Security Evaluation of Thermal Covert-channels on SmartSSDs
Theodoros Trochatos, Anthony Etim, Jakub Szefer

TL;DR
This paper demonstrates that thermal side-channels in SmartSSDs can be exploited for covert communication between cloud tenants, revealing potential security risks in multi-tenant cloud environments with FPGA-augmented SSDs.
Contribution
It introduces the first thermal covert-channel attack on SmartSSDs, showing how temperature changes can be measured and used for communication between tenants.
Findings
Thermal changes caused by SSD activity can be detected via FPGA circuits.
Thermal state persists for minutes, enabling temporal side-channel analysis.
A novel thermal covert-channel is demonstrated in multi-tenant scenarios.
Abstract
Continued expansion of cloud computing offerings now includes SmartSSDs. A SmartSSD is a solid-state disk (SSD) augmented with an FPGA. Through public cloud providers, it is now possible to rent on-demand virtual machines enabled with SmartSSDs. Because of the FPGA component of the SmartSSD, cloud users who access the SmartSSD can instantiate custom circuits within the FPGA. This includes possibly malicious circuits for measurement of power and temperature. Normally, cloud users have no remote access to power and temperature data, but with SmartSSDs they could abuse the FPGA component to learn this information. This paper shows for the first time that heat generated by a cloud user accessing the SSD component of the SmartSSD, and the resulting temperature increase, can be measured by a different cloud user accessing the FPGA component of the same SmartSSD by using the ring oscillators…
Taxonomy
Topics: Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Data Storage Technologies · Security and Verification in Computing
