Publication


Featured research published by Jingzheng Wu.


International Conference on Cloud Computing | 2012

XenPump: A New Method to Mitigate Timing Channel in Cloud Computing

Jingzheng Wu; Liping Ding; Yuqi Lin; Nasro Min-Allah; Yongji Wang

Cloud computing security has become a focus of information security, with much attention drawn to user privacy leakage. Although isolation and some other security policies have been provided to protect the security of cloud computing, confidential information can still be stolen through timing channels without being detected. In this paper, a new method named XenPump is presented that aims to mitigate the threat of timing channels by adding latency. XenPump is designed as a module located in the hypervisor, monitoring the hypercalls used by the timing channels and adding latencies to lower the threat to an acceptable level. The prototype of XenPump has been implemented on the Xen virtualization platform, and its performance is evaluated with the shared memory based timing channel. The experiment results show that XenPump can mitigate the threat of the timing channel by interrupting both the capacity and transmission accuracy. It is believed that after small extension, XenPump can mitigate the incoming timing channels.


International Conference on Cloud Computing | 2011

Identification and Evaluation of Sharing Memory Covert Timing Channel in Xen Virtual Machines

Jingzheng Wu; Liping Ding; Yongji Wang; Wei Han

Virtualization technology is the basis of cloud computing, and the most important property of virtualization is isolation. Isolation guarantees security between virtual machines. However, a covert channel breaks the isolation and leaks sensitive messages covertly. In this paper, we formally model isolation as noninterference, and define all transmission channels that violate noninterference as covert channels. With this definition, we present an identification method based on information flow. This method first compiles the source code into a more structured equivalent code with LLVM. Then a search algorithm is proposed to obtain the shared resources and the operational processes in the equivalent code. A new covert channel termed sharing memory covert timing channel (SMCTC) is identified from Xen source code. We construct a channel scenario for SMCTC, and evaluate its threat with the metrics of channel capacity and transmission accuracy. The results show that SMCTC poses a much greater threat than CPU load based and cache based covert channels, etc.


Mathematical and Computer Modelling | 2012

Improving performance of network covert timing channel through Huffman coding

Jingzheng Wu; Yongji Wang; Liping Ding; Xiaofeng Liao

A network covert channel is a mechanism used to transfer covert messages through a network in violation of security policies. The performance of a channel is crucial to an attacker. Some studies have improved the performance by advancing the coding mechanism, but few have taken into account the redundancy of the covert message. This paper introduces a Huffman coding scheme to compress the transferred data by exploiting redundancy, and investigates the performance of the network timing channel according to the channel capacity and covertness. A mathematical model of capacity is presented and the effects of the parameters are analyzed. The experiment examines how the network delays and the Huffman coding scheme affect the capacity and covertness, and the results demonstrate that the performance of the timing channel is improved.


Security and Communication Networks | 2014

C2Detector: a covert channel detection framework in cloud computing

Jingzheng Wu; Liping Ding; Yanjun Wu; Nasro Min-Allah; Samee Ullah Khan; Yongji Wang

Cloud computing is becoming increasingly popular because of the dynamic deployment of computing service. Another advantage of cloud is that data confidentiality is protected by the cloud provider with the virtualization technology. However, a covert channel can break the isolation of the virtualization platform and leak confidential information without the virtual machines knowing. In this paper, the threat model of covert channels is analyzed. The channels are classified into three categories, and only the category that is new to cloud computing is considered, for example, CPU load-based, cache-based, and shared memory-based covert channels. The covert channel scenario is modeled as an error-corrected four-state automaton, and two error-corrected algorithms are designed. A new detection framework termed C2Detector is presented. C2Detector includes a captor located in the hypervisor and a two-phase synthesis algorithm implemented as Markov and Bayesian detectors. A prototype of C2Detector is implemented on the Xen hypervisor, and its performance in detecting the covert channels is demonstrated. The experiment results show that C2Detector can detect the three types of covert channels with an acceptable false positive rate by using a pessimistic threshold. Moreover, C2Detector is a plug-in framework and can be easily extended. It is believed that new covert channels can be detected by C2Detector in the future.


IEEE International Conference on Cloud Computing Technology and Science | 2014

CIVSched: A Communication-Aware Inter-VM Scheduling Technique for Decreased Network Latency between Co-Located VMs

Bei Guan; Jingzheng Wu; Yongji Wang; Samee Ullah Khan

Server consolidation in cloud computing environments makes it possible for multiple servers or desktops to run on a single physical server for high resource utilization, low cost, and reduced energy consumption. However, the scheduler in the virtual machine monitor (VMM), such as the Xen credit scheduler, is agnostic about the communication behavior between the guest operating systems (OS). The aforementioned behavior leads to increased network communication latency in consolidated environments. In particular, CPU resource management has a critical impact on the network latency between co-located virtual machines (VMs) when there are CPU- and I/O-intensive workloads running simultaneously. This paper presents the design and implementation of a communication-aware inter-VM scheduling (CIVSched) technique that takes into account the communication behavior between VMs running on the same virtualization platform. The CIVSched technique inspects the network packets transmitted between local co-resident domains to identify the target VM and process that will receive the packets. Thereafter, the target VM and process are preferentially scheduled by the VMM and the guest OS. The cooperation of these two schedulers allows the network packets to be received by the target application in a timely manner. Experimental results on the Xen virtualization platform show that the CIVSched technique can reduce the average response time of network traffic by approximately 19 percent for the highly consolidated environment, while keeping the inherent fairness of the VMM scheduler.


IEEE International Conference on Software Security and Reliability Companion | 2013

Robust and Efficient Covert Channel Communications in Operating Systems: Design, Implementation and Evaluation

Yuqi Lin; Liping Ding; Jingzheng Wu; Yalong Xie; Yongji Wang

Covert channels have been studied for years due to their ability to divulge sensitive information in computer systems. Constructing covert communication scenarios is the first step in understanding the threat of a channel. There are several challenges in the existing design of covert channel communications: the lack of a general communication model description, low transmission accuracy and weak anti-interference ability. In this paper, we explore how to construct robust and efficient covert channel communications in operating systems. Firstly, we design three general covert communication protocol models: the Basic Protocol (BP), the Two-Channel Transmission Protocol (TCTP) and the Self-Adaptive Protocol (SAP). Then we implement them in Linux operating systems. To simulate real attack scenarios, a toy Trojan program that extracts passwords and cooperates with the covert protocols is presented. To identify potential covert channels in the Linux kernel, we use a Directed Information Flow Graph (DIFG) to analyze the source code and choose the last_pid and temporary files channels in our implementation. Finally, we evaluate the transmission rate and accuracy of the three protocols. The results demonstrate that without special protective measures, the TCTP can achieve rather high accuracy and rate (100% and 31 bps in our lab). When equipped with some restricting or interfering mechanisms, the SAP can achieve 97% accuracy and an 18 bps rate. This result reveals that attackers can bypass countermeasures to steal sensitive data from victims by well-designed covert protocols.


International Conference on Software Engineering | 2017

Exception beyond Exception: Crashing Android System by Trapping in "Uncaught Exception"

Jingzheng Wu; Shen Liu; Shouling Ji; Mutian Yang; Tianyue Luo; Yanjun Wu; Yongji Wang

Android is characterized as a complicated open source software stack created for a wide array of devices with different form factors, whose latest release has over one hundred million lines of code. Such code is mainly developed with the Java language, which builds complicated logic and brings implicit information flows among components and the inner framework. By studying the source code of system service interfaces, we discovered an unknown type of code flaw, which is named the uncaughtException flaw, caused by poorly implemented exceptions that could crash the system and leave it vulnerable to system-level Denial-of-Service (DoS) attacks. We found that exceptions are used to handle errors and other exceptional events, but sometimes they kill critical system services unexpectedly. We designed and implemented ExHunter, a new tool for automatic detection of this uncaughtException flaw by dynamically reflecting service interfaces, continuously fuzzing parameters and verifying the running logs. On 11 new popular Android devices, ExHunter extracted 1045 system services, reflected 758 suspicious functions, discovered 132 uncaughtException flaws which are 0-day vulnerabilities that have never been known before and generated 275 system DoS attack exploitations. The results showed that: (1) almost every type of Android phone suffers from this flaw, (2) the flaws differ from phone to phone, and (3) all the vulnerabilities can be exploited by direct/indirect trapping. To mitigate uncaughtException flaws, we further developed ExCatcher to re-catch the exceptions. Finally, we informed four internationally renowned manufacturers and provided secure improvements in their commercial phones.


Secure Software Integration and Reliability Improvement | 2011

A Practical Covert Channel Identification Approach in Source Code Based on Directed Information Flow Graph

Jingzheng Wu; Liping Ding; Yongji Wang; Wei Han

Covert channel analysis is an important requirement when building secure information systems, and identification is the most difficult task. Although some approaches have been presented, they are either experimental or constrained to some particular systems. This paper presents a practical approach based on a directed information flow graph that takes advantage of source code analysis. The approach divides the whole system into several independent modules and analyzes them separately. All the shared variables and their caller functions are found in the source code and modeled as directed information flow graphs. When the information flow branches are visible and modifiable to the external interface, a potential covert channel exists. Contributions made in this paper are as follows: a modularized analysis scheme is proved and reduces the workload of identification, a directed information flow graph algorithm is presented and used to model the covert channels, more than 30 covert channels have been identified in Linux kernel source code using this scheme, and a typical channel scenario is constructed.


International Conference on Cloud Computing | 2013

Vulnerability Detection of Android System in Fuzzing Cloud

Jingzheng Wu; Yanjun Wu; Mutian Yang; Zhifei Wu; Yongji Wang

The rapid growth of the Android system has brought enormous security challenges. The vulnerabilities caused by the limited security models, coarse permission system and code flaws lead to private information leakage, denial of service, potential costs, etc. To detect these vulnerabilities, some analysis and security testing methods have been presented. However, most of these methods focus on certain aspects, for example, applications, permission, or capability leakage. In this paper, we propose a new detection paradigm named Fuzzing Cloud to detect vulnerabilities in the Android system. Firstly, the architecture of fuzzing cloud is introduced, and the fuzzing nodes are investigated. Then, each layer of the Android system is decomposed into separate modules, and the fuzzing test cases are created with the endless capacity of processing power and storage in fuzzing cloud. Finally, the prototype of fuzzing cloud has been implemented, and some separate modules have been tested. The experiment results show that some vulnerabilities can be detected by the fuzzing cloud. It is also believed that after small extension, fuzzing cloud can detect vulnerabilities in other systems.


Journal of Global Optimization | 2017

Solving linear optimization over arithmetic constraint formula

Li Chen; Yinrun Lyu; Chong Wang; Jingzheng Wu; Changyou Zhang; Nasro Min-Allah; Jamal Alhiyafi; Yongji Wang

Since Balas extended the classical linear programming problem to the disjunctive programming (DP) problem where the constraints are combinations of both logic AND and OR, many researchers have explored this optimization problem under various theoretical or application scenarios such as generalized disjunctive programming (GDP), optimization modulo theories (OMT), robot path planning, real-time systems, etc. However, the possibility of combining these differently-described but form-equivalent problems into a single expression remains overlooked. The contribution of this paper is twofold. First, we convert the linear DP/GDP model, linear-arithmetic OMT problem and related application problems into an equivalent form, referred to as the linear optimization over arithmetic constraint formula (LOACF). Second, a tree-search-based algorithm named RS-LPT is proposed to solve LOACF. RS-LPT exploits the techniques of interval analysis and nonparametric estimation for reducing the search tree and lowering the number of visited nodes. Also, RS-LPT alleviates bad construction of the search tree by backtracking and pruning dynamically. We evaluate RS-LPT against the two most common DP/GDP methods, three state-of-the-art OMT solvers and the disjunctive transformation based method on optimization benchmarks with different types and scales. Our results favor RS-LPT as compared to existing competing methods, especially for large scale cases.

Collaboration


Top Co-Authors

Yongji Wang (Huazhong University of Science and Technology)

Yanjun Wu (Chinese Academy of Sciences)

Mutian Yang (Chinese Academy of Sciences)

Liping Ding (Chinese Academy of Sciences)

Tianyue Luo (Chinese Academy of Sciences)

Zhifei Wu (Chinese Academy of Sciences)

Yuqi Lin (Chinese Academy of Sciences)

Samee Ullah Khan (North Dakota State University)

Nasro Min-Allah (COMSATS Institute of Information Technology)

Bei Guan (Chinese Academy of Sciences)