Side-Channel Attacks on Open vSwitch
Daewoo Kim, Sihang Liu

TL;DR
This paper analyzes the flow-caching system of Open vSwitch (OVS) from a security perspective, presents three remote attacks that break isolation and confidentiality between tenants in virtualized environments, and discusses potential mitigation strategies.
Contribution
It characterizes the cache hierarchy inside Open vSwitch, identifies three attack primitives in it, and builds three remote attacks on those primitives that break isolation between virtual machines and leak sensitive information.
Findings
Identified remote covert channels that exploit the OVS cache hierarchy.
Developed a header recovery attack that leaks a remote user's packet header fields.
Demonstrated a remote packet rate monitoring attack.
Abstract
Virtualization is widely adopted in cloud systems to manage resource sharing among users. A virtualized environment usually deploys a virtual switch within the host system to enable virtual machines to communicate with each other and with the physical network. The Open vSwitch (OVS) is one of the most popular software-based virtual switches. It maintains a cache hierarchy to accelerate packet forwarding from the host to virtual machines. We characterize the caching system inside OVS from a security perspective and identify three attack primitives. Based on the attack primitives, we present three remote attacks via OVS, breaking the isolation in virtualized environments. First, we identify remote covert channels using different caches. Second, we present a novel header recovery attack that leaks a remote user's packet header fields, breaking the confidentiality guarantees from the…
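The abstract describes the mechanism only at a high level: a shared flow cache in the host's virtual switch turns cache hits and misses into a signal one tenant can observe about another. The following is an added toy model, not code from the paper or from Open vSwitch, that shows the principle behind two of the three attack families named above (a cache-contention covert channel, and recovering header information from the set a victim flow lands in). Everything in it is assumed for illustration: the cache is a generic set-associative LRU table with a slow fallback path, the set index is a blake2b hash of a constructed "5-tuple" string, the latency constants are arbitrary, and the OVS-specific caches and the paper's actual primitives are not modelled.

```python
"""Toy model of cache-contention side channels through a shared flow cache.

Constructed illustration only: NOT Open vSwitch code and not the paper's
primitives. A generic set-associative LRU flow table with a slow fallback path
is enough to show how shared caching leaks information across tenants.
"""
import hashlib
from dataclasses import dataclass, field

HIT_COST = 1    # assumed latency of a cache hit (arbitrary units)
MISS_COST = 10  # assumed latency of a miss that falls through to a slower lookup


@dataclass
class FlowCache:
    """Set-associative flow cache: `sets` buckets of `ways` entries, LRU eviction."""
    sets: int = 64
    ways: int = 2
    table: dict = field(default_factory=dict)

    def index(self, key: bytes) -> int:
        # Hash the flow key into a set index (assumed hash; any would do for the model).
        return int.from_bytes(hashlib.blake2b(key, digest_size=2).digest(), "big") % self.sets

    def lookup(self, key: bytes) -> int:
        """Forward one packet with this flow key; install it on a miss; return latency."""
        bucket = self.table.setdefault(self.index(key), [])
        if key in bucket:
            bucket.remove(key)
            bucket.append(key)          # refresh LRU position
            return HIT_COST
        if len(bucket) >= self.ways:
            bucket.pop(0)               # evict the least recently used entry
        bucket.append(key)
        return MISS_COST


def flow_key(src_port: int, dst_port: int) -> bytes:
    """Constructed stand-in for a 5-tuple: fixed addresses/protocol, variable ports."""
    return f"tcp 10.0.0.2:{src_port} -> 10.0.0.3:{dst_port}".encode()


def colliding_keys(cache: FlowCache, target_set: int, count: int, dst_port: int) -> list:
    """Attacker-chosen flow keys that hash into `target_set` (brute force over source ports)."""
    keys = []
    for sport in range(1024, 65536):
        key = flow_key(sport, dst_port)
        if cache.index(key) == target_set:
            keys.append(key)
            if len(keys) == count:
                return keys
    raise RuntimeError("not enough colliding keys")


def covert_channel(cache: FlowCache, bits: list, probe: bytes) -> list:
    """Sender and receiver share `cache`; returns the bits the receiver decodes.

    Per bit: the receiver installs its probe flow; the sender transmits 1 by
    sending `ways` flows colliding with the probe's set (evicting it) and 0 by
    staying silent; the receiver re-sends the probe and reads hit (0) or miss (1).
    """
    evictors = colliding_keys(cache, cache.index(probe), cache.ways, dst_port=443)
    decoded = []
    for bit in bits:
        cache.lookup(probe)                     # receiver: prime
        if bit:
            for key in evictors:                # sender: evict the probe flow
                cache.lookup(key)
        decoded.append(1 if cache.lookup(probe) == MISS_COST else 0)  # receiver: probe
    return decoded


def locate_victim_set(cache: FlowCache, victim_key: bytes) -> list:
    """Prime+probe: fill every set with attacker flows, let one victim packet through,
    re-probe; the set whose attacker flow now misses is the one the victim key maps to."""
    primes = {s: colliding_keys(cache, s, cache.ways, dst_port=53) for s in range(cache.sets)}
    for keys in primes.values():
        for key in keys:
            cache.lookup(key)                   # prime
    cache.lookup(victim_key)                    # victim traffic evicts one attacker flow
    return [s for s, keys in primes.items()
            if any(cache.lookup(key) == MISS_COST for key in keys)]   # probe


def candidate_src_ports(cache: FlowCache, target_set: int, dst_port: int) -> list:
    """Header values consistent with a leaked set index: an unknown 16-bit source
    port shrinks to roughly 65536/sets candidates, i.e. log2(sets) bits leak."""
    return [p for p in range(65536) if cache.index(flow_key(p, dst_port)) == target_set]


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    print("decoded:", covert_channel(FlowCache(), message, flow_key(40000, 8080)))
    victim = flow_key(31337, 22)
    sets = locate_victim_set(FlowCache(), victim)
    print("victim flow hashed to set(s):", sets)
    print("source-port candidates left:", len(candidate_src_ports(FlowCache(), sets[0], 22)))
```

The model makes the two design points a defender should take from the abstract concrete: the channel needs no shared memory or cooperating software on the victim side, only that both tenants' packets traverse the same cache, and the information leaked per observation is bounded by the cache geometry (here log2(sets) bits of the header per victim flow). Mitigations along the lines the paper discusses would therefore aim at partitioning the cache per tenant, randomizing or keying the set-index function, or flattening the hit/miss latency difference.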
Taxonomy
Topics: Security and Verification in Computing · Software-Defined Networks and 5G · Cloud Data Security Solutions
