Albalawi, Abdullah ORCID: https://orcid.org/0000-0001-7609-3192 (2022) Mitigation of Cache Side-Channel Attacks in Virtualised Environments. PhD thesis, University of York.
Abstract
Cloud computing is an important technology that significantly reduces costs and increases operations and economic efficiencies through the use of shared computing resources provided with lightweight administrative procedures. However, the multi-tenancy model and sharing virtualised resources in cloud computing have also introduced new security vulnerabilities. An important such vulnerability arises when a malicious user exploits the cloud allocation techniques or VM (virtual machine) placement policies to co-locate their VM on the same physical server as a target victim VM. This then allows the malicious user to perform co-resident side-channel attacks leading to confidentiality violations such as obtaining cryptographic keys used on the victim's VM.
In this thesis, we present several proposed methods that can be integrated to mitigate the threat of cache side-channel attacks in particular and of microarchitectural attacks in general. These methods approach the threat from different viewpoints so as to maintain and preserve the advantages and characteristics of cloud computing.
The first method uses memory deduplication features to allow the proposed defence mechanism to reach the shared physical addresses of the sensitive processes to be monitored. It identifies suspicious behaviours using logistic regression to classify the behaviours according to the readings extracted from observation of the shared cache lines. This mechanism provides self-protection for the VM and, in the rare cases of false negatives, still disrupts the attacker's results because of the frequent accesses to the monitored cache lines.
The second method relies on integrating dynamic and static analysis based on machine and deep learning algorithms. This mechanism monitors suspicious behaviour within the shared virtualised system using hardware performance counters that relate to the shared cache and are affected by cache side-channel attacks. If any suspicious behaviour of a VM is observed, the static analysis is run: it accesses the disk images and RAM images of the suspicious VM to extract executable files, checks them against implicit attack characteristics (opcodes) using reverse engineering tools, and then determines the threat level of the VM using a Softmax classification algorithm. This mechanism uses static analysis to protect the shared systems with low system overhead and high accuracy.
The third method is based on static analysis of microarchitectural attacks and logistic regression for classification, integrated with the ClamAV antivirus. This mechanism is designed to ensure the integrity of the shared virtualised system. It is a fundamental process intended for regular checking of VMs at long intervals.
These three mechanisms have also been combined to provide adequate protection for the shared virtualised systems, relying on diverse and high-accuracy lines of defence in detecting suspicious activities within the systems.
Metadata
| Field | Value |
|---|---|
| Supervisors | Vasileios Vasilakis and Radu Calinescu |
| Keywords | Cloud Computing Security, Cache Side-channel Attacks, Microarchitectural Attacks |
| Awarding institution | University of York |
| Academic Units | The University of York > Computer Science (York) |
| Depositing User | Abdullah Albalawi |
| Date Deposited | 21 Oct 2022 10:54 |
| Last Modified | 21 Oct 2023 00:05 |
| Open Archives Initiative ID (OAI ID) | oai:etheses.whiterose.ac.uk:31705 |
Download
Examined Thesis (PDF)
Filename: Abdullah Saleh G Albalawi.pdf
Licence: This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License