Ohm’s Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and Shaolei Ren UC Riverside Acknowledgement: This work was supported in part by the U.S. NSF under grants CNS-1551661 and ECCS-1610471.
Cloud data centers 2
This talk is not about cloud data centers User/Tenant = Virtual machines 2
Multi-tenant data centers (a.k.a. “ colo ”) Computer Servers Non-IT infrastructure Generator P Utility D (Primary) U UPS ATS P D U Managed by Operator 3
Multi-tenant data centers (a.k.a. “ colo ”) Computer Servers Non-IT infrastructure Generator P Utility D (Primary) U UPS ATS P D U Managed by Managed by Tenants Operator A shared data center facility that houses multiple tenants, each managing its own servers… 3
Multi- tenant data centers are everywhere… Apple houses 25% of its servers in multi- tenant data centers… 4
Multi- tenant data centers are everywhere… Google, Amazon, MS, Fb… :7.8% Multi-tenant: Enterprise: 37% 53% Percentage of electricity usage by data center type (source: NRDC 2015) 4
Data center security • Mission-critical infrastructure • Backbone of digital economy • 50% growth by 2020 • IoT and edge computing • …… Securing the cyberspace is well studied DDoS attack, network intrusion, privacy protection, etc. [Mirkovic Sigcomm’04][Zhang CCS’12][Moon CCS’15][Dong CCS’17]… 5
Data center security Are the physical infrastructures secure? 5
How to attack physical infrastructures? Multimillion-dollar investment PDU Servers Utility UPS ATS Generator 6
How to attack physical infrastructures? Multimillion-dollar investment PDU Servers Utility UPS ATS Generator Power Overload using Human intrusion server power Hacking control systems 6
How to attack physical infrastructures? Multimillion-dollar investment PDU Servers Utility Our focus UPS ATS Generator Power Overload using Human intrusion server power Hacking control systems 6
Threat model P D U UPS ATS P D U Generator 7
Threat model P D U UPS ATS P D U Generator 7
Threat model Power attack: P Well-timed power injection to overload the shared data D center capacity, subject to all applicable constraints set U UPS by the operator ATS P Malicious D Tenant U Generator Malicious load 7
Threat model Power attacks make outages more likely (~280x more likely for a Tier-IV data center ) 7
Cost analysis of power attacks Estimated impact of overloads (5% of the time, size: 1MW-10,00sqft) Million $/MW/year Million dollar impact! 20 15.6 8.7 10 3.5 0 Tier-II Tier-III Tier-IV Increased redundancy 8
How to precisely time power attacks? • Random attacks are unlikely to be successful, while constant full power is prohibited 9
How to precisely time power attacks? • Random attacks are unlikely to be successful, while constant full power is prohibited • Coarse timing (e.g., based on “peak” hours) is ineffective 9
How to precisely time power attacks? • Random attacks are unlikely to be successful, while constant full power is prohibited • Coarse timing (e.g., based on “peak” hours) is ineffective How to estimate the power load without power meters? 9
“Wireless” side channels Thermal: Higher power produces more heat • Requires heat recirculation model Slow responses • Only applicable to raised-floor designs • References M. A. Islam, S. Ren , and A. Wierman, “Exploiting a Thermal Side Channel for Power Attacks in Multi-Tenant Data Centers,” ACM Conference on • Computer and Communications Security ( CCS ), 2017. M. A. Islam, L. Yang, K. Ranganath, and S. Ren , “Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side • Channel,” ACM International Conference on Measurement and Modeling of Computer Systems ( SIGMETRICS ), 2018.
“Wireless” side channels Thermal: Higher power produces more heat • Requires heat recirculation model Slow responses • Only applicable to raised-floor designs • Acoustic: More heat requires more cold air • Inaccurate timing due to near-far effects Limited distance • Easy to degrade by injecting additional noise • References M. A. Islam, S. Ren , and A. Wierman, “Exploiting a Thermal Side Channel for Power Attacks in Multi-Tenant Data Centers,” ACM Conference on • Computer and Communications Security ( CCS ), 2017. M. A. Islam, L. Yang, K. Ranganath, and S. Ren , “Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side • Channel,” ACM International Conference on Measurement and Modeling of Computer Systems ( SIGMETRICS ), 2018.
A voltage side channel due to Ohm’s Law 11
Ohm’s Law 𝐉 𝐖 = 𝐉 ⋅ 𝑺 𝐖 𝟐 𝐖 𝟑 𝐒 12
Ohm’s Law 𝐉 𝐖 𝟐 − 𝐖 𝟑 = 𝐉 ⋅ 𝑺 𝐖 𝟐 𝐖 𝟑 𝐒 12
Ohm’s Law 𝐉 𝐖 𝟑 = 𝐖 𝟐 − 𝐉 ⋅ 𝑺 𝐖 𝟐 𝐖 𝟑 𝐒 The voltage at the other end depends on the current 12
Ohm’s Law in data centers Server PDU UPS 𝑺 𝑺 𝒃 Attacker 13
Ohm’s Law in data centers Line resistance Server PDU UPS 𝑺 𝑺 𝒃 Attacker 13
Ohm’s Law in data centers Server PDU 𝑱 𝟐 𝑱 𝟑 𝑱 = ∑𝑱 𝒐 UPS 𝑺 𝑺 𝒃 𝑱 𝒃 Attacker 13
Ohm’s Law in data centers Server PDU 𝑱 𝟐 𝑱 𝟑 𝑱 = ∑𝑱 𝒐 UPS 𝑺 𝑺 𝒃 𝑱 𝒃 Attacker Attacker’s voltage 𝑾 𝒃 = 𝑾 𝑸𝑬𝑽 − 𝑱 𝒃 𝑺 𝒃 13
Ohm’s Law in data centers Server PDU 𝑱 𝟐 𝑱 𝟑 𝑱 = ∑𝑱 𝒐 UPS 𝑺 𝑺 𝒃 𝑱 𝒃 Attacker Attacker’s voltage 𝑾 𝒃 = 𝑾 𝑸𝑬𝑽 − 𝑱 𝒃 𝑺 𝒃 = 𝑾 𝑽𝑸𝑻 − ∑𝑱 𝒐 𝑺 − 𝑱 𝒃 𝑺 𝒃 Power load is included in 𝑾 𝒃 Own impact 13
A voltage side channel Attacker’s voltage 𝑾 𝒃 = 𝑾 𝑽𝑸𝑻 − ∑𝑱 𝒐 𝑺 − 𝑱 𝒃 𝑺 𝒃 14
A voltage side channel 𝚬𝐖 based attack: Low voltage High current/load Attack opportunity? Attacker’s voltage 𝑾 𝒃 = 𝑾 𝑽𝑸𝑻 − ∑𝑱 𝒐 𝑺 − 𝑱 𝒃 𝑺 𝒃 14
A voltage side channel 𝚬𝐖 based attack: Low voltage High current/load Attack opportunity? Attacker’s voltage 𝑾 𝒃 = 𝑾 𝑽𝑸𝑻 − ∑𝑱 𝒐 𝑺 − 𝑱 𝒃 𝑺 𝒃 Large random variation from power grid 14
A voltage side channel 𝚬𝐖 based attack: Low voltage High current/load Attack opportunity? Attacker’s voltage 𝑾 𝒃 = 𝑾 𝑽𝑸𝑻 − ∑𝑱 𝒐 𝑺 − 𝑱 𝒃 𝑺 𝒃 Large random variation from power grid • Grid variation = ~3V • Voltage drop variation = ~10mV 14
A voltage side channel How to extract power load information from voltage signals? 14
A closer look at server’s power supply Power Factor Correction (PFC) 15
A closer look at server’s power supply Power Factor Correction (PFC) Without PFC Current draw is bursty 15
A closer look at server’s power supply Power Factor Correction (PFC) Without PFC With PFC Current draw is bursty Current follows a sinewave 15 with high-frequency ripples
The ripples come from the PFC control Inductor Diode MOSFET Input voltage sample PWM Output Control voltage sample Rectifier Power Factor Correction (PFC) 16
The ripples come from the PFC control Inductor Diode MOSFET Input voltage sample PWM Output Control voltage sample Rectifier Power Factor Correction (PFC) Reference Current 16
The ripples come from the PFC control Inductor Diode MOSFET Input voltage sample PWM Output Control voltage sample Rectifier Power Factor Correction (PFC) Reference Actual Current Current 16
The ripples come from the PFC control Inductor Diode MOSFET Input voltage sample PWM Output Control voltage sample Rectifier Power Factor Correction (PFC) Reference Actual Current Current 𝑼 𝒑𝒈𝒈 𝑼 𝒑𝒈𝒈 𝑼 𝒑𝒐 𝑼 𝒑𝒐 𝑼 𝑼 16
The ripples come from the PFC control Inductor Diode MOSFET Input voltage sample PWM Output Control voltage sample Rectifier Power Factor Correction (PFC) Reference Actual Current Current 𝑼 𝒑𝒈𝒈 𝑼 𝒑𝒈𝒈 𝑼 𝒑𝒐 𝑼 𝒑𝒐 𝑼 𝑼 16
Voltage measurement of a Dell server 17
Voltage measurement of a Dell server High-frequency ripples caused by PFC 17
Voltage measurement of a Dell server High-frequency ripples caused by PFC Frequency analysis of the voltage signal 17
Voltage measurement of a Dell server High-frequency ripples caused by PFC Frequency spike Frequency (at PFC switching analysis of the frequency) voltage signal 17
Can we estimate the power load based on frequency spikes? 18
Can we estimate the power load based on frequency spikes? Our intuition says “yes” ! Given a higher current, the ripples need to rise up more during each cycle. 18
Recommend
More recommend