When customers buy service on a computing cloud, their software runs inside a virtual machine hosted on a physical machine managed by the service provider. The service provider may choose to host virtual machines from different customers on the same physical machine. In this case, it is important for the provider to fairly allocate physical resources among the virtual machines.
This paper describes a method by which a malicious process can trick many OS schedulers into giving it an unfair share of the CPU time.
In this project, you will investigate the question: can a cloud tenant use similar techniques to trick the virtual machine monitor into giving it an unfair share of the CPU? The project can take several different directions:
To earn an A on this project, you must convince me that the attack is possible (by performing the attack) or impossible (by walking through source code of the VMM and explaining why the attack is not possible) on all the virtual machine monitors available on your own computer.
Performing the attack on a real cloud service (or providing proof that the attack is not possible on a real cloud service) will earn a bonus. Note that simply failing to perform the attack does not count as proof that the attack is not possible.
Several papers have shown that it is possible to recover partial information about the keys a user is typing from two main side-channels:
Furthermore, keystroke recovery attacks can be improved by using a language model to guide reconstruction.Surprisingly, no paper (that I know of) has used both of the above side channels to improve keystroke recovery rates.
Furthermore, no paper (that I know of) has investigated the feasibility of recovering keystrokes that are recorded over a VoIP connection. We've all had the experience of hearing our friends typing while we talk over skype. How much can we learn about their typing from this sound information?
In this project, you should develop a machine-learning algorithm for recovering keystrokes from audio data. Your algorithm should use acoustic and timing features, and should incorporate a language model. You should then evaluate your model on audio data obtained via a VoIP system, such as Skype.
Hint: your classifier will probably be an HMM in which each state is the last key typed and observation are associated with edges and consists of a pair (delay, sound), where the delay is the time since the last keystroke and the sound is the sound of the current keystroke. Transition probabilities are given by the language model, and observation probabilities for each edge are determined empirically by measuring inter-keystroke timings and keystroke sounds.
You will also have to perform some signal processing to determine when keystrokes occur in the audio data. I have no idea how to do that -- you're on your own to figure that part out.
Evaluation should measure the fraction of keystrokes inferred correctly. Evaluation must include audio data collected via a VoIP application. Note that you may train your classifier using data from the VoIP program.
The Content Security Policy draft standard defines script nonces that can be used to prevent cross-site scripting (XSS) attacks. Design and implement an Apache module to automatically insert script nonces into CSPs and web pages served by Apache.
The primary dsign question is: which scripts should have a script nonce added to them? One method would be to have a server-side nonce that gets replaced with a client-side nonce that gets changed every time. Thus a web page with an injected script would look like this, before processing:
<script script-nonce="some secret value"> /* Valid script here */ </scipt> <script> /* evil injected script here */ </script>
The Apache module would be configured to look for scripts with "some secret value" and replace it with a fresh, random value that it also placed inside the CSP:
<script script-nonce="some fresh random value"> /* Valid script here */ </scipt> <script> /* evil injected script here */ </script>
A complete implementation should correctly handle CSPs, web pages, and javascript files. Your evaluation should demonstrate that your module successfully prevents reflected and stored XSS attacks. Not all browsers implement support for script-nonce. Supposedly, recent versions of firefox and IE support these features. If you cannot obtain a browser that implements script-nonce, then you can simply confirm that the output generated by your Apache module is correct, i.e. it would prevent execution of injected scripts in a browser that supported script-nonce.
Note: to the best of my knowledge, there is currently no server-side implementation of script-nonce. The closest thing I csan find is here, but it doesn't handle adding nonces to the legitimate scripts in a web page. It just sticks a nonce in the page's CSP. If you find an implementation online, please let me know.