Let's Prevent Spectre Attacks in the Docker Containers Too

Humdah Shakir Khan; Farooque Hassan Kumbhar; Jawwad Ahmed Shamsi

doi:10.1109/FIT57066.2022.00052

Let's Prevent Spectre Attacks in the Docker Containers Too

Humdah Shakir Khan^*
, Farooque Hassan Kumbhar
, Jawwad Ahmed Shamsi

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The Spectre attacks in modern processors have been inherently conveyed in the major Docker clients. The speculative execution mechanism in a processor can be maliciously used to access unauthorized content of other users, where the processor is the same for all the tenants. Instructions and code that completed execution and remained in the micro-architecture as cache could be accessed by the attacker through cache-side channel attacks. In this paper, we propose an automated solution to detect susceptible code snippets in the binary program and implement a patch to avoid further attacks. The proposed methodology extracts control flow, address analysis and taint analysis to detect the conditional branches that maliciously access memory speculatively. We have used the Kocher tests, which are a set of susceptible code patterns to generate malicious snippets. In a nutshell, the proposed system implements fences around suspicious conditional branches that stop speculative execution in the processor. Moreover, our evaluation also considers runtime overhead, analysis time, and effectiveness.

Original language	English
Title of host publication	Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	243-248
Number of pages	6
ISBN (Electronic)	9798350345933
DOIs	https://doi.org/10.1109/FIT57066.2022.00052
State	Published - 2022
Externally published	Yes
Event	2022 International Conference on Frontiers of Information Technology, FIT 2022 - Islamabad, Pakistan Duration: 12 Dec 2022 → 13 Dec 2022

Publication series

Name	Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022

Conference

Conference	2022 International Conference on Frontiers of Information Technology, FIT 2022
Country/Territory	Pakistan
City	Islamabad
Period	12/12/22 → 13/12/22

Bibliographical note

Publisher Copyright:
© 2022 IEEE.

Keywords

Containers
Docker
Spectre Attack
Virtual Machines

ASJC Scopus subject areas

Artificial Intelligence
Computer Networks and Communications
Computer Science Applications
Computer Vision and Pattern Recognition
Information Systems
Software
Information Systems and Management
Control and Optimization

Access to Document

10.1109/FIT57066.2022.00052

Cite this

Khan, H. S., Hassan Kumbhar, F., & Shamsi, J. A. (2022). Let's Prevent Spectre Attacks in the Docker Containers Too. In Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022 (pp. 243-248). (Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/FIT57066.2022.00052

Khan, Humdah Shakir ; Hassan Kumbhar, Farooque ; Shamsi, Jawwad Ahmed. / Let's Prevent Spectre Attacks in the Docker Containers Too. Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 243-248 (Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022).

@inproceedings{ede007dab48a41c4aedd8cb0c6781bf8,

title = "Let's Prevent Spectre Attacks in the Docker Containers Too",

abstract = "The Spectre attacks in modern processors have been inherently conveyed in the major Docker clients. The speculative execution mechanism in a processor can be maliciously used to access unauthorized content of other users, where the processor is the same for all the tenants. Instructions and code that completed execution and remained in the micro-architecture as cache could be accessed by the attacker through cache-side channel attacks. In this paper, we propose an automated solution to detect susceptible code snippets in the binary program and implement a patch to avoid further attacks. The proposed methodology extracts control flow, address analysis and taint analysis to detect the conditional branches that maliciously access memory speculatively. We have used the Kocher tests, which are a set of susceptible code patterns to generate malicious snippets. In a nutshell, the proposed system implements fences around suspicious conditional branches that stop speculative execution in the processor. Moreover, our evaluation also considers runtime overhead, analysis time, and effectiveness.",

keywords = "Containers, Docker, Spectre Attack, Virtual Machines",

author = "Khan, \{Humdah Shakir\} and \{Hassan Kumbhar\}, Farooque and Shamsi, \{Jawwad Ahmed\}",

