Side-channel security


This research looks at data disclosures due to side channels in cloud services.

Side channels arise when mutually untrusting principals share resources. In public clouds, different tenants share the cloud provider's CPUs, caches, memory, storage, and network resources. A tenant's (the victim's) usage of a server's resources may be correlated with its secrets; an adversarial tenant on the same server can observe the victim's usage of shared resources and thereby infer those secrets. How can tenants ensure the privacy of their sensitive data and code hosted in the cloud in the face of such side-channel attacks? Moreover, how can we design efficient side-channel mitigations given the changing landscape of cloud architecture, where applications and hardware are becoming more disaggregated, leading to increased resource sharing among untrusted tenants?

Our prior work has investigated fundamental principles for building secure mitigations against memory side-channel attacks (USENIX Security '17) and network side-channel attacks (USENIX Security '22) in the cloud. The key principle is to shape an application's resource usage pattern to make it independent of the application's secrets. Using this principle, we developed mitigations for applications ranging from proprietary machine learning algorithms to web and video streaming services. These mitigations protect the application's secrets while incurring moderate overheads on application performance and resource requirements. In the future, we will build more efficient, general-purpose, and practical tools for mitigating side-channel attacks in serverless cloud applications running on disaggregated datacenter hardware.
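The shaping principle above can be made concrete with a small added example (not code from Pacer or from the papers listed on this page): a sender that always emits the same number of equal-sized packets on a fixed schedule, so the observable trace is identical for any response. The constants, function names, and sample responses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PACKET_SIZE = 1200   # bytes on the wire for every packet (assumed value)
INTERVAL_MS = 10     # fixed gap between transmissions (assumed value)
SLOTS = 8            # packets per response, chosen from public information only
HEADER = 2           # length prefix so the receiver can strip padding

@dataclass(frozen=True)
class Packet:
    t_ms: int
    size: int
    payload: bytes   # encrypted in practice; the observer sees only t_ms and size

def unshaped(response: bytes):
    """Baseline: packet count and final packet size both leak len(response)."""
    chunks = [response[i:i + PACKET_SIZE]
              for i in range(0, len(response), PACKET_SIZE)] or [b""]
    return [Packet(i, len(c), c) for i, c in enumerate(chunks)]

def shaped(response: bytes):
    """Emit exactly SLOTS packets of PACKET_SIZE bytes at fixed intervals."""
    room = PACKET_SIZE - HEADER
    if len(response) > SLOTS * room:
        # The shape must be sized from public knowledge, never from the secret.
        raise ValueError("response exceeds the shape; use a larger public profile")
    trace = []
    for slot in range(SLOTS):
        chunk = response[slot * room:(slot + 1) * room]   # empty => dummy packet
        body = len(chunk).to_bytes(HEADER, "big") + chunk
        body += b"\x00" * (PACKET_SIZE - len(body))       # pad to constant size
        trace.append(Packet(slot * INTERVAL_MS, PACKET_SIZE, body))
    return trace

def observable(trace):
    """What a co-located network adversary can measure: timing and size."""
    return [(p.t_ms, p.size) for p in trace]

def unshape(trace):
    """Receiver side: drop padding and dummy packets to recover the response."""
    return b"".join(p.payload[HEADER:HEADER + int.from_bytes(p.payload[:HEADER], "big")]
                    for p in trace)

def overhead(response: bytes) -> float:
    """Bytes sent under shaping divided by useful bytes (the cost of the mitigation)."""
    return SLOTS * PACKET_SIZE / max(len(response), 1)

# Constructed sample responses whose lengths depend on a secret (e.g. which item was requested).
RESP_A = b"A" * 3000
RESP_B = b"B" * 7500
```

Without shaping, the two sample responses produce 3 and 7 packets; with shaping, both produce the same 8-packet trace, at the cost reported by `overhead`.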

Additional Information

People: Aastha Mehta, Amir Sabzi

Pacer: Comprehensive Network Side-Channel Mitigation in the Cloud (USENIX Security '22)

Oblivious Multi-Party Machine Learning on Trusted Processors (USENIX Security '17)


Systopia lab is supported by a number of government and industrial sources, including Cisco Systems, the Communications Security Establishment Canada, Intel Research, the National Sciences and Engineering Research Council of Canada (NSERC), Network Appliance, Office of the Privacy Commissioner of Canada, and the National Science Foundation (NSF).