Cross-container cloud attacks
.. with a proof of concept on Azure
Our latest publication [1] just presented in CSCML 2022, demonstrating an inherent side-channel in container infrastructure. This allows an attacker to infer private information from vulnerable containers or to establish a covert channel with such containers that bypasses detection (e.g., firewalls). We demonstrate this attack on Microsoft Azure (to whom it was disclosed in advance).
One one foot, the key observation is that containers need to share much of their file system in order to benefit from their light-weight environment. This sharing permits a page-cache attack based on the common files.
The page cache [2] remains an extremely difficult channel [3] to disrupt, in part because it is so intimately linked to the efficiency of a system.
[1] Boskov, N., Radami, N., Tiwari, T., Trachtenberg, A. (2022). Union Buster: A Cross-Container Covert-Channel Exploiting Union Mounting. In: Dolev, S., Katz, J., Meisels, A. (eds) Cyber Security, Cryptology, and Machine Learning. CSCML 2022. Lecture Notes in Computer Science, vol 13301. Springer, Cham. https://doi.org/10.1007/978-3-031-07689-3_23.
[2] Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh. 2019. Page Cache Attacks. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19). Association for Computing Machinery, New York, NY, USA, 167–180. https://doi.org/10.1145/3319535.3339809.
[3] Linux Kernel Developers: Revert “Change mincore() to count “mapped” pages rather than “cached” pages” (2019). https://git.kernel.org/pub/scm/linux/kernel/ git/torvalds/linux.git/commit/?id=30bac164aca750892b93eef350439a0562a68647