Side channels arise due to sharing of resources among mutually untrusting principals. In public clouds, different tenants share CPUs, caches, memory, storage, and network resources of the cloud provider. A tenant's (called the victim) usage of a server's resources may be correlated with its secrets; an adversarial tenant on the same server can observe the victim's usage of shared resources and thereby infer the victim's secrets. How can tenants ensure privacy of their sensitive data and code hosted in the cloud in face of such side-channel attacks? Moreover, how can we design efficient side-channel mitigations in the face of changing landscape of cloud architecture, where applications and hardware are becoming more disaggregated, leading to increased resource sharing among untrusted tenants?

Our prior work has investigated fundamental principles in building secure mitigations for memory (USENIX Security '17) and network side-channel attacks in cloud (USENIX Security '22). The key principle is to shape an application's resource usage pattern to make it independent of the application's secrets. Using this principle we developed mitigations for applications ranging from proprietary machine learning algorithms to web and video streaming services, which protect the application secrets while incurring moderate overheads on the application performance and resource requirements. In the future, we will build more efficient, general-purpose, and practical tools for mitigating side-channel attacks in serverless cloud applications running on disaggregated datacenter hardware.