Side-channel file transfer between independent VMs executed on the same physical host

Overview

Inter-process or cross-VM data exchange via CPU load modulation

What is this

I made this PoC as a visual aid for an online discussion about M1RACLES, a method of covert inter-process data exchange via a system register in the Apple M1. The point is to demonstrate that said register does not add new means of data exchange, since any set of processes executed on the same physical host necessarily shares the underlying hardware resources, which can be exploited for covert data exchange (proper modulation provided).

In the best spirit of "someone is wrong on the internet", I made this demo to prove the point.

Principle

This PoC demonstrates a straightforward side-channel that allows one to construct reasonably robust data links between multiple processes, possibly executed in different virtualized environments, by modulating the CPU load or altering the state of any other shared hardware resource (such as CPU caches).

The method is based on CDMA modulation, which effectively allows one to pull useful signal from beneath the noise floor. The sender and the receiver(s) share a specific CDMA spread code sequence. Logic 1 is encoded by emitting the spread code in its original form; logic 0 is produced by inverting the code. Each chip of the spread code is emitted by driving the state of the shared resource appropriately; one trivial approach is to modulate the computing load on the CPU such that a high-level chip is emitted by increasing the computing load and vice versa.

The receiver samples the state of the shared resource and feeds its observations into the CDMA correlator. The correlator maintains an array of concurrent correlation channels; each channel compares the received sample feed against the reference spread code (shared with the transmitter). Each correlation channel has its copy of the spread code shifted by a fraction of the chip, such that one of the channels is always guaranteed to match the sequence emitted by the transmitter, while others would perceive the mismatching sequence as noise.

The correlator computes a weighted sum of the outputs of its channels, where the weight of each channel is a function of the correlation between the received sample feed and the spread code. The weighting ensures that uncorrelated channels are suppressed along with the noise in the medium. This ensures that the data link is resilient against noise; e.g., random variations of the processing load on the host generally do not cause link disruption.

The correlator also performs clock recovery in a similar manner by computing a weighted sum of the code phase from each channel.

[Figure: RX pipeline]

Any given system may host a theoretically unlimited number of such data links provided that each link leverages sufficiently distinct spread code sequences.

The method provides a reasonably robust VM-crossing data link at 1023 chips and 16 ms per chip, resulting in a data rate of about 0.06 bits per second. Data rates over 1 bit per second can be achieved if the data link does not cross the boundaries of virtualized environments. The speed vs. bit error rate trade-off can be adjusted by changing the chip period and the code length defined in the header file.
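The transmitter, the noisy medium and the correlating receiver from the Principle section, as an added simulation that is not the project's code (this page does not reproduce the project's sources). Everything runs on a constructed in-memory sample stream: +1.0 and -1.0 stand for high and low load, Gaussian noise plus a slow background-load wobble stand in for unrelated activity on the host, and all names (`m_sequence`, `Correlator`, `run_demo`, ...) are my own. It uses a 63-chip code with 8 samples per chip so that it runs in well under a second; the 1023-chip / 16 ms configuration from the text enters only through `bit_rate()`.

```python
"""Added simulation of the CDMA covert channel described above (not the
project's code).  The "medium" is a constructed list of samples in which
+1.0 / -1.0 stand for high / low load; Gaussian noise plus a slow
background-load wobble stand in for unrelated activity on the host."""
import math
import random


def m_sequence(n, tap):
    """+1/-1 chips of a maximal-length sequence (period 2**n - 1) from a
    Fibonacci LFSR with characteristic polynomial x**n + x**tap + 1.
    (6, 5) gives the 63-chip code used below; (10, 7) gives 1023 chips."""
    state = [1] * n
    chips = []
    for _ in range(2 ** n - 1):
        out, feedback = state[0], state[0] ^ state[tap]
        state = state[1:] + [feedback]
        chips.append(1 if out else -1)
    return chips


def autocorrelation(code, shift):
    """Circular autocorrelation; an m-sequence gives -1 at every non-zero shift."""
    n = len(code)
    return sum(code[i] * code[(i + shift) % n] for i in range(n))


def spread(bits, code, samples_per_chip):
    """Transmitter: 1 emits the code as-is, 0 emits it inverted; each chip is
    held on the medium for samples_per_chip samples."""
    out = []
    for bit in bits:
        sign = 1.0 if bit else -1.0
        for chip in code:
            out.extend([sign * chip] * samples_per_chip)
    return out


def noisy_medium(signal, delay, noise_sigma, background, rng):
    """Constructed channel: `delay` idle samples before the first chip, white
    Gaussian noise on every sample, and a slow sinusoidal background load."""
    stream = [0.0] * delay + list(signal)
    return [s + rng.gauss(0.0, noise_sigma) + background * math.sin(i / 640.0)
            for i, s in enumerate(stream)]


class Correlator:
    """Bank of correlation channels at sub-chip offsets of the code phase."""

    def __init__(self, code, samples_per_chip):
        self.spc = samples_per_chip
        self.ref = [float(c) for c in code for _ in range(samples_per_chip)]
        self.period = len(self.ref)

    def channel(self, samples, start):
        """Normalised correlation of one code period of the feed, starting at
        `start`, with the reference; sliding the window is the same as shifting
        the channel's copy of the code.  Out-of-range samples read as silence."""
        acc = 0.0
        for i in range(self.period):
            j = start + i
            if 0 <= j < len(samples):
                acc += samples[j] * self.ref[i]
        return acc / self.period

    def acquire(self, samples):
        """Initial clock recovery: search all code phases within one period."""
        return max(range(self.period), key=lambda s: abs(self.channel(samples, s)))

    def decode(self, samples, n_bits):
        """Returns (bits, recovered code phase modulo the period)."""
        phase = self.acquire(samples)
        half = self.spc // 2
        offsets = list(range(-half, half + 1))
        bits = []
        for _ in range(n_bits):
            outputs = [self.channel(samples, phase + k) for k in offsets]
            weights = [r * r for r in outputs]   # uncorrelated channels weigh ~0
            total = sum(weights) or 1e-12
            decision = sum(w * r for w, r in zip(weights, outputs)) / total
            bits.append(1 if decision > 0 else 0)
            # clock tracking: weighted mean of the channels' phase offsets
            phase += round(sum(w * k for w, k in zip(weights, offsets)) / total)
            phase += self.period
        return bits, phase % self.period


def bit_rate(code_length, chip_period_s):
    """One bit per code period; 1023 chips at 16 ms is about 0.061 bit/s."""
    return 1.0 / (code_length * chip_period_s)


def text_to_bits(text):
    return [(b >> i) & 1 for b in text.encode() for i in range(7, -1, -1)]


def bits_to_text(bits):
    chunks = (bits[i:i + 8] for i in range(0, len(bits), 8))
    return bytes(int("".join(map(str, c)), 2) for c in chunks).decode(errors="replace")


def run_demo(text="Hi", samples_per_chip=8, delay=13, noise_sigma=2.0,
             background=1.0, seed=1):
    """End to end: spread, cross the constructed medium, correlate.
    Returns (decoded text, recovered code phase, per-sample SNR in dB)."""
    rng = random.Random(seed)
    code = m_sequence(6, 5)
    bits = text_to_bits(text)
    feed = noisy_medium(spread(bits, code, samples_per_chip), delay,
                        noise_sigma, background, rng)
    decoded, phase = Correlator(code, samples_per_chip).decode(feed, len(bits))
    snr_db = 10 * math.log10(1.0 / (noise_sigma ** 2 + background ** 2 / 2))
    return bits_to_text(decoded), phase, snr_db


if __name__ == "__main__":
    text, phase, snr = run_demo()
    print(f"decoded {text!r}, code phase {phase} samples, per-sample SNR {snr:.1f} dB")
```

With the default settings the per-sample SNR is about -6.5 dB, i.e. the signal sits below the noise floor, yet the weighted correlator recovers both the bits and the code phase; raising `noise_sigma` until bits start to flip exposes the speed vs. bit error rate trade-off mentioned above. The same correlator is also what a defender would run over samples of a host's load counters to check whether a suspected spread code is present in them.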

Demo

[demo video]

Building

The build instructions are given at the top of each file.

Links

Online discussions of this work:

Owner

Pavel Kirienko (building stuff at @Zubax, maintaining @UAVCAN)