Table of Contents
Fetching ...

Side-Channel Attacks on Open vSwitch

Daewoo Kim, Sihang Liu

TL;DR

The paper demonstrates that Open vSwitch, a common software-based virtual switch, exhibits exploitable side channels via its two-tier caching (microflow and megaflow caches). By characterizing cache latencies and eviction behaviors, the authors extract three attack primitives and implement remote attacks: covert channels, remote header recovery, and remote packet-rate monitoring. They quantify attack performance, showing high microflow-based covert-channel bandwidth and substantial recovery/monitoring capabilities, and propose defenses including instance isolation and cache-hashing/ordering randomization that mitigate the threats. The work highlights security risks in cloud virtualization stacks and provides practical mitigation guidance for OVS deployments. Overall, the findings underscore the need for careful isolation and randomized cache policies to preserve tenant isolation in virtual networks.

Abstract

Virtualization is widely adopted in cloud systems to manage resource sharing among users. A virtualized environment usually deploys a virtual switch within the host system to enable virtual machines to communicate with each other and with the physical network. The Open vSwitch (OVS) is one of the most popular software-based virtual switches. It maintains a cache hierarchy to accelerate packet forwarding from the host to virtual machines. We characterize the caching system inside OVS from a security perspective and identify three attack primitives. Based on the attack primitives, we present three remote attacks via OVS, breaking the isolation in virtualized environments. First, we identify remote covert channels using different caches. Second, we present a novel header recovery attack that leaks a remote user's packet header fields, breaking the confidentiality guarantees from the system. Third, we demonstrate a remote packet rate monitoring attack that recovers the packet rate of a remote victim. To defend against these attacks, we also discuss and evaluate mitigation solutions.

Side-Channel Attacks on Open vSwitch

TL;DR

The paper demonstrates that Open vSwitch, a common software-based virtual switch, exhibits exploitable side channels via its two-tier caching (microflow and megaflow caches). By characterizing cache latencies and eviction behaviors, the authors extract three attack primitives and implement remote attacks: covert channels, remote header recovery, and remote packet-rate monitoring. They quantify attack performance, showing high microflow-based covert-channel bandwidth and substantial recovery/monitoring capabilities, and propose defenses including instance isolation and cache-hashing/ordering randomization that mitigate the threats. The work highlights security risks in cloud virtualization stacks and provides practical mitigation guidance for OVS deployments. Overall, the findings underscore the need for careful isolation and randomized cache policies to preserve tenant isolation in virtual networks.

Abstract

Virtualization is widely adopted in cloud systems to manage resource sharing among users. A virtualized environment usually deploys a virtual switch within the host system to enable virtual machines to communicate with each other and with the physical network. The Open vSwitch (OVS) is one of the most popular software-based virtual switches. It maintains a cache hierarchy to accelerate packet forwarding from the host to virtual machines. We characterize the caching system inside OVS from a security perspective and identify three attack primitives. Based on the attack primitives, we present three remote attacks via OVS, breaking the isolation in virtualized environments. First, we identify remote covert channels using different caches. Second, we present a novel header recovery attack that leaks a remote user's packet header fields, breaking the confidentiality guarantees from the system. Third, we demonstrate a remote packet rate monitoring attack that recovers the packet rate of a remote victim. To defend against these attacks, we also discuss and evaluate mitigation solutions.
Paper Structure (48 sections, 21 figures, 5 tables)

This paper contains 48 sections, 21 figures, 5 tables.

Figures (21)

  • Figure 1: Packet forwarding in OpenFlow pipeline.
  • Figure 2: Software-based caches in OVS.
  • Figure 3: Microflow cache (with default size of 8k entries).
  • Figure 4: Megaflow cache.
  • Figure 5: Overall system setup for OVS characterization.
  • ...and 16 more figures