Abstract:
As the market share of cloud computing grows, cloud security is receiving increasing attention from researchers. To improve resource utilization, cloud environments use virtualization to consolidate and allocate the underlying hardware. As a result, virtual machines share a large amount of resources, which leaves cloud platforms exposed to side-channel attacks; among these, cache side-channel attacks are the class with the widest reach, the most variants and the greatest potential for harm. Attack detection is an important part of defense and often serves as the first step before other countermeasures are applied. Although a number of researchers have studied cache side-channel attack detection, little of that work targets cloud environments, and existing detection methods suffer from poor resistance to interference and overly coarse detection granularity. To address these problems, this paper analyzes typical cache side-channel attacks and proposes a detection method based on instruction monitoring. The method is implemented on top of virtualization technology, combines anomaly-based and signature-based detection, and performs fine-grained, process-level detection of several kinds of cache side-channel attacks without modifying the underlying hardware or the guest virtual machines. Using this method, the paper implements an attack detection system on a KVM-based cloud platform. Experiments show that the running detection system keeps the performance impact on normal cloud services essentially within 5%, and that it maintains the intended detection effectiveness under different load conditions.
Keywords: cache side-channel attack, attack detection, defense strategy, KVM
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.02.12
Received: 2022-01-19; Revised: 2022-03-04
Funding:
A Fine-Grained Cache Side-Channel Attack Detection Method for Cloud Environment
Huang Qingjia, Ling Yuqing, Zhang Weijuan
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
With the gradual growth of the cloud computing market share, cloud security has drawn increasing attention from researchers. To improve resource utilization in cloud environments, virtualization technology is used to integrate and allocate the underlying resources. Consequently, a large number of resources are shared between virtual machines, which makes the cloud platform vulnerable to side-channel attacks. Cache side-channel attacks are a class of side-channel attacks with a wide attack range, many variants and great potential for harm to victims. Attack detection is an important part of defense, and often a prerequisite for other defense methods. Although many researchers have studied cache side-channel attack detection, there is little research targeting cloud environments, and existing detection methods have problems such as poor resistance to interference and overly coarse detection granularity. To solve these problems, this paper analyzes typical cache side-channel attacks and proposes a cache side-channel attack detection method based on instruction monitoring. The method is implemented on top of virtualization technology and combines anomaly-based and feature-based detection. It can detect a variety of cache side-channel attacks at the process level. It is worth mentioning that this method does not require modifying the underlying hardware or the guest virtual machines, so it is transparent to tenants. In this paper, an attack detection system is implemented with this method on a KVM-based cloud platform. Experiments show that the impact of the running detection system on the performance of normal cloud services is essentially kept within 5%, and that the system maintains the target detection effect under different loads.
Key words: cache side-channel attack, attack detection, defense strategy, KVM
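The abstract describes combining anomaly-based and feature-based detection over monitored instructions to classify guest processes. The following is an added illustration of that combination and is not the paper's code; the abstract does not say which instructions are monitored or how thresholds are set. It assumes, as a hypothetical interface, that the hypervisor supplies per-process windows of counters for cache-line flush instructions and timestamp-counter reads alongside total instructions; the thresholds and the sample windows are constructed for the demonstration.

```python
"""Process-level classifier combining a signature rule and an anomaly rule.

Added example, not the paper's detection system. Assumes (hypothetically) that the
hypervisor reports, per guest process and per monitoring window, the number of
cache-line flush instructions, timestamp-counter reads and total instructions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Window:
    pid: int
    name: str
    instructions: int   # total instructions retired in the window
    flushes: int        # cache-line flush instructions observed (e.g. clflush)
    timing_reads: int   # timestamp-counter reads observed (e.g. rdtsc)


# Hypothetical tuning values: flush-and-time attack primitives pair a high
# flush rate with a high timer-read rate; benign code rarely does both.
FLUSH_RATE_THRESHOLD = 0.01
TIMING_RATE_THRESHOLD = 0.01
Z_THRESHOLD = 3.0


def rate(count, total):
    """Events per instruction; zero for an empty window."""
    return count / total if total else 0.0


def matches_signature(w):
    """Feature-based rule: both cache-manipulation rates exceed their thresholds."""
    return (rate(w.flushes, w.instructions) >= FLUSH_RATE_THRESHOLD
            and rate(w.timing_reads, w.instructions) >= TIMING_RATE_THRESHOLD)


def anomaly_z(w, baseline):
    """Anomaly-based rule: z-score of the window's combined event rate
    against a baseline of benign windows from the same platform."""
    rates = [rate(b.flushes + b.timing_reads, b.instructions) for b in baseline]
    mu, sigma = mean(rates), pstdev(rates)
    current = rate(w.flushes + w.timing_reads, w.instructions)
    if sigma == 0:
        return float("inf") if current > mu else 0.0
    return (current - mu) / sigma


def classify(w, baseline):
    """Combine both rules. Requiring both to fire is what limits false positives
    from benign workloads that only look unusual on one axis."""
    sig = matches_signature(w)
    anomalous = anomaly_z(w, baseline) >= Z_THRESHOLD
    if sig and anomalous:
        return "attack"
    if sig or anomalous:
        return "suspicious"
    return "benign"


# Constructed baseline: benign windows with a handful of flushes and timer reads.
BASELINE = [
    Window(101, "web", 1_000_000, 5, 10),
    Window(102, "db", 1_000_000, 8, 12),
    Window(103, "cron", 1_000_000, 12, 20),
    Window(104, "web", 1_000_000, 10, 15),
    Window(105, "ssh", 1_000_000, 6, 9),
]

# Constructed windows to classify: a normal process, a probe-like process with
# many flushes and timer reads, and a benign flush-heavy process with no timing.
SAMPLES = [
    Window(201, "web", 1_000_000, 7, 11),
    Window(202, "unknown", 1_000_000, 50_000, 50_000),
    Window(203, "pmem-sync", 1_000_000, 50_000, 0),
]


def run_demo():
    """Return {pid: verdict} for the constructed sample windows."""
    return {w.pid: classify(w, BASELINE) for w in SAMPLES}


if __name__ == "__main__":
    for pid, verdict in run_demo().items():
        print(pid, verdict)
```

The third sample shows why the two rules are combined: a flush-heavy but otherwise ordinary process is anomalous against the baseline yet does not match the signature, so it is only marked suspicious rather than reported as an attack.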