CISPA

Robust and Scalable Process Isolation against Spectre in the Cloud

conference contribution
posted on 2023-11-29, 18:22 authored by Martin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Daniel Gruss, Michael Schwarz
In the quest for efficiency and performance, edge-computing providers replace process isolation with sandboxes to support a high number of tenants per machine. While these sandboxes are secure against software vulnerabilities, microarchitectural attacks can bypass them. In this paper, we present a Spectre attack leaking secrets from co-located tenants in edge computing. Our remote Spectre attack, using amplification techniques and a remote timing server, leaks 2 bit/min. This motivates our main contribution, DyPrIs, a scalable process-isolation mechanism that only isolates suspicious worker scripts following a lightweight detection mechanism. In the worst case, DyPrIs boils down to process isolation. Our proof-of-concept implementation augments real-world cloud infrastructure used in production at large scale, Cloudflare Workers. With a false-positive rate of only 0.61 %, we demonstrate that DyPrIs outperforms strict process isolation while statistically maintaining its security guarantees, fully mitigating cross-tenant Spectre attacks.

Preferred Citation

Martin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Daniel Gruss and Michael Schwarz. Robust and Scalable Process Isolation against Spectre in the Cloud. In: European Symposium on Research in Computer Security (ESORICS). 2022.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

European Symposium on Research in Computer Security (ESORICS)

Legacy Posted Date

2022-08-12

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3748,
  title = "Robust and Scalable Process Isolation against Spectre in the Cloud",
  author = "Schwarzl, Martin and Borrello, Pietro and Kogler, Andreas and Varda, Kenton and Schuster, Thomas and Gruss, Daniel and Schwarz, Michael",
  booktitle = "{European Symposium on Research in Computer Security (ESORICS)}",
  year = "2022",
}
