
Research On Detection And Prevention Mechanism For Covert Channel Based On Shared Memory In Multi-tenanted Cloud

Posted on: 2016-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: S Wang
Full Text: PDF
GTID: 2348330503989864
Subject: Computer system architecture
Abstract/Summary:
To maximize the resource utilization rate and reduce memory occupation, the multi-tenanted cloud platform introduces several kinds of memory sharing mechanism. Once such a mechanism takes effect, memory pages are shared among virtual machines in the form of COW (Copy-On-Write) pages. However, a covert channel constructed on shared memory can break the isolation between virtual machines and use cross-VM shared pages to encode and transfer messages to a co-resident VM, resulting in leakage of the user's secret data. Moreover, such a malicious program can run with normal privilege and shows no sign of being a virus. As a result, normal security software in the cloud cannot identify and eliminate this kind of covert channel. In this paper, CovertInspector is presented as a tool to identify and eliminate covert channels based on shared memory in the cloud. By intercepting RDTSC instructions and identifying a special COW page fault sequence, CovertInspector is able to identify the characteristics of the covert channel and further locate the specific process by traversing the processes in the virtual machines. Meanwhile, CovertInspector preserves the benefits of memory sharing while avoiding the shortcomings of the fuzzy timer method, which affects all legitimate programs. Our experiments show that CovertInspector is able to identify the covert channel based on shared memory with zero false negative rate and zero false positive rate. By bridging the semantic gap between the VMM and the guest VM, CovertInspector can identify the malicious covert process without any modification to the guest VM, which is of good practical value.
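As an added illustration that is not code from the thesis, the following Python simulation applies the detection idea described in the abstract to a constructed VMM-side event trace: a COW page fault that is bracketed by RDTSC reads from the same guest process counts as a timed probe of a shared page, and a process that accumulates more such probes than an assumed threshold is flagged. The event names, trace layout and threshold are assumptions made for this example.

```python
from collections import defaultdict

# Assumed threshold: timed COW faults per guest process before it is flagged.
THRESHOLD = 3


def probe(vm, pid, page):
    """One timed write to a shared page as a receiver would perform it:
    read the TSC, touch the page (COW fault if it was deduplicated), read the TSC."""
    return [(vm, pid, "RDTSC", None),
            (vm, pid, "COW_FAULT", page),
            (vm, pid, "RDTSC", None)]


# Constructed trace of events the hypervisor observes: (vm, pid, event, page).
TRACE = (
    probe("vm1", 4242, 0x7f00) + probe("vm1", 4242, 0x7f01)
    + probe("vm1", 4242, 0x7f02) + probe("vm1", 4242, 0x7f03)   # covert receiver probing 4 pages
    + [("vm1", 1001, "COW_FAULT", 0x1200)]                        # benign write to a deduplicated page
    + [("vm2", 77, "RDTSC", None), ("vm2", 77, "RDTSC", None)]    # benign benchmarking, no COW faults
    + [("vm2", 88, "RDTSC", None), ("vm2", 88, "COW_FAULT", 0x3300)]  # one fault, no trailing RDTSC
)


def timed_cow_faults(trace):
    """Count, per (vm, pid), the COW faults immediately preceded and followed
    by an RDTSC from the same process (the timing pattern of a channel receiver)."""
    per_proc = defaultdict(list)
    for vm, pid, event, page in trace:
        per_proc[(vm, pid)].append(event)
    counts = {}
    for key, events in per_proc.items():
        n = 0
        for i in range(1, len(events) - 1):
            if (events[i] == "COW_FAULT"
                    and events[i - 1] == "RDTSC"
                    and events[i + 1] == "RDTSC"):
                n += 1
        counts[key] = n
    return counts


def suspicious_processes(trace, threshold=THRESHOLD):
    """Return the (vm, pid) pairs whose timed-fault count reaches the threshold."""
    return sorted(k for k, n in timed_cow_faults(trace).items() if n >= threshold)


if __name__ == "__main__":
    print(timed_cow_faults(TRACE))
    print(suspicious_processes(TRACE))   # [('vm1', 4242)]
```

Because events are grouped per process before matching, interleaving between guests does not hide the pattern; a real deployment would additionally need to map the flagged pid to a process name inside the guest, which is the semantic-gap step the abstract mentions.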
Keywords/Search Tags:Virtualization, Multi-tenant, Memory Deduplication, Covert Channel