A Side-channel Attack on HotSpot Heap Management
xiaofeng.wu at mavs.uta.edu
Mon Apr 23 15:42:50 UTC 2018
We have published a paper, “A Side-channel Attack on HotSpot Heap Management”, and it is
to appear in the 10th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud), 2018.
The paper and details can be found at this link: http://ranger.uta.edu/~jrao/papers/HotCloud18.pdf
In a nutshell, the problem is due to the use of a wall-clock timer in the Parallel Scavenge GC.
When the JVM shares a wall-clock timer with other applications in a multi-tenant environment, the time
measurement opens up a side channel for us to trick the PS GC algorithm.
We can dilate the time of a minor GC or major GC to make the GC dysfunctional:
1. consume more heap size, or 2. invoke more GCs.
Currently, we only use eBPF to trace JVM debug symbols and launch the attack, like
_ZN18AdaptiveSizePolicy22minor_collection_beginEv. However, profiler tools usually need
root privileges. Still, we believe that it is an important issue and hope to see that the community
can provide a safety net to avoid this kind of attack.
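
One defensive check for the wall-clock dependence described in the message above, as an added example that is not part of the original post or the paper: it scans a GC log for pauses whose wall-clock ("real") time is not backed by CPU time spent in the collector. It assumes the JDK 8 -XX:+PrintGCDetails line format of the Parallel collector; the thresholds and the sample log are constructed for illustration.

```python
import re

# Assumed log format: JDK 8 -XX:+PrintGCDetails with the Parallel collector,
# where each collection ends in "[Times: user=U sys=S, real=R secs]".
LINE = re.compile(
    r"\[(?P<kind>Full GC|GC) \(.*?"
    r"\[Times: user=(?P<user>\d+\.\d+) sys=(?P<sys>\d+\.\d+), "
    r"real=(?P<real>\d+\.\d+) secs\]"
)

MIN_REAL = 0.05       # assumed floor in seconds; the log has 10 ms resolution
MIN_CPU_SHARE = 0.5   # assumed: flag if user+sys is under half of real


def dilated_pauses(log_text):
    """Return (line_no, kind, real, cpu) for pauses whose wall-clock time
    is much larger than the CPU time the collector actually consumed."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = LINE.search(line)
        if not m:
            continue
        real = float(m["real"])
        cpu = float(m["user"]) + float(m["sys"])
        if real >= MIN_REAL and cpu < MIN_CPU_SHARE * real:
            findings.append((no, m["kind"], real, cpu))
    return findings


# Constructed sample log, not taken from the paper.
SAMPLE = """\
1.204: [GC (Allocation Failure) [PSYoungGen: 65536K->10720K(76288K)] 65536K->10728K(251392K), 0.0113 secs] [Times: user=0.03 sys=0.01, real=0.01 secs]
2.871: [GC (Allocation Failure) [PSYoungGen: 76256K->10736K(76288K)] 76264K->24310K(251392K), 0.4127 secs] [Times: user=0.04 sys=0.00, real=0.41 secs]
3.950: [Full GC (Ergonomics) [PSYoungGen: 10736K->0K(76288K)] [ParOldGen: 13574K->20112K(175104K)] 24310K->20112K(251392K), [Metaspace: 3302K->3302K(1056768K)], 0.0921 secs] [Times: user=0.21 sys=0.01, real=0.09 secs]
"""

if __name__ == "__main__":
    for no, kind, real, cpu in dilated_pauses(SAMPLE):
        print(f"line {no}: {kind} real={real:.2f}s cpu={cpu:.2f}s")
```

A flagged pause only says the collector was off-CPU for most of the measured interval; ordinary CPU contention or swapping produces the same signature, so treat hits as a prompt to look at what else was running on the host.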