A Novel Scheduling Framework Leveraging Hardware Cache Partitioning for Cache-Side-Channel Elimination in Clouds
Read Sprabery (1), Konstantin Evchenko (1), Abhilash Raj (2), Rakesh B. Bobba (2), Sibin Mohan (1), Roy H. Campbell (1) ((1) University of Illinois Urbana-Champaign, (2) Oregon State University)

TL;DR
This paper introduces a hardware-software framework that enhances cloud process isolation against cache side-channel attacks by utilizing Intel's cache partitioning technology combined with novel scheduling and cleansing techniques, without needing application modifications.
Contribution
The paper presents a new scheduling framework that leverages Intel's cache partitioning and state cleansing to eliminate cache side channels in cloud environments, maintaining SMT and application transparency.
Findings
Effective cache isolation in cloud environments.
Preserves SMT and application transparency.
A preliminary evaluation on a CPU-bound workload is reported.
Abstract
While there exist many isolation mechanisms that are available to cloud service providers, including virtual machines, containers, etc., the problem of side channels grows in importance as a remaining security vulnerability, particularly in the presence of shared caches and multicore processors. In this paper we present a hardware-software mechanism that improves the isolation of cloud processes in the presence of shared caches on multicore chips. Combining the Intel CAT architecture, which enables cache partitioning on the fly, with novel scheduling techniques and state cleansing mechanisms, we enable cache-side-channel-free computing for Linux-based containers and virtual machines, in particular those managed by KVM. We do a preliminary evaluation of our system using a CPU-bound workload. Our system allows Simultaneous Multithreading (SMT) to remain enabled and does not require…
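The abstract rests on Intel CAT dividing the shared last-level cache so that co-resident tenants no longer touch the same cache lines. The following is an added illustration written for this page, not code from the paper or its authors, of the bitmask rules any such partitioning plan must satisfy: each class of service (CLOS) owns a capacity bitmask (CBM) whose set bits must be contiguous, and two domains are only isolated from each other when their CBMs share no bit. The 20-way L3, the domain names and way counts are constructed sample input; the function names are this example's own. The IA32_L3_MASK_n (0xC90 + n) and IA32_PQR_ASSOC (0xC8F, CLOS in bits 63:32) MSR layout and the resctrl `L3:<id>=<hex>` schemata format are Intel's and Linux's documented interfaces.

```python
"""Plan non-overlapping Intel CAT L3 partitions and emit the values that program them.

Added example for this page (not the paper's code). It models the CAT rules:
a CLOS's capacity bitmask (CBM) must be a contiguous run of set bits, and two
security domains stop sharing L3 lines only when their CBMs are disjoint.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CatConfig:
    cbm_len: int       # number of L3 ways, i.e. bits in a full CBM (constructed: 20)
    min_cbm_bits: int  # smallest legal CBM; resctrl exposes it as info/L3/min_cbm_bits


# Constructed sample platform: a 20-way L3 that accepts 1-way partitions.
CFG = CatConfig(cbm_len=20, min_cbm_bits=1)


def is_contiguous(mask: int) -> bool:
    """True if the set bits of `mask` form one unbroken run (CAT requirement)."""
    if mask <= 0:
        return False
    lowest_bit = (mask & -mask).bit_length() - 1
    shifted = mask >> lowest_bit          # drop trailing zeros
    return (shifted & (shifted + 1)) == 0  # now must be of the form 0b0...01...1


def validate_cbm(cfg: CatConfig, mask: int) -> None:
    """Reject a CBM the hardware or resctrl would refuse to program."""
    if mask <= 0 or mask >= (1 << cfg.cbm_len):
        raise ValueError(f"CBM {mask:#x} outside the {cfg.cbm_len}-way L3")
    if not is_contiguous(mask):
        raise ValueError(f"CBM {mask:#x} is not a contiguous run of ways")
    if bin(mask).count("1") < cfg.min_cbm_bits:
        raise ValueError(f"CBM {mask:#x} has fewer than {cfg.min_cbm_bits} ways")


def plan_partitions(cfg: CatConfig, domains: dict) -> dict:
    """Map each security domain to a CBM, handing out disjoint way ranges from way 0 up.

    `domains` is name -> number of L3 ways requested. Returns name -> CBM.
    """
    if sum(domains.values()) > cfg.cbm_len:
        raise ValueError("requested ways exceed the L3 way count")
    masks, low = {}, 0
    for name, ways in domains.items():
        mask = ((1 << ways) - 1) << low
        validate_cbm(cfg, mask)
        masks[name] = mask
        low += ways
    return masks


def shared_ways(masks: dict) -> list:
    """Pairs of domains whose CBMs overlap: they still share L3 lines, so a
    cache side channel between them still exists."""
    names = list(masks)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if masks[a] & masks[b]]


def resctrl_schemata(masks: dict, cache_id: int = 0) -> dict:
    """One resctrl 'schemata' line per domain for a single L3 cache id."""
    return {name: f"L3:{cache_id}={mask:x}" for name, mask in masks.items()}


def msr_programming(masks: dict) -> dict:
    """Per domain: the CLOS index n it gets, the IA32_L3_MASK_n address (0xC90 + n)
    and value, and the IA32_PQR_ASSOC value (CLOS in bits 63:32, RMID 0) a core
    scheduled into that domain would be given."""
    out = {}
    for clos, (name, mask) in enumerate(masks.items()):
        out[name] = {"clos": clos,
                     "mask_msr": 0xC90 + clos, "mask_value": mask,
                     "pqr_assoc": clos << 32}
    return out


if __name__ == "__main__":
    # Constructed tenants: two guests and the host, filling the 20 ways exactly.
    plan = plan_partitions(CFG, {"tenant_a": 6, "tenant_b": 6, "host": 8})
    for name, line in resctrl_schemata(plan).items():
        print(f"{name:9s} {line}")
    print("overlapping pairs:", shared_ways(plan))
    # The default resctrl group gives everyone the full mask; that is no isolation at all.
    print("default-group overlap:", shared_ways({"a": 0xFFFFF, "b": 0xFFFFF}))
```

`shared_ways` is the check worth keeping around: an empty result is the precondition for the abstract's "cache-side-channel-free" claim, and the default resctrl group (every CLOS holding the full mask) fails it for every pair.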
Taxonomy
Topics: Security and Verification in Computing · Parallel Computing and Optimization Techniques · Cloud Computing and Resource Management
