
A Cross-Virtual Machine Network Channel Attack via Mirroring and TAP Impersonation

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Original language: English
Title of host publication: 2018 IEEE 11th International Conference on Cloud Computing (CLOUD 2018)
Subtitle of host publication: Proceedings of a meeting held 2-7 July 2018, San Francisco, California, USA
Place of Publication: San Francisco
Publisher or commissioning body: Institute of Electrical and Electronics Engineers (IEEE)
Pages: 606-613
Number of pages: 8
ISBN (Electronic): 9781538672358
ISBN (Print): 9781538672365
DOIs
Date Accepted/In press: 28 Apr 2018
Date E-pub ahead of print: 10 Sep 2018
Date Published (current): Oct 2018

Publication series

Name
ISSN (Electronic): 2159-6190

Abstract

Data privacy and security are leading concerns for providers and customers of cloud computing, where Virtual Machines (VMs) can co-reside on the same underlying physical machine. Side channel attacks within multi-tenant virtualized cloud environments are an established problem, where attackers are able to monitor and exfiltrate data from co-resident VMs. Virtualization services have attempted to mitigate such attacks by logically isolating co-located VMs from one another on an internal virtual network, preventing VM-to-VM interference on shared hardware. However, such approaches are also insecure: attackers can perform network channel attacks that bypass these mitigations using vectors such as ARP spoofing, TCP/IP steganography, and DNS poisoning. In this paper we identify a new vulnerability within the internal cloud virtual network, showing that through a combination of TAP impersonation and mirroring, a malicious VM can redirect and monitor the network traffic of VMs co-located on the same physical machine. We demonstrate the feasibility of this attack on a prominent cloud platform, OpenStack, under various security requirements and system conditions, and propose countermeasures for mitigation.
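The abstract above names the two ingredients of the attack, TAP impersonation and traffic mirroring inside the cloud's internal virtual network, but the record page does not describe the countermeasures. The following audit script is an added example, written for this page and not code from the paper or from OpenStack. It assumes an OVS-based Neutron compute node (each VM vNIC is a `tap…` port on the integration bridge) and assumes that the attack leaves one of two traces on the host: an OVS `Mirror` row whose `output_port` resolves to a tenant TAP rather than an operator-owned monitoring port, or two TAP devices presenting the same MAC address. Both assumptions are the editor's, as are the sample command outputs, which are constructed rather than captured from a real host. The parsers target the key/value layout of `ovs-vsctl list <table>` and the single-line layout of `ip -o link`.

```python
"""Audit an OVS-based Neutron compute node for mirroring and TAP anomalies.

Added example (not the paper's code). Assumptions, all the editor's:
  * every VM vNIC is an OVS port named tap<...> on br-int;
  * an attacker-installed mirror shows up as a Mirror row whose output_port
    is a tenant TAP that is not on the operator's allow-list;
  * a TAP impersonating another VM's vNIC shares that vNIC's MAC address.
"""
import re
from collections import defaultdict

# Constructed sample of `ovs-vsctl list Port` (not from a real host).
SAMPLE_PORTS = """\
_uuid               : 0a1b2c3d-0000-4000-8000-000000000001
name                : "tap11aa22bb-cc"

_uuid               : 0a1b2c3d-0000-4000-8000-000000000002
name                : "tap33cc44dd-ee"

_uuid               : 0a1b2c3d-0000-4000-8000-000000000003
name                : "patch-tun"
"""

# Constructed sample of `ovs-vsctl list Mirror`: m0 copies everything
# crossing port ...001 into port ...002, which is a tenant TAP.
SAMPLE_MIRRORS = """\
_uuid               : 9f9f9f9f-0000-4000-8000-000000000009
name                : "m0"
output_port         : 0a1b2c3d-0000-4000-8000-000000000002
select_all          : true
select_src_port     : [0a1b2c3d-0000-4000-8000-000000000001]
"""

# Constructed sample of `ip -o link`: two taps advertise the same MAC.
SAMPLE_IP_LINK = """\
5: tap11aa22bb-cc: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether fa:16:3e:01:02:03 brd ff:ff:ff:ff:ff:ff
6: tap33cc44dd-ee: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether fa:16:3e:01:02:03 brd ff:ff:ff:ff:ff:ff
7: qvo55ee66ff-00: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 7a:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
"""

_KV = re.compile(r"^(\w+)\s*:\s*(.*)$")
_LINK = re.compile(r"^\d+:\s+([^:@\s]+)[^\n]*?link/ether\s+([0-9a-fA-F:]{17})", re.M)


def parse_ovs_rows(text):
    """Parse `ovs-vsctl list <table>` output into a list of {column: value} dicts.

    A new record starts at each `_uuid` line; surrounding double quotes on
    string values are stripped so names compare cleanly.
    """
    rows, cur = [], None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip().strip('"')
        if key == "_uuid":
            cur = {}
            rows.append(cur)
        if cur is not None:
            cur[key] = val
    return rows


def find_suspicious_mirrors(mirror_text, port_text, admin_ports=()):
    """Return [(mirror_name, output_port_name)] for every mirror whose output
    port is a tap device not on the operator allow-list `admin_ports`."""
    uuid_to_name = {r["_uuid"]: r.get("name", "") for r in parse_ovs_rows(port_text)}
    hits = []
    for m in parse_ovs_rows(mirror_text):
        out = uuid_to_name.get(m.get("output_port", ""), "")
        if out.startswith("tap") and out not in admin_ports:
            hits.append((m.get("name", "?"), out))
    return hits


def find_duplicate_tap_macs(ip_link_text):
    """Return {mac: [tap names]} for MACs shared by more than one tap device."""
    by_mac = defaultdict(list)
    for name, mac in _LINK.findall(ip_link_text):
        if name.startswith("tap"):
            by_mac[mac.lower()].append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}


if __name__ == "__main__":
    # On a live host replace the samples with subprocess output of the
    # three commands named above; the parsing is unchanged.
    for name, port in find_suspicious_mirrors(SAMPLE_MIRRORS, SAMPLE_PORTS):
        print(f"ALERT mirror {name} outputs to tenant port {port}")
    for mac, taps in find_duplicate_tap_macs(SAMPLE_IP_LINK).items():
        print(f"ALERT MAC {mac} claimed by {', '.join(taps)}")
```

A mirror whose output port is a tenant TAP, or a MAC that appears on two TAP devices at once, is a strong signal that a co-resident VM has gained a view of traffic it should not see; operator-owned monitoring ports should be listed in `admin_ports` so legitimate mirrors do not alert.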

Structured keywords

  • Cyber Security

Research areas

  • Attack, Cyber Security, Virtual Machine, VM


Documents

  • Full-text PDF (accepted author manuscript)

    Rights statement: This is the author accepted manuscript (AAM). The final published version (version of record) is available online via IEEE at https://ieeexplore.ieee.org/document/8457853. Please refer to any applicable terms of use of the publisher.

    Accepted author manuscript, 6 MB, PDF document
