I Know What You Sync: Covert and Side Channel Attacks on File Systems via syncfs
Cheng Gu, Yicheng Zhang, Nael Abu-Ghazaleh
TL;DR
This work reveals a new OS-level timing leakage channel in shared file systems by exploiting the syncfs call. It identifies leakage vectors that sense I/O activity and infer write sizes, enabling fast covert channels and three high-accuracy side-channel attacks (web, video, and Android app fingerprinting) across Linux, Windows, Android, and containers. By leveraging STFT features and CNNs, the attacks achieve precision and recall above 90% in most scenarios, including open-world settings, and demonstrate cross-container leakage with measurable bandwidth. The findings underscore the need for mitigations in syncfs design, timer access controls, anomaly detection, and I/O buffer isolation to preserve cross-process and cross-container isolation in modern OSes.
Abstract
Operating Systems enforce logical isolation using abstractions such as processes, containers, and isolation technologies to protect a system from malicious or buggy code. In this paper, we show new types of side channels through the file system that break this logical isolation. The file system plays a critical role in the operating system, managing all I/O activities between the application layer and the physical storage device. We observe that the file system implementation is shared, leading to timing leakage when using common I/O system calls. Specifically, we found that modern operating systems take advantage of any flush operation (which saves cached blocks in memory to the SSD or disk) to flush all of the I/O buffers, even those used by other isolation domains. Thus, by measuring the delay of syncfs, the attacker can infer the I/O behavior of victim programs. We then demonstrate a syncfs covert channel attack on multiple file systems, including both Linux native file systems and the Windows file system, achieving a maximum bandwidth of 5 Kbps with an error rate of 0.15% on Linux and 7.6 Kbps with an error rate of 1.9% on Windows. In addition, we construct three side-channel attacks targeting both Linux and Android devices. On Linux devices, we implement a website fingerprinting attack and a video fingerprinting attack by tracking the write patterns of temporary buffering files. On Android devices, we design an application fingerprinting attack that leaks application write patterns during boot-up. The attacks achieve over 90% F1 score, precision, and recall. Finally, we demonstrate that these attacks can be exploited across containers implementing a container detection technique and a cross-container covert channel attack.