Network side channels (NSCs) leak secrets through packet timing and packet sizes. They are of particular concern in public IaaS Clouds, where any tenant may be able to colocate and indirectly observe a victim's traffic shape. We present Pacer, the first system that eliminates NSC leaks in public IaaS Clouds end-to-end. It builds on the principled technique of shaping guest traffic outside the guest to make the traffic shape independent of secrets by design. However, Pacer also addresses important concerns that have not been considered in prior work -- it prevents internal side-channel leaks from affecting reshaped traffic, and it respects network flow control, congestion control and loss recovery signals. Pacer is implemented as a paravirtualizing extension to the host hypervisor, requiring modest changes to the hypervisor and the guest kernel, and only optional, minimal changes to applications. We present Pacer's key abstraction of a cloaked tunnel, describe its design and implementation, prove the security of important design aspects through a formal model, and show through an experimental evaluation that Pacer imposes moderate overheads on bandwidth, client latency, and server throughput, while thwarting attacks based on state-of-the-art CNN classifiers.
翻译:网络侧渠道(NSCs)通过封装时间和封装大小泄漏秘密。 封装时间和封装大小, 封存者特别关心这些秘密, 任何租户都可以在IaS Clouds公共平台上放置并间接观察受害者的交通形状。 我们展示了Pacer, 这是第一个在公开的IaAS Clouds端到端端端消除NSC泄漏的系统。 它基于在客人外塑造客流量的原则性方法, 目的是通过设计使隐蔽隧道的交通结构独立于秘密。 然而, Pacer也处理以前工作中未曾考虑过的重要问题 -- -- 它防止内部侧道漏漏影响重塑的交通,它尊重网络流量控制、拥堵控制和损失恢复信号。 Pacer是作为对主机超视仪的准扩展, 需要对超视仪和访客内内核进行适度的改动, 并且只是对应用程序进行可选的最小的修改。 我们介绍Pacer对隐蔽隧道的主要抽象图, 描述其设计和实施, 通过正式模型证明重要设计方面的安全性, 并通过实验性评估显示Pacer 将中中中中中中控服务器的中压式服务器。