Eliminating fine grained timers in Xen

Abstract

The move to "infrastructure-as-a-service" cloud computing brings with it a new risk: cross-virtual machine side channels through shared physical resources such as the L2 cache. One approach to this risk is to rewrite sensitive code to eliminate the signal. In this paper we consider another approach: weakening malicious virtual machines' ability to receive the signal by eliminating fine-grained timers. Such "fuzzy time" was implemented in 1991 in the VAX security kernel, but it was not clearly applicabile to modern virtual machine managers such as Xen on platforms such as the x86, which exports a cycle counter through the RDTSC instruction. In this paper, we demonstrate that it is possible to modify the RDTSC instruction on Xen-virtualized x86 machines, making the timer provided by this instruction substantially more coarse. We perform a thorough evaluation of the impact of modifying this timer on the usability of the system, and we evaluate the limiting point of the timer coarseness. Our findings open the way to a specific research program for mitigating cloud computing side channels through fuzzy time: (1) What other sources of fine-grained time are available to a malicious VM, and is it possible to degrade them? (2) What distribution of noise should be introduced to RDTSC and other timing signals to maximize the effect on malicious VMs while minimizing the effect on legitimate ones? (3) What timing resolution is actually needed to make use of L2 cache side channels?