Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS

Zirui Neil Zhao; Adam Morrison; Christopher W. Fletcher; Josep Torrellas

doi:10.1145/3617232.3624867

Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS

Zirui Neil Zhao, Adam Morrison, Christopher W. Fletcher, Josep Torrellas

School of Computer Science

Tel Aviv University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Microarchitectural side-channel attacks exploit shared hardware resources, posing significant threats to modern systems. A pivotal step in these attacks is achieving physical host co-location between attacker and victim. This step is especially challenging in public cloud environments due to the widespread adoption of the virtual private cloud (VPC) and the ever-growing size of the data centers. Furthermore, the shift towards Function-as-a-Service (FaaS) environments, characterized by dynamic function instance placements and limited control for attackers, compounds this challenge.In this paper, we present the first comprehensive study on risks of and techniques for co-location attacks in public cloud FaaS environments. We develop two physical host fingerprinting techniques and propose a new, inexpensive methodology for large-scale instance co-location verification. Using these techniques, we analyze how Google Cloud Run places function instances on physical hosts and identify exploitable placement behaviors. Leveraging our findings, we devise an effective strategy for instance launching that achieves 100% probability of co-locating the attacker with at least one victim instance. Moreover, the attacker co-locates with 61% - 100% of victim instances in three major Cloud Run data centers.

Original language	English
Title of host publication	Spring Cycle
Publisher	Association for Computing Machinery
Pages	133-149
Number of pages	17
ISBN (Electronic)	9798400703720
DOIs	https://doi.org/10.1145/3617232.3624867
State	Published - 27 Apr 2024
Event	29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2024 - San Diego, United States Duration: 27 Apr 2024 → 1 May 2024

Publication series

Name	International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS
Volume	1

Conference

Conference	29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2024
Country/Territory	United States
City	San Diego
Period	27/04/24 → 1/05/24

Keywords

cloud computing
co-location vulnerability
function-as-a-service (FaaS)
timestamp counter

All Science Journal Classification (ASJC) codes

Software
Information Systems
Hardware and Architecture

Access to Document

10.1145/3617232.3624867

Cite this

@inproceedings{8150e3fe12b946ea96afc84b7ea53a23,

title = "Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS",

abstract = "Microarchitectural side-channel attacks exploit shared hardware resources, posing significant threats to modern systems. A pivotal step in these attacks is achieving physical host co-location between attacker and victim. This step is especially challenging in public cloud environments due to the widespread adoption of the virtual private cloud (VPC) and the ever-growing size of the data centers. Furthermore, the shift towards Function-as-a-Service (FaaS) environments, characterized by dynamic function instance placements and limited control for attackers, compounds this challenge.In this paper, we present the first comprehensive study on risks of and techniques for co-location attacks in public cloud FaaS environments. We develop two physical host fingerprinting techniques and propose a new, inexpensive methodology for large-scale instance co-location verification. Using these techniques, we analyze how Google Cloud Run places function instances on physical hosts and identify exploitable placement behaviors. Leveraging our findings, we devise an effective strategy for instance launching that achieves 100% probability of co-locating the attacker with at least one victim instance. Moreover, the attacker co-locates with 61% - 100% of victim instances in three major Cloud Run data centers.",

keywords = "cloud computing, co-location vulnerability, function-as-a-service (FaaS), timestamp counter",

author = "Zhao, {Zirui Neil} and Adam Morrison and Fletcher, {Christopher W.} and Josep Torrellas",

note = "Publisher Copyright: {\textcopyright} 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.; 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2024 ; Conference date: 27-04-2024 Through 01-05-2024",

year = "2024",

month = apr,

day = "27",

doi = "10.1145/3617232.3624867",

language = "الإنجليزيّة",

series = "International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS",

publisher = "Association for Computing Machinery",

pages = "133--149",

booktitle = "Spring Cycle",

address = "الولايات المتّحدة",

}

Zhao, ZN, Morrison, A, Fletcher, CW & Torrellas, J 2024, Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS. in Spring Cycle. International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS, vol. 1, Association for Computing Machinery, pp. 133-149, 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2024, San Diego, United States, 27/04/24. https://doi.org/10.1145/3617232.3624867

Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS. / Zhao, Zirui Neil; Morrison, Adam; Fletcher, Christopher W. et al.
Spring Cycle. Association for Computing Machinery, 2024. p. 133-149 (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Everywhere All at Once

T2 - 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2024

AU - Zhao, Zirui Neil

AU - Morrison, Adam

AU - Fletcher, Christopher W.

AU - Torrellas, Josep

PY - 2024/4/27

Y1 - 2024/4/27

N2 - Microarchitectural side-channel attacks exploit shared hardware resources, posing significant threats to modern systems. A pivotal step in these attacks is achieving physical host co-location between attacker and victim. This step is especially challenging in public cloud environments due to the widespread adoption of the virtual private cloud (VPC) and the ever-growing size of the data centers. Furthermore, the shift towards Function-as-a-Service (FaaS) environments, characterized by dynamic function instance placements and limited control for attackers, compounds this challenge.In this paper, we present the first comprehensive study on risks of and techniques for co-location attacks in public cloud FaaS environments. We develop two physical host fingerprinting techniques and propose a new, inexpensive methodology for large-scale instance co-location verification. Using these techniques, we analyze how Google Cloud Run places function instances on physical hosts and identify exploitable placement behaviors. Leveraging our findings, we devise an effective strategy for instance launching that achieves 100% probability of co-locating the attacker with at least one victim instance. Moreover, the attacker co-locates with 61% - 100% of victim instances in three major Cloud Run data centers.

AB - Microarchitectural side-channel attacks exploit shared hardware resources, posing significant threats to modern systems. A pivotal step in these attacks is achieving physical host co-location between attacker and victim. This step is especially challenging in public cloud environments due to the widespread adoption of the virtual private cloud (VPC) and the ever-growing size of the data centers. Furthermore, the shift towards Function-as-a-Service (FaaS) environments, characterized by dynamic function instance placements and limited control for attackers, compounds this challenge.In this paper, we present the first comprehensive study on risks of and techniques for co-location attacks in public cloud FaaS environments. We develop two physical host fingerprinting techniques and propose a new, inexpensive methodology for large-scale instance co-location verification. Using these techniques, we analyze how Google Cloud Run places function instances on physical hosts and identify exploitable placement behaviors. Leveraging our findings, we devise an effective strategy for instance launching that achieves 100% probability of co-locating the attacker with at least one victim instance. Moreover, the attacker co-locates with 61% - 100% of victim instances in three major Cloud Run data centers.

KW - cloud computing

KW - co-location vulnerability

KW - function-as-a-service (FaaS)

KW - timestamp counter

UR - http://www.scopus.com/inward/record.url?scp=85191466253&partnerID=8YFLogxK

U2 - 10.1145/3617232.3624867

DO - 10.1145/3617232.3624867

M3 - منشور من مؤتمر

T3 - International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS

SP - 133

EP - 149

BT - Spring Cycle

PB - Association for Computing Machinery

Y2 - 27 April 2024 through 1 May 2024

ER -

Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this