A Side-channel Attack on HotSpot Heap Management

Xiaofeng Wu xiaofeng.wu at mavs.uta.edu
Mon Apr 23 15:42:50 UTC 2018

We published a paper, "A Side-channel Attack on HotSpot Heap Management", which is
to appear in The 10th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud), 2018.
The paper and further details can be found at this link: http://ranger.uta.edu/~jrao/papers/HotCloud18.pdf

In a nutshell, the problem is due to the use of a wall-clock timer in the Parallel Scavenge GC.
When the JVM shares a wall-clock timer with other applications in a multi-tenant environment, the time
measurement opens up a side channel for us to trick the PS GC algorithm.
We can dilate the time of a minor GC or major GC to make the GC dysfunctional:
1. consume more heap, or 2. invoke more GCs.

Currently, we only use eBPF to trace JVM debug symbols and launch the attack on symbols like
_ZN18AdaptiveSizePolicy22minor_collection_beginEv. However, profiler tools usually need
root privileges. Still, we believe that it is an important issue and hope to see that the community
can provide a safety net to avoid this kind of attack.

Best regards,
Xiaofeng Wu
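A defender-side illustration added here, not code from the paper or from OpenJDK: a small Java monitor (the class name GcPauseMonitor and the two thresholds are assumptions for this example) that subscribes to HotSpot GC notifications and flags pauses whose wall-clock duration is far above the collector's running median, which is the symptom the time dilation described above would produce in the victim JVM.

```java
import com.sun.management.GarbageCollectionNotificationInfo;
import javax.management.NotificationEmitter;
import javax.management.openmbean.CompositeData;
import java.lang.management.GarbageCollectorMXBean;
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Flags GC pauses whose wall-clock duration is far above the collector's running median. */
public class GcPauseMonitor {
    // Thresholds chosen for this illustration only, not values taken from the paper.
    static final int BASELINE_SAMPLES = 20;    // pauses to observe before judging
    static final double DILATION_FACTOR = 4.0; // pause/median ratio treated as suspicious

    static long median(List<Long> values) {
        List<Long> sorted = new ArrayList<>(values);
        Collections.sort(sorted);
        return sorted.get(sorted.size() / 2);
    }

    public static void main(String[] args) throws Exception {
        for (GarbageCollectorMXBean gc : ManagementFactory.getGarbageCollectorMXBeans()) {
            List<Long> history = new ArrayList<>(); // one pause history per collector
            ((NotificationEmitter) gc).addNotificationListener((n, handback) -> {
                if (!GarbageCollectionNotificationInfo.GARBAGE_COLLECTION_NOTIFICATION.equals(n.getType())) return;
                GarbageCollectionNotificationInfo info =
                        GarbageCollectionNotificationInfo.from((CompositeData) n.getUserData());
                long durationMs = info.getGcInfo().getDuration(); // wall-clock pause length, ms
                synchronized (history) {
                    if (history.size() >= BASELINE_SAMPLES) {
                        long base = Math.max(1, median(history));
                        if (durationMs > DILATION_FACTOR * base) {
                            System.out.printf("SUSPECT: %s pause %d ms vs median %d ms%n",
                                    info.getGcName(), durationMs, base);
                        }
                    }
                    history.add(durationMs);
                }
            }, null, null);
        }
        // Constructed allocation loop so the monitor has collections to observe.
        List<byte[]> keep = new ArrayList<>();
        for (int i = 0; i < 200_000; i++) {
            keep.add(new byte[16 * 1024]);
            if (keep.size() > 512) keep.clear();
        }
    }
}
```

Run it with -XX:+UseParallelGC to watch the collector this post is about; a legitimate pause spike (for example a much larger live set) also trips the threshold, so correlate a flagged pause with info.getGcInfo().getMemoryUsageBeforeGc() before treating it as co-tenant interference.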
