Robust and Scalable Process Isolation against Spectre in the Cloud

Schwarzl, Martin and Borrello, Pietro and Kogler, Andreas and Varda, Kenton and Schuster, Thomas and Gruss, Daniel and Schwarz, Michael
(2022) Robust and Scalable Process Isolation against Spectre in the Cloud.
In: ESORICS.
Conference: ESORICS European Symposium On Research In Computer Security


Abstract

In the quest for efficiency and performance, edge-computing providers replace process isolation with sandboxes, to support a high number of tenants per machine. While these sandboxes are secure against software vulnerabilities, microarchitectural attacks can bypass them. In this paper, we present a Spectre attack leaking secrets from co-located tenants in edge computing. Our remote Spectre attack, using amplification techniques and a remote timing server, leaks 2 bit/min. This motivates our main contribution, DyPrIs, a scalable process-isolation mechanism that only isolates suspicious worker scripts following a lightweight detection mechanism. In the worst case, DyPrIs boils down to process isolation. Our proof-of-concept implementation augments real-world cloud infrastructure used in production at large scale, Cloudflare Workers. With a false-positive rate of only 0.61 %, we demonstrate that DyPrIs outperforms strict process isolation while statistically maintaining its security guarantees, fully mitigating cross-tenant Spectre attacks.
