Detecting co-residency with active traffic analysis techniques

Adam Bates, Benjamin Mood, Joe Pletcher, Hannah Pruse, Masoud Valafar, Kevin Butler

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Virtualization is the cornerstone of the developing third party compute industry, allowing cloud providers to instantiate multiple virtual machines VMson a single set of physical resources. Customers utilize cloud resources alongside unknown and untrusted parties, creating the co-resident threat-unless perfect isolation is provided by the virtual hypervisor, there exists the possibility for unauthorized access to sensitive customer information through the exploitation of covert side channels. This paper presents co-resident watermarking, a traffic analysis attack that allows a malicious co-resident VM to inject a watermark signature into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. As a result, our approach is difficult to defend without costly underutilization of the physical machine. We evaluate co-resident watermarking under a large variety of conditions, system loads and hardware configurations, from a local lab environment to production cloud environments Futuregrid and the University of Oregon's ACISS). We demonstrate the ability to initiate a covert channel of 4 bits per second, and we can confirm coresidency with a target VM instance in less than 10 seconds. We also show that passive load measurement of the target and subsequent behavior profiling is possible with this attack. Our investigation demonstrates the need for the careful design of hardware to be used in the cloud.

Original languageEnglish (US)
Title of host publicationCCSW'12 - Proceedings of the Cloud Computing Security Workshop
Number of pages12
StatePublished - 2012
Externally publishedYes
Event2012 ACM Workshop on Cloud Computing Security Workshop, CCSW 2012 - Raleigh, NC, United States
Duration: Oct 19 2012Oct 19 2012

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221


Other2012 ACM Workshop on Cloud Computing Security Workshop, CCSW 2012
Country/TerritoryUnited States
CityRaleigh, NC


  • Cloud Security
  • Covert Channel
  • Traffic Analysis

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'Detecting co-residency with active traffic analysis techniques'. Together they form a unique fingerprint.

Cite this