Researchers in Houman Homayoun's ECE lab have identified a new vulnerability in the cloud scheduler, which potentially opens the door for sophisticated micro-architectural attacks.
The work discusses a vulnerability in cloud scheduling that can enable future micro-architectural attacks deployed on the cloud.
- The research on the newly detected vulnerability, published at NDSS 2022, points out that a certain feature in the cloud scheduler enables arbitrary users to influence scheduling results.
- This can be exploited to help malicious attackers accurately locate victims in a heterogeneous cloud to enable further micro-architectural attacks. Data potentially at risk could include patient data in the cloud, sensitive financial data, and more.
Researchers from both UC Davis and George Mason University have recently identified a vulnerability in the cloud scheduler which can open the door for future micro-architectural attacks deployed on the cloud.
A micro-architectural attack is a type of attack strategy that exploits design flaws in hardware to affect the execution of certain programs or extract secret data from victim programs. It has been proven that micro-architectural attacks can be a serious threat to cloud infrastructures.
The research team’s work, which falls within the research area of cloud security, points out that a certain feature in the cloud scheduler, one that enables users to influence scheduling results, can be exploited to help malicious attackers accurately locate victims in a heterogeneous cloud and so enable further micro-architectural attacks. Using this strategy, the researchers achieved high co-location success rates that can be considered threats to cloud providers. Results demonstrate that such threats exist in a real-world setting. The researchers also developed effective initial defense techniques, based on randomization and easy to deploy, to defend against the proposed attack.
The paper, titled “Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks”, has been accepted for publication at the Network and Distributed System Security Symposium (NDSS) 2022, which will be held in San Diego in late February 2022. The main authors are from the ASEEC Lab, led by Professor Houman Homayoun in the Department of Electrical and Computer Engineering, UC Davis, and a research group led by Professor Khaled N. Khasawneh in the Department of Electrical and Computer Engineering, George Mason University.