Quantifying the Information Leakage in Timing Side Channels in Deterministic Work-Conserving Schedulers
Xun Gong, Negar Kiyavash

TL;DR
This paper analyzes how different deterministic work-conserving schedulers leak timing information about user job arrivals to attackers, revealing that some schedulers are privacy-compromising while others can reduce leakage.
Contribution
It provides a theoretical analysis of information leakage in various schedulers, identifying privacy-optimal schedulers and deriving universal bounds on leakage.
Findings
LQF scheduler leaks all user information to attackers.
FCFS and round robin leak nearly all information at low traffic rates.
WC-TDMA scheduler reduces leakage by half and is privacy-optimal among det-WC schedulers.
Abstract
When multiple job processes are served by a single scheduler, the queueing delays of one process are often affected by the others, resulting in a timing side channel that leaks the arrival pattern of one process to the others. In this work, we study such a timing side channel between a regular user and a malicious attacker. Utilizing Shannon's mutual information as a measure of information leakage between the user and attacker, we analyze privacy-preserving behaviors of common work-conserving schedulers. We find that the attacker can always learn perfectly the user's arrival process in a longest-queue-first (LQF) scheduler. When the user's job arrival rate is very low (near zero), first-come-first-serve (FCFS) and round robin schedulers both completely reveal the user's arrival pattern. The near-complete information leakage in the low-rate traffic region is proven to be reduced by half…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Security and Verification in Computing · Network Security and Intrusion Detection
