Inter-VM data exfiltration: The art of cache timing covert channel on x86 multi-core presented at Defcon 2015

by Etienne Martineau,

Summary: On x86 multi-core, covert channels between co-located Virtual Machines (VMs) are real and practical, because the architecture has many imperfections in the way shared resources are isolated.
This talk will demonstrate how a non-privileged application in one VM can exfiltrate data, or even establish a reverse shell into a co-located VM, using a cache timing covert channel that is completely hidden from the standard access control mechanisms while still offering surprisingly high bps at a low error rate.
In this talk you'll learn about the various concepts, techniques and challenges involved in the design of a cache timing covert channel on x86 multi-core, such as:
An overview of some of the x86 shared resources and how they can be used / abused to carry information across VMs.
The fundamental concept behind cache line encoding / decoding.
Getting around the hardware prefetching logic (without disabling it from the BIOS!).
Data persistency and noise. What can be done?
Guest-to-host page table de-obfuscation. The easy way.
Phase-Locked Loop and high-precision inter-VM synchronization. All about timers.
At the end of this talk we will go over a working VM-to-VM reverse shell example as well as some surprising bandwidth measurement results. We will also cover the detection aspect and the potential countermeasures to defeat such a communication channel. The source code is going to be released at that time on GitHub.