HyperDetector: Detecting, Isolating, and Mitigating Timing Attacks in Virtualized Environments

We present a generic approach, called HyperDetector, to detect, isolate, and prevent ongoing timing based side-channel attacks that operate by measuring the execution times of short-running operations in virtualized environments. HyperDetector, being implemented at the level of hypervisor, uses a hardware extension for virtualization to intercept the rdtsc instructions, such that the consecutive pairs of time readings that are close to each other in time can be detected. Once potentially malicious time measurements are detected, noise is introduced into the measurements to prevent the ongoing attacks and the sequence of such measurements is analyzed at runtime by using a sliding window-based approach to determine the processes involved in the attacks. In the experiments, HyperDetector detected all the malicious processes with a perfect accuracy after these processes made few time measurements, reduced the success rates of the attacks from between 98%-99% to between 0%-0.5%, and did so with a runtime overhead of 1.14%.