HomeAlone borrows techniques that are more commonly used by attackers, detecting the presence of other virtual machines on a server via what are known as “side channels.” Side channels are the byproducts of running software: power usage data or the pattern in which software accesses temporary storage.
HomeAlone watches for unexpected use of a part of the memory called the cache—a sign that an unauthorized virtual machine is present. The software coordinates the activity of legitimate virtual machines so that a randomly selected part of the cache goes quiet; if there’s another virtual machine present, it gives itself away by continuing to use that portion of the cache.
HomeAlone can detect unexpected virtual machines at a rate of 80 percent or better, with about 1 percent false positives. But aggressively malicious virtual machines are even more likely to be detected because they will be more actively using the cache.
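As an added illustration (not the researchers' HomeAlone code), here is a toy simulation of the quiet-region check described above: the legitimate tenants are steered away from a randomly chosen cache region, and a co-resident VM is inferred when that region keeps being evicted anyway. The cache size, region width, decision threshold and access patterns are all constructed; the busy versus quiet intruder cases show why the detection rate depends on how actively the foreign VM uses the cache.

```python
import random

# Toy model of the cache-quiescence check (added example, not the researchers'
# code). Cache geometry, threshold and tenant access patterns are constructed.
N_SETS = 64         # cache sets in the toy last-level cache
REGION_WIDTH = 8    # sets in the randomly chosen quiet region
THRESHOLD = 0.05    # eviction rate tolerated as background noise

def choose_quiet_region(rng):
    """Randomly place a contiguous group of cache sets that legitimate VMs will avoid."""
    start = rng.randrange(0, N_SETS - REGION_WIDTH + 1)
    return frozenset(range(start, start + REGION_WIDTH))

def cooperating(vm, quiet):
    """Wrap a legitimate tenant's access pattern so it stays out of the quiet region."""
    return lambda slot: vm(slot) - quiet

def eviction_rate(quiet, tenants, slots, noise_rate, rng):
    """Each slot: prime the quiet region, let every tenant run, count evicted lines.
    Returns the fraction of (set, slot) pairs in which a quiet-region line was evicted."""
    evicted = 0
    for slot in range(slots):
        touched = set()
        for tenant in tenants:
            touched |= tenant(slot) & quiet
        for s in quiet:                       # hypervisor/prefetcher noise, tenant-independent
            if rng.random() < noise_rate:
                touched.add(s)
        evicted += len(touched)
    return evicted / (len(quiet) * slots)

def foreign_vm_present(quiet, tenants, slots=100, noise_rate=0.0, seed=0):
    """Flag a co-resident VM when the quiet region keeps getting used despite coordination."""
    rate = eviction_rate(quiet, tenants, slots, noise_rate, random.Random(seed))
    return rate > THRESHOLD, rate

# Constructed access patterns: two cooperating tenants, two kinds of uninvited VM.
legit_a = lambda slot: {slot % N_SETS, (slot * 7) % N_SETS}
legit_b = lambda slot: {(slot * 13) % N_SETS}
busy_intruder = lambda slot: set(range(0, N_SETS, 4))            # sweeps the whole cache
quiet_intruder = lambda slot: {10} if slot % 10 == 0 else set()  # touches little, rarely

if __name__ == "__main__":
    quiet = choose_quiet_region(random.Random(42))
    own = [cooperating(legit_a, quiet), cooperating(legit_b, quiet)]
    print("only our VMs:   ", foreign_vm_present(quiet, own))
    print("busy intruder:  ", foreign_vm_present(quiet, own + [busy_intruder]))
    print("quiet intruder: ", foreign_vm_present(quiet, own + [quiet_intruder]))
```

The quiet intruder stays under the threshold, which is the false-negative side of the 80 percent figure above; raising sensitivity trades it against false positives from background noise.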
Bryan Ford, an assistant professor at Yale University who studies decentralized and distributed computer systems, has previously shown that attackers can use side channels to get useful information about the virtual machines running on a shared server—potentially even passwords.
Ford says the amount of information that can be gained from side channels illustrates why companies are right to be nervous about cloud computing. Cloud providers often don’t know what the virtual machines they host are doing, he says, and they don’t want to assume responsibility. Using side channels as a defensive measure is a promising approach, he says, but it could lead to an “arms race that can’t be won.” In other words, attackers might get better at hiding or find new ways to use the side channels against the defenders.
HomeAlone can help only those cloud computing customers who require that their data be physically isolated. “This is not a solution to cloud security en masse,” Reiter says. A lot of work remains to be done to provide similar assurances to other customers.
The researchers are developing a prototype, Oprea says, and the next step is to make the system run on a commercial cloud computing platform to show that it works in practice.