Visible to the public A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation

TitleA Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation
Publication TypeConference Paper
Year of Publication2018
AuthorsSaeed, A., Garraghan, P., Craggs, B., Linden, D. v d, Rashid, A., Hussain, S. A.
Conference Name2018 IEEE 11th International Conference on Cloud Computing (CLOUD)
KeywordsBridges, cloud computing, cloud platform, co-located VMs, co-resident VMs, composability, computer network security, cross-Virtual machine network channel attack, data privacy, Human Behavior, internal cloud virtual network, internal virtual network, IP networks, logical resource isolation, malicious VM, Metrics, mirroring, Monitoring, multitenant virtualized cloud environments, Network Channel Attack, network channel attacks, network traffic, openstack, physical machine, privacy, pubcrawl, Resiliency, security, security requirements, side channel attacks, Switches, TAP impersonation, Virtual machine monitors, virtual machines, virtualisation, virtualization privacy, virtualization services, VM-to-VM interference
AbstractData privacy and security is a leading concern for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside within the same underlying physical machine. Side channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by preventing VM-to-VM interference on shared hardware by providing logical resource isolation between co-located VMs via an internal virtual network. However, such approaches are also insecure, with attackers capable of performing network channel attacks which bypass mitigation strategies using vectors such as ARP Spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can successfully redirect and monitor network traffic of VMs co-located within the same physical machine. We demonstrate the feasibility of this attack in a prominent cloud platform - OpenStack - under various security requirements and system conditions, and propose countermeasures for mitigation.
DOI10.1109/CLOUD.2018.00084
Citation Keysaeed_cross-virtual_2018