Virtualization is widely adopted in cloud systems to manage resource sharing among users. A virtualized environment usually deploys a virtual switch within the host system to enable virtual machines to communicate with each other and with the physical network. The Open vSwitch (OVS) is one of the most popular software-based virtual switches. It maintains a cache hierarchy to accelerate packet forwarding from the host to virtual machines. We characterize the caching system inside OVS from a security perspective and identify three attack primitives. Based on the attack primitives, we present three remote attacks via OVS, breaking the isolation in virtualized environments. First, we identify remote covert channels using different caches. Second, we present a novel header recovery attack that leaks a remote user's packet header fields, breaking the confidentiality guarantees from the system. Third, we demonstrate a remote packet rate monitoring attack that recovers the packet rate of a remote victim. To defend against these attacks, we also discuss and evaluate mitigation solutions.

翻译：虚拟化技术被广泛应用于云系统中，以管理用户间的资源共享。虚拟化环境通常在主机系统内部署一个虚拟交换机，以实现虚拟机之间以及虚拟机与物理网络之间的通信。Open vSwitch（OVS）是最流行的基于软件的虚拟交换机之一。它维护一个缓存层次结构，以加速从主机到虚拟机的数据包转发。我们从安全角度分析了OVS内部的缓存系统，并识别出三种攻击原语。基于这些攻击原语，我们提出了三种通过OVS实施的远程攻击，从而打破了虚拟化环境中的隔离性。首先，我们识别出利用不同缓存的远程隐蔽信道。其次，我们提出了一种新颖的报文头部恢复攻击，该攻击会泄露远程用户的报文头部字段，破坏了系统提供的机密性保证。第三，我们展示了一种远程数据包速率监控攻击，该攻击能够恢复远程受害者的数据包速率。为了防御这些攻击，我们也讨论并评估了相应的缓解方案。