posted on 2023-11-29, 18:22authored byMartin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Daniel Gruss, Michael SchwarzMichael Schwarz
In the quest for efficiency and performance, edge-computing providers replace process isolation with sandboxes, to support a high number of tenants per machine. While secure against software vulnerabilities, microarchitectural attacks can bypass these sandboxes. In this paper, we present a Spectre attack leaking secrets from co-located tenants in edge computing. Our remote Spectre attack, using amplification techniques and a remote timing server, leaks 2 bit/min. This motivates our main contribution, DyPrIs, a scalable process-isolation mechanism that only isolates suspicious worker scripts following a lightweight detection mechanism. In the worst case, DyPrIs boils down to process isolation. Our proof-of-concept implementation augments real-world cloud infrastructure used in production at large scale, Cloudflare Workers. With a false-positive rate of only 0.61 %, we demonstrate that DyPrIs outperforms strict process isolation while statistically maintaining its security guarantees, fully mitigating cross-tenant Spectre attacks.
History
Preferred Citation
Martin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Daniel Gruss and Michael Schwarz. Robust and Scalable Process Isolation against Spectre in the Cloud. In: European Symposium on Research in Computer Security (ESORICS). 2022.
Primary Research Area
Threat Detection and Defenses
Name of Conference
European Symposium on Research in Computer Security (ESORICS)
Legacy Posted Date
2022-08-12
Open Access Type
Green
BibTeX
@inproceedings{cispa_all_3748,
title = "Robust and Scalable Process Isolation against Spectre in the Cloud",
author = "Schwarzl, Martin and Borrello, Pietro and Kogler, Andreas and Varda, Kenton and Schuster, Thomas and Gruss, Daniel and Schwarz, Michael",
booktitle="{European Symposium on Research in Computer Security (ESORICS)}",
year="2022",
}