Seeding the Cloud: Detecting Co-Residency with Network Flow Watermarking

Presenter: Hannah Pruse

Mentor: Kevin Butler

AM Session Oral Presentation

Panel Name: M2 Chaos in the Clouds

Location: Alsea Room

Time: 11:00am – 12:00pm

Cloud computing has become vital in the realm of information technology by providing computing as a service. Cloud provider customers do not need to purchase and maintain their own machines to deploy web applications, but can instead run virtual machines (VMs) from the provider’s datacenter. The key to supporting this model is virtualization, which allows physical resources to be shared across multiple users, allowing several VMs to run on a single computer. However, customers share resources with unknown and untrusted parties, leaving sensitive data vulnerable to unauthorized access through the exploitation of side channels. Prior co-residency detection methods relied on specific vulnerabilities of hypervisors, the underlying software facilitating virtualization, which can be easily fixed. We demonstrate that co-residency exploitation is not simply a flaw in a particular hypervisor, but is a real threat in the cloud computing model. We have developed a hypervisor-independent attack that compromises isolation of VMs, allowing for exfiltration of co-residency information by injecting a watermark, or specific patterns of delays, into the target VM’s network flow. Through experiments in a local testbed and real-world deployments on a commercial cloud, we observed accurate detection of co-residency in less than 60 seconds. We demonstrate that our watermark itself can be a covert channel for malicious access of data, thus highlighting the significance of this vulnerability and the threat posed to current cloud computing platforms.
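The abstract describes the watermark as a specific pattern of delays injected into the target VM's network flow. The following is an added, defender-side illustration (not code from the presentation or its authors) of what such a pattern looks like in a packet trace and how the owner of a flow could check their own traffic for it: a repeating delay pattern shows up as strong autocorrelation of inter-arrival delays at the pattern's period. The sample timestamps, the 8-slot pattern, the 5 ms watermark delay and the 0.3 threshold are all constructed assumptions for the example, not values from the talk.

```python
import random
import statistics

# Constructed sample flow parameters (assumed values, not measurements from the talk).
BASE_GAP = 0.010                        # nominal inter-packet gap in seconds
JITTER = 0.001                          # +/- uniform jitter added to every gap
WM_DELAY = 0.005                        # assumed extra delay on "1" slots of the pattern
WM_PATTERN = [1, 0, 0, 1, 1, 0, 1, 0]   # assumed repeating delay pattern (period 8)


def constructed_flow(watermarked, packets=512, seed=7):
    """Return packet timestamps (seconds) for a constructed flow, optionally
    carrying a repeating delay pattern of the kind the abstract calls a watermark."""
    rng = random.Random(seed)
    t, stamps = 0.0, []
    for i in range(packets):
        gap = BASE_GAP + rng.uniform(-JITTER, JITTER)
        if watermarked and WM_PATTERN[i % len(WM_PATTERN)]:
            gap += WM_DELAY
        t += gap
        stamps.append(t)
    return stamps


def inter_arrival_delays(timestamps):
    """Delays between consecutive packets; this is the signal a watermark modulates."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def autocorrelation(values, lag):
    """Normalised sample autocorrelation of a sequence at a given lag (in [-1, 1])."""
    mean = statistics.fmean(values)
    var = sum((v - mean) ** 2 for v in values)
    if var == 0.0:
        return 0.0
    cov = sum((values[i] - mean) * (values[i + lag] - mean)
              for i in range(len(values) - lag))
    return cov / var


def strongest_period(timestamps, max_lag=64):
    """Scan candidate periods and return (lag, autocorrelation) of the strongest one.
    Independent jitter gives near-zero values at every lag; a repeating delay
    pattern gives a high value at its period."""
    delays = inter_arrival_delays(timestamps)
    best_lag, best_score = 0, 0.0
    for lag in range(2, min(max_lag, len(delays) // 4) + 1):
        r = autocorrelation(delays, lag)
        if r > best_score:
            best_lag, best_score = lag, r
    return best_lag, best_score


def flag_timing_watermark(timestamps, threshold=0.3):
    """Return (flagged, period, score) for a flow's own timestamps.
    The threshold is an assumed value; tune it against a baseline of clean traffic."""
    lag, score = strongest_period(timestamps)
    return score >= threshold, lag, score


if __name__ == "__main__":
    for label, wm in (("clean flow", False), ("watermarked flow", True)):
        flagged, lag, score = flag_timing_watermark(constructed_flow(wm))
        print(f"{label}: flagged={flagged} period={lag} autocorr={score:.2f}")
```

Run on the constructed data, the clean flow stays well under the threshold while the watermarked flow is flagged with period 8. In practice the check has an obvious caveat: application traffic with a legitimately periodic rhythm (keepalives, polling) also produces autocorrelation peaks, so the threshold and candidate periods must be calibrated against a baseline of the VM's normal traffic before a peak is treated as a sign that another tenant is shaping the flow's timing.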
