Dynamic Frequency-Based Fingerprinting Attacks against Modern Sandbox Environments
arXiv (2024)
Abstract
The cloud computing landscape has evolved significantly in recent years,
embracing various sandboxes to meet the diverse demands of modern cloud
applications. These sandboxes encompass container-based technologies like
Docker and gVisor, microVM-based solutions like Firecracker, and
security-centric sandboxes relying on Trusted Execution Environments (TEEs)
such as Intel SGX and AMD SEV. However, the practice of placing multiple
tenants on shared physical hardware raises security and privacy concerns, most
notably side-channel attacks.
In this paper, we investigate the possibility of fingerprinting containers
through CPU frequency reporting sensors in Intel and AMD CPUs. One key enabler
of our attack is that the current CPU frequency information can be accessed by
user-space attackers. We demonstrate that Docker images exhibit a unique
frequency signature, enabling the distinction of different containers with up
to 84.5% accuracy, even when running on different cores. Additionally, we
assess the effectiveness of our attack when
performed against several sandboxes deployed in cloud environments, including
Google's gVisor, AWS' Firecracker, and TEE-based platforms like Gramine
(utilizing Intel SGX) and AMD SEV. Our empirical results show that these
attacks can also be carried out successfully against all of these sandboxes in
less than 40 seconds, with an accuracy of over 70%. Finally, we propose a
noise injection-based countermeasure to mitigate the proposed attack on cloud
environments.
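The abstract's key enabler is that current CPU frequency readings are reachable from unprivileged user space. The following added example (not code from the paper or its authors) audits a Linux host for the well-known interfaces that expose per-core frequency (the sysfs cpufreq files and /proc/cpuinfo) and reports which are world-readable, so a defender can see what a co-located tenant could sample before restricting access or applying a noise-injection mitigation. The function names, the `root` argument and the constructed fake tree used for offline testing are assumptions of this example.

```python
import stat
import tempfile
from pathlib import Path

# Linux interfaces that expose current per-core frequency; patterns are
# relative to the filesystem root so the audit can run on a constructed tree.
FREQ_INTERFACES = (
    "sys/devices/system/cpu/cpu*/cpufreq/scaling_cur_freq",
    "sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_cur_freq",
    "proc/cpuinfo",  # carries a "cpu MHz" line per core
)

def world_readable(path: Path) -> bool:
    """True when the file's 'other' read bit is set (unprivileged access)."""
    return bool(path.stat().st_mode & stat.S_IROTH)

def audit_frequency_exposure(root: str = "/") -> dict:
    """Classify matching telemetry files as exposed (world-readable) or restricted."""
    base = Path(root)
    report = {"exposed": [], "restricted": []}
    for pattern in FREQ_INTERFACES:
        for p in sorted(base.glob(pattern)):
            if p.is_file():
                key = "exposed" if world_readable(p) else "restricted"
                report[key].append(str(p.relative_to(base)))
    return report

def build_fake_tree(root: str, cores: int, exposed: bool) -> None:
    """Construct a minimal fake sysfs/proc tree (constructed sample data, not a real host)."""
    mode = 0o444 if exposed else 0o400
    for c in range(cores):
        d = Path(root, "sys/devices/system/cpu", f"cpu{c}", "cpufreq")
        d.mkdir(parents=True)
        f = d / "scaling_cur_freq"
        f.write_text("2400000\n")  # kHz, constructed value
        f.chmod(mode)
    proc = Path(root, "proc")
    proc.mkdir()
    (proc / "cpuinfo").write_text("cpu MHz\t\t: 2400.000\n")  # constructed value
    (proc / "cpuinfo").chmod(mode)

def demo_audit(exposed: bool, cores: int = 2) -> dict:
    """Run the audit against a freshly constructed fake tree in a temp directory."""
    root = tempfile.mkdtemp()
    build_fake_tree(root, cores, exposed)
    return audit_frequency_exposure(root)
```

Running `audit_frequency_exposure("/")` on a real host lists the telemetry files an unprivileged process can read; on most distributions `scaling_cur_freq` and `/proc/cpuinfo` are world-readable by default.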