note = "Publisher Copyright: {\textcopyright} 2022 IEEE.; 2022 International Conference on Frontiers of Information Technology, FIT 2022 ; Conference date: 12-12-2022 Through 13-12-2022",

year = "2022",

doi = "10.1109/FIT57066.2022.00052",

language = "English",

series = "Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "243--248",

booktitle = "Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022",

address = "United States",

}

Khan, HS, Hassan Kumbhar, F & Shamsi, JA 2022, Let's Prevent Spectre Attacks in the Docker Containers Too. in Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022. Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022, Institute of Electrical and Electronics Engineers Inc., pp. 243-248, 2022 International Conference on Frontiers of Information Technology, FIT 2022, Islamabad, Pakistan, 12/12/22. https://doi.org/10.1109/FIT57066.2022.00052

Let's Prevent Spectre Attacks in the Docker Containers Too. / Khan, Humdah Shakir; Hassan Kumbhar, Farooque; Shamsi, Jawwad Ahmed.
Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022. Institute of Electrical and Electronics Engineers Inc., 2022. p. 243-248 (Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Let's Prevent Spectre Attacks in the Docker Containers Too

AU - Khan, Humdah Shakir

AU - Hassan Kumbhar, Farooque

AU - Shamsi, Jawwad Ahmed

PY - 2022

Y1 - 2022

N2 - The Spectre attacks in modern processors have been inherently conveyed in the major Docker clients. The speculative execution mechanism in a processor can be maliciously used to access unauthorized content of other users, where the processor is the same for all the tenants. Instructions and code that completed execution and remained in the micro-architecture as cache could be accessed by the attacker through cache-side channel attacks. In this paper, we propose an automated solution to detect susceptible code snippets in the binary program and implement a patch to avoid further attacks. The proposed methodology extracts control flow, address analysis and taint analysis to detect the conditional branches that maliciously access memory speculatively. We have used the Kocher tests, which are a set of susceptible code patterns to generate malicious snippets. In a nutshell, the proposed system implements fences around suspicious conditional branches that stop speculative execution in the processor. Moreover, our evaluation also considers runtime overhead, analysis time, and effectiveness.

AB - The Spectre attacks in modern processors have been inherently conveyed in the major Docker clients. The speculative execution mechanism in a processor can be maliciously used to access unauthorized content of other users, where the processor is the same for all the tenants. Instructions and code that completed execution and remained in the micro-architecture as cache could be accessed by the attacker through cache-side channel attacks. In this paper, we propose an automated solution to detect susceptible code snippets in the binary program and implement a patch to avoid further attacks. The proposed methodology extracts control flow, address analysis and taint analysis to detect the conditional branches that maliciously access memory speculatively. We have used the Kocher tests, which are a set of susceptible code patterns to generate malicious snippets. In a nutshell, the proposed system implements fences around suspicious conditional branches that stop speculative execution in the processor. Moreover, our evaluation also considers runtime overhead, analysis time, and effectiveness.

KW - Containers

KW - Docker

KW - Spectre Attack

KW - Virtual Machines

UR - https://www.scopus.com/pages/publications/85149704450

U2 - 10.1109/FIT57066.2022.00052

DO - 10.1109/FIT57066.2022.00052

M3 - Conference contribution

AN - SCOPUS:85149704450

T3 - Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022

SP - 243

EP - 248

BT - Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2022 International Conference on Frontiers of Information Technology, FIT 2022

Y2 - 12 December 2022 through 13 December 2022

ER -

Khan HS, Hassan Kumbhar F, Shamsi JA. Let's Prevent Spectre Attacks in the Docker Containers Too. In Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 243-248. (Proceedings - 2022 International Conference on Frontiers of Information Technology, FIT 2022). doi: 10.1109/FIT57066.2022.00052

Let's Prevent Spectre Attacks in the Docker Containers Too

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this