Know Thy Neighbor: Crypto Library Detection in Cloud

Authors: Gorka Irazoqui (Worcester Polytechnic Institute), Mehmet Sinan İncİ (Worcester Polytechnic Institute), Thomas Eisenbarth (Worcester Polytechnic Institute), Berk Sunar (Worcester Polytechnic Institute)

Volume: 2015
Issue: 1
Pages: 25–40
DOI: https://doi.org/10.1515/popets-2015-0003

Download PDF

Abstract: Software updates and security patches have become a standard method to fix known and recently discovered security vulnerabilities in deployed software. In server applications, outdated cryptographic libraries allow adversaries to exploit weaknesses and launch attacks with significant security results. The proposed technique exploits leakages at the hardware level to first, determine if a specific cryptographic library is running inside (or not) a co-located virtual machine (VM) and second to discover the IP of the co-located target. To this end, we use a Flush+Reload cache side-channel technique to measure the time it takes to call (load) a cryptographic library function. Shorter loading times are indicative of the library already residing in memory and shared by the VM manager through deduplication. We demonstrate the viability of the proposed technique by detecting and distinguishing various cryptographic libraries, including MatrixSSL, PolarSSL, GnuTLS, OpenSSL and CyaSSL along with the IP of the VM running these libraries. In addition, we show how to differentiate between various versions of libraries to better select an attack target as well as the applicable exploit. Our experiments show a complete attack setup scenario with single-trial success rates of up to 90% under light load and up to 50% under heavy load for libraries running in KVM.

Keywords: Cryptographic Libraries, Cross-VM attacks, Virtualization, Deduplication

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.