Protecting Shared Virtualized Environments against Cache Side-channel Attacks

We introduce a side-channel attack detection and protection method that combines dynamic and static analysis. The dynamic analysis uses Linux Perf to obtain readings from 13 hardware performance counters related to the shared cache. Based on these readings, the virtual machine (VM) behaviour is then classified into suspicious or benign using logistic regression classification. As a second step, the static analysis extracts the executable files from the disk image or the RAM image of the suspicious VM. It then checks whether these files contain operating codes for side-channel attacks. Based on this, the threat level of these files is determined using the SoftMax classification algorithm; we have four threat levels in total. After that, VMs that pose a threat to the shared environment are excluded. As a hypervisor, we employed KVM (Kernel-based Virtual Machine), and as guest operating systems, we utilized Linux Ubuntu 18.04.5 LTS (64bits). We then conducted experiments on several host machines, namely Ubuntu 18.04.5 LTS, Debian 10, and CentOS 8, with various processor models. The accuracy of detecting suspicious behaviour and classifying the threat level was recorded as 96%99% with between 0.6%-25% CPU overheads for dynamic and static analysis.