Pacer: Comprehensive Network Side-Channel Mitigation in the Cloud

This paper presents Pacer, a new system for preventing network side-channels leaks (NSCs) in IaaS Clouds. NSCs leak secrets through packet timing and packet sizes. They are of particular concern in public IaaS Clouds, where any tenant may be able to colocate with a victim and mount an attack. Pacer is the first system that eliminates NSC leaks in public IaaS Clouds end-to-end. It builds on the principled technique of shaping guest traffic outside the guest to make the traffic shape independent of secrets by design. However, Pacer also addresses important concerns that have not been considered in prior work--it prevents internal side-channel leaks from affecting reshaped traffic, and it respects network flow control, congestion control and loss recovery signals. Pacer is implemented as a paravirtualizing extension to the host hypervisor, requiring modest changes to the hypervisor and the guest kernel, and only optional, minimal changes to applications. We describe Pacer's key abstraction--a cloaked tunnel, its design and implementation, prove the security of important design aspects through a formal model, and show through an experimental evaluation that Pacer imposes only moderate overheads on bandwidth, client latency and server throughput.