Application Research of Computers (《计算机应用研究》)

Research progress on side-channel attacks in cloud environment
(Original title: 云环境中的侧通道攻击研究进展)

Authors He Peicong, Huang Ruwei, Chen Ningjiang, Li Zhikun (何佩聪, 黄汝维, 陈宁江, 李志坤)
Affiliation School of Computer & Electronic Information, Guangxi University, Nanning 530004, China
Article number 1001-3695(2018)04-0969-05
DOI 10.3969/j.issn.1001-3695.2018.04.002
Abstract With the rapid development of cloud computing, security problems in the cloud environment have become the main factor restricting the development of cloud computing. Side-channel attacks between virtual machines in the cloud are one of its main potential threats, so research on side-channel attacks in the cloud environment has become a hot research topic. To give researchers at home and abroad a comprehensive understanding of these attacks, this paper surveys side-channel attack methods in the cloud environment. Taking traditional side-channel attack methods as the starting point, it describes, analyzes and summarizes the methods and characteristics of side-channel attacks that exploit the different resources shared between virtual machines in the cloud; it then introduces the defensive strategies and protection measures proposed against such attacks at home and abroad in recent years; finally, based on the characteristics of side-channel attacks in the cloud environment, it gives defensive ideas and directions for future research.
Keywords cloud computing; side-channel attacks; security; defense
Funding Guangxi Natural Science Foundation (2016GXNSFAA380115)
Guangxi University Research Fund (XBZ120257, XJZ151321)
Article URL http://www.arocmag.com/article/01-2018-04-002.html
Received 2017/3/2
Revised 2017/5/5
Pages 969-973
CLC number TP309.2
Document code A