Sync+Sync: A Covert Channel Built on fsync with Storage

Qisheng Jiang, Chundong Wang

TL;DR

The paper identifies a practical covert channel built on the fsync primitive in persistent storage and shows that concurrent fsyncs create measurable contention across the file-system journal and storage-device I/O paths. It introduces Sync+Sync, achieves up to 20,000 bps with about 0.40% error in intra-disk settings, and demonstrates viability across cross-file, cross-container, cross-VM, and even cross-disk scenarios. The authors further leverage Sync+Sync to perform side-channel attacks including precise database operation inference, application and website fingerprinting, and keystroke recovery, highlighting substantial information leakage surfaces via storage I/O. They discuss limitations, potential defenses, and platform considerations, underscoring the need for security-aware storage stack design and cross-platform scrutiny of fsync-related contention. The work broadens the landscape of covert channels to include persistent storage and motivates further research into mitigating storage-level side channels while preserving necessary durability guarantees.

Abstract

Scientists have built a variety of covert channels for secretive information transmission with CPU cache and main memory. In this paper, we turn to a lower level in the memory hierarchy, i.e., persistent storage. Most programs store intermediate or eventual results in the form of files, and some of them call fsync to synchronously persist a file with the storage device for orderly persistence. Our quantitative study shows that one program would undergo a significantly longer response time for an fsync call if the other program is concurrently calling fsync, although they do not share any data. We further find that concurrent fsync calls contend at multiple levels of the storage stack due to sharing software structures (e.g., Ext4's journal) and hardware resources (e.g., the disk's I/O dispatch queue). We accordingly build a covert channel named Sync+Sync. Sync+Sync delivers a transmission bandwidth of 20,000 bits per second at an error rate of about 0.40% with an ordinary solid-state drive. Sync+Sync can be conducted in cross-disk partition, cross-file system, cross-container, cross-virtual machine, and even cross-disk drive fashions, without sharing data between programs. Next, we launch side-channel attacks with Sync+Sync and manage to precisely detect operations of a victim database (e.g., insert/update and B-Tree node split). We also leverage Sync+Sync to distinguish applications and websites with high accuracy by detecting and analyzing their fsync frequencies and flushed data volumes. These attacks are useful to support further fine-grained information leakage.

Paper Structure (31 sections, 4 equations, 19 figures, 7 tables, 2 algorithms)


Figures (19)

  • Figure 1: An Overview of Linux I/O Stack.
  • Figure 2: An Illustration of Contention Caused by fsync.
  • Figure 3: Raw Traces of Cross-file Sync+Sync Channels within Ext4.
  • Figure 4: An Illustrative Example of '1' and '0' Transmission Protocol between Sender and Receiver with Sync+Sync.
  • Figure 5: The Capacity of Cross-file Sync+Sync Channel (with and without Noise from Multiple Workloads).
  • ...and 14 more figures