I Know What You Sync: Covert and Side Channel Attacks on File Systems via syncfs

TL;DR

This paper reveals new file system side channels that break logical isolation, demonstrating covert and side channel attacks on Linux and Windows, with high accuracy and bandwidth, exploiting timing leaks during syncfs operations.

Contribution

It uncovers timing-based side channels in file systems that enable covert and side channel attacks across containers and applications, a novel security threat.

Findings

Achieved covert channel bandwidth of up to 7.6 Kbps with low error rates.

Developed website, video, and application fingerprinting attacks with over 90% accuracy.

Demonstrated cross-container covert channels and detection techniques.

Abstract

Operating Systems enforce logical isolation using abstractions such as processes, containers, and isolation technologies to protect a system from malicious or buggy code. In this paper, we show new types of side channels through the file system that break this logical isolation. The file system plays a critical role in the operating system, managing all I/O activities between the application layer and the physical storage device. We observe that the file system implementation is shared, leading to timing leakage when using common I/O system calls. Specifically, we found that modern operating systems take advantage of any flush operation (which saves cached blocks in memory to the SSD or disk) to flush all of the I/O buffers, even those used by other isolation domains. Thus, by measuring the delay of syncfs, the attacker can infer the I/O behavior of victim programs. We then demonstrate a syncfs covert channel attack on multiple file systems, including both Linux native file systems and the Windows file system, achieving a maximum bandwidth of 5 Kbps with an error rate of 0.15% on Linux and 7.6 Kbps with an error rate of 1.9% on Windows. In addition, we construct three side-channel attacks targeting both Linux and Android devices. On Linux devices, we implement a website fingerprinting attack and a video fingerprinting attack by tracking the write patterns of temporary buffering files. On Android devices, we design an application fingerprinting attack that leaks application write patterns during boot-up. The attacks achieve over 90% F1 score, precision, and recall. Finally, we demonstrate that these attacks can be exploited across containers implementing a container detection technique and a cross-container covert channel attack.