Sync+Sync: A Covert Channel Built on fsync with Storage

TL;DR

This paper introduces Sync+Sync, a covert channel exploiting fsync contention in storage systems, enabling high-bandwidth, cross-environment covert communication and side-channel attacks for data and activity inference.

Contribution

The paper presents a novel covert channel based on fsync contention, demonstrating its high bandwidth and applicability across various environments, and shows its use in precise side-channel attacks.

Findings

Achieves 20,000 bits/sec bandwidth with 0.40% error rate.

Works across disks, filesystems, containers, VMs, and disks.

Enables detection of database operations and application activities.

Abstract

Scientists have built a variety of covert channels for secretive information transmission with CPU cache and main memory. In this paper, we turn to a lower level in the memory hierarchy, i.e., persistent storage. Most programs store intermediate or eventual results in the form of files and some of them call fsync to synchronously persist a file with storage device for orderly persistence. Our quantitative study shows that one program would undergo significantly longer response time for fsync call if the other program is concurrently calling fsync, although they do not share any data. We further find that, concurrent fsync calls contend at multiple levels of storage stack due to sharing software structures (e.g., Ext4's journal) and hardware resources (e.g., disk's I/O dispatch queue). We accordingly build a covert channel named Sync+Sync. Sync+Sync delivers a transmission bandwidth of 20,000 bits per second at an error rate of about 0.40% with an ordinary solid-state drive. Sync+Sync can be conducted in cross-disk partition, cross-file system, cross-container, cross-virtual machine, and even cross-disk drive fashions, without sharing data between programs. Next, we launch side-channel attacks with Sync+Sync and manage to precisely detect operations of a victim database (e.g., insert/update and B-Tree node split). We also leverage Sync+Sync to distinguish applications and websites with high accuracy by detecting and analyzing their fsync frequencies and flushed data volumes. These attacks are useful to support further fine-grained information leakage.