TY - JOUR
T1 - Know Thy Neighbor: Crypto Library Detection in Cloud
AU - Eisenbarth, Thomas
AU - Irazoqui, Gorka
AU - Inci, Mehmet Sinan
AU - Sunar, Berk
PY - 2015/4/18
Y1 - 2015/4/18
N2 - Software updates and security patches have become a standard method to fix known and recently discovered security vulnerabilities in deployed software. In server applications, outdated cryptographic libraries allow adversaries to exploit weaknesses and launch attacks with significant security results. The proposed technique exploits leakages at the hardware level to first, determine if a specific cryptographic library is running inside (or not) a co-located virtual machine (VM) and second to discover the IP of the co-located target. To this end, we use a Flush+Reload cache side-channel technique to measure the time it takes to call (load) a cryptographic library function. Shorter loading times are indicative of the library already residing in memory and shared by the VM manager through deduplication. We demonstrate the viability of the proposed technique by detecting and distinguishing various cryptographic libraries, including MatrixSSL, PolarSSL, GnuTLS, OpenSSL and CyaSSL along with the IP of the VM running these libraries. In addition, we show how to differentiate between various versions of libraries to better select an attack target as well as the applicable exploit. Our experiments show a complete attack setup scenario with single-trial success rates of up to 90% under light load and up to 50% under heavy load for libraries running in KVM.
UR - https://www.semanticscholar.org/paper/Know-Thy-Neighbor%3A-Crypto-Library-Detection-in-Apecechea-Inci/cb5ab4d277627b1d275ffbcd11379f5a3bacb68f
U2 - 10.1515/popets-2015-0003
DO - 10.1515/popets-2015-0003
M3 - Journal articles
SN - 2299-0984
VL - 2015
SP - 25
EP - 40
JO - Proceedings on Privacy Enhancing Technologies
JF - Proceedings on Privacy Enhancing Technologies
IS - 1
ER -