Energy Attack on Server Systems

Zhenyu Wu, Mengjun Xie, and Haining Wang
The College of William and Mary, Williamsburg, VA 23187, USA
{adamwu, mjxie, hnw}@cs.wm.edu

Abstract

Power management has become increasingly important for server systems. Numerous techniques have been proposed and developed to optimize server power consumption and achieve energy proportional computing. However, the security perspective of server power management has not yet been studied. In this paper, we investigate energy attacks, a new type of malicious exploits on server systems. Targeted solely at abusing server power consumption, energy attacks exhibit very different attacking behaviors and cause very different victim symptoms from conventional cyberspace attacks. First, we unveil that today's server systems with improved power saving technologies are more vulnerable to energy attacks. Then, we demonstrate a realistic energy attack on a standalone server system in three steps: (1) by profiling energy cost of an open Web service under different operation conditions, we identify the vulnerabilities that subject a server to energy attacks; (2) exploiting the discovered attack vectors, we design an energy attack that can be launched anonymously from remote; and (3) we execute the attack and measure the extent of its damage in a systematic manner. Finally, we highlight the challenges in defending against energy attacks.

1 Introduction

Power management is one of the critical issues for server systems nowadays. To date energy cost has become a major factor in the total cost of ownership (TCO) of large-scale server clusters [3, 13]. According to [21], more than 100 billion kilowatt hours, representing a $7.4 billion annual cost, will be consumed by servers and data centers in U.S. by 2011. As the price of hardware keeps dropping while its performance continuously improves, the proportion of energy cost in overall expense of server systems tends to grow even larger [3, 13].

Footnote (author affiliation): This author is currently affiliated with the Department of Computer Science at University of Arkansas at Little Rock and can be reached at mxxie@ualr.edu.

Previous researches on server system power management mainly focus on reducing power consumption while maintaining acceptable quality of service. Numerous techniques have been proposed to improve energy efficiency in a variety of aspects, from low-level hardware features such as processor Dynamic Voltage and Frequency Scaling (DVFS) [10, 14] and hard disk spin-down [7, 12], to high-level system-wise management schemes such as cluster load provisioning [8, 19] and virtual machine consolidation [17]. While these power management advancements have significantly improved power savings¹, they have also opened up spaces for energy misuse. However, the security aspect of server system power management has not yet been paid attention to.

¹ For example, our study shows that a mainstