This specification relates to computer security.
Cloud computing is network-based computing in which typically large collections of servers housed in data centers or “server farms” provide computational resources and data storage as needed to remote end users. Some cloud computing services allow end users to execute software applications in virtual machines. For example, an operator of the cloud computing service can allow users to rent, lease or otherwise use virtual machines hosted on the operator's physical machines (e.g., the collection of servers). Users can execute various applications on the virtual machines. For example, a user can execute encryption algorithms/applications (e.g., password encryption schemes, data encryption schemes, user authentication algorithms, etc.) or other security applications.
Some users may execute malicious software applications or processes (e.g., malware, viruses, etc.) that attempt to compromise processes executing on other virtual machines hosted on the same physical machine. For example, a malicious process can perform a side-channel attack of a first virtual machine to compromise an encryption process executing on a second virtual machine that is hosted on the same physical machine. As another example, a malicious process can perform a statistical keystroke analysis attack and attempt to gather information entered from the keyboard based on elapsed times between keystrokes that can be used to predict character combinations. As a third example, a malicious process can perform a covert channel attack that involves two or more virtual machines that are isolated from each other (e.g., cannot communicate with one another) and use subtle variations in events that perturb the physical machine (e.g., disk accesses or accessing a shared resource that can only be accessed by one virtual machine at a time) as a medium to communicate information.