IOTLB-SC: An Accelerator-Independent Leakage Source in Modern Cloud Systems
Thore Tiemann (1), Zane Weissman (2), Thomas Eisenbarth (1), Berk Sunar (2) ((1) University of Lübeck, (2) Worcester Polytechnic Institute)

TL;DR
This paper uncovers a new security vulnerability in cloud systems where I/O memory management units can leak information via the IOTLB, enabling covert channels and data extraction from shared hardware peripherals.
Contribution
It identifies and analyzes the IOTLB as a novel attack surface in modern cloud hardware, providing both qualitative and quantitative insights and proposing countermeasures.
Findings
The IOTLB can be exploited for covert communication between peripherals.
Leakage from the IOTLB can be used to extract information from neighboring compute jobs.
Countermeasures can reduce the side-channel leakage, but at an implicit cost.
Abstract
Hardware peripherals such as GPUs and FPGAs are commonly available in server-grade computing to accelerate specific compute tasks, from database queries to machine learning. CSPs have integrated these accelerators into their infrastructure and let tenants combine and configure these components flexibly, based on their needs. Securing I/O interfaces is critical to ensure proper isolation between tenants in these highly complex, heterogeneous, yet shared server systems, especially in the cloud, where some peripherals may be under the control of a malicious tenant. In this work, we investigate the interfaces that connect peripheral hardware components to each other and the rest of the system. We show that the I/O memory management units (IOMMUs) - intended to ensure proper isolation of peripherals - are the source of a new attack surface: the I/O translation look-aside buffer (IOTLB). We show…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Advanced Malware Detection Techniques
