Dynamic Frequency-Based Fingerprinting Attacks against Modern Sandbox Environments

TL;DR

The paper addresses the risk that user-space accessible CPU frequency data can fingerprint containers across native, sandboxed, and TEE-enabled cloud environments. It introduces a two-phase methodology (offline fingerprint collection and online CNN-based identification) and demonstrates that Docker images can be distinguished with up to 84.5% accuracy native and over 70% accuracy in gVisor, Firecracker, Gramine (SGX), and AMD SEV within 40 seconds. It systematically analyzes robustness across microarchitectures, multi-core contention, image versions, and docker-pull phases, and provides a practical noise-injection defense along with syscall-based detection ideas. The findings have practical implications for cloud security and container privacy, motivating the development of countermeasures that mitigate frequency-based side channels with acceptable performance overhead.

Abstract

The cloud computing landscape has evolved significantly in recent years, embracing various sandboxes to meet the diverse demands of modern cloud applications. These sandboxes encompass container-based technologies like Docker and gVisor, microVM-based solutions like Firecracker, and security-centric sandboxes relying on Trusted Execution Environments (TEEs) such as Intel SGX and AMD SEV. However, the practice of placing multiple tenants on shared physical hardware raises security and privacy concerns, most notably side-channel attacks. In this paper, we investigate the possibility of fingerprinting containers through CPU frequency reporting sensors in Intel and AMD CPUs. One key enabler of our attack is that the current CPU frequency information can be accessed by user-space attackers. We demonstrate that Docker images exhibit a unique frequency signature, enabling the distinction of different containers with up to 84.5% accuracy even when multiple containers are running simultaneously in different cores. Additionally, we assess the effectiveness of our attack when performed against several sandboxes deployed in cloud environments, including Google's gVisor, AWS' Firecracker, and TEE-based platforms like Gramine (utilizing Intel SGX) and AMD SEV. Our empirical results show that these attacks can also be carried out successfully against all of these sandboxes in less than 40 seconds, with an accuracy of over 70% in all cases. Finally, we propose a noise injection-based countermeasure to mitigate the proposed attack on cloud environments.

Figures (13)

• Figure 1: Overview of the threat models of our proposed attack in different execution environments.
• Figure 2: Frequency signatures of containers running in the Native Linux environment are given. openjdk (a, b), groovy (c, d), and ghost (e, f) containers have distinct fingerprints.
• Figure 3: Accuracy of container fingerprinting in the native environment with different samples. The accuracy in terms of the top 3 and top 5 guesses of the prediction model is also considered to make a comparison.
• Figure 4: The effects of running containers simultaneously in parallel cores. Although the containers are running in separate cores, the concurrent execution introduces some noise, which affects the accuracy of the pre-trained model.
• Figure 5: Demonstrating less frequency activity as the cause behind high misprediction rates of some Docker images. The left portion of the figure corresponds to the images that are comparatively harder to distinguish than the images in the right portion that show high-frequency activity.