Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks

TL;DR

This paper reveals how cloud schedulers can be exploited by attackers to co-locate malicious and victim applications, enabling micro-architectural attacks, and proposes mitigation strategies to enhance scheduler security.

Contribution

It introduces Repttack, a novel attack exploiting scheduler requirements to induce co-location, and evaluates its effectiveness along with potential defenses.

Findings

Single attack instance achieves 50% co-location rate.

With 5 instances, co-location rate reaches 80%.

Proposed mitigation can reduce co-location risk.

Abstract

Cloud computing paradigms have emerged as a major facility to store and process the massive data produced by various business units, public organizations, Internet-of-Things, and cyber-physical systems. To meet users' performance requirements while maximizing resource utilization to achieve cost-efficiency, cloud administrators leverage schedulers to orchestrate tasks to different physical nodes and allow applications from different users to share the same physical node. On the other hand, micro-architectural attacks can exploit the shared resources to compromise the confidentiality/integrity of a co-located victim application. Since co-location is an essential requirement for micro-architectural attacks, in this work, we investigate whether attackers can exploit the cloud schedulers to satisfy the co-location requirement. Our analysis shows that for cloud schedulers that allow users to submit application requirements, an attacker can carefully select the attacker's application requirements to influence the scheduler to co-locate it with a targeted victim application. We call such attack Replication Attack (Repttack). Our experimental results, in both a simulated cluster environment and a real cluster, show similar trends; a single attack instance can reach up to 50% co-location rate and with only 5 instances the co-location rate can reach up to 80%. Furthermore, we propose and evaluate a mitigation strategy that can help defend against Repttack. We believe that our results highlight the fact that schedulers in multi-user clusters need to be more carefully designed with security in mind, and the process of making scheduling decisions should involve as little user-defined information as possible.