Wei Shao (University of California, Davis), Najmeh Nazari (University of California, Davis), Behnam Omidi (George Mason University), Setareh Rafatirad (University of California, Davis), Khaled N. Khasawneh (George Mason University), Houman Homayoun (University of California Davis), Chongzhou Fang (Rochester Institute of Technology)

Serverless computing has revolutionized cloud computing by offering users an efficient, cost-effective way to develop and deploy applications without managing infrastructure details. However, serverless cloud users remain vulnerable to various types of attacks, including micro-architectural side-channel attacks. These attacks typically rely on the physical co-location of victim and attacker instances, and attackers need to exploit cloud schedulers to achieve co-location with victims. Therefore, it is crucial to study vulnerabilities in serverless cloud schedulers and assess the security of different serverless scheduling algorithms. This study addresses the gap in understanding and constructing co-location attacks in serverless clouds. We present a comprehensive methodology to uncover exploitable features in serverless scheduling algorithms and to devise strategies for constructing co-location attacks via normal user interfaces. In our experiments, we successfully reveal exploitable vulnerabilities and achieve instance co-location on prevalent open-source infrastructures and Microsoft Azure Functions. We also present a mitigation strategy, the Double-Dip scheduler, to defend against co-location attacks in serverless clouds. Our work highlights critical areas for security enhancements in current cloud schedulers, offering insights to fortify serverless computing environments against potential co-location attacks.

View More Papers

The Case for LLM-Enhanced Backward Tracking

Jiahui Wang (Zhejiang University, Hangzhou, China), Xiangmin Shen (Hofstra University, Hempstead, NY, USA), Zhengkai Wang (Zhejiang University, Hangzhou, China), Zhenyuan Li (Zhejiang University, Hangzhou, China)

Read More

SACK: Systematic Generation of Function Substitution Attacks Against Control-Flow...

Zhechang Zhang (The Pennsylvania State University), Hengkai Ye (The Pennsylvania State University), Song Liu (University of Delaware), Hong Hu (The Pennsylvania State University)

Read More

CatBack: Universal Backdoor Attacks on Tabular Data via Categorical...

Behrad Tajalli (Radboud University), Stefanos Koffas (Delft University of Technology), Stjepan Picek (Radboud University)

Read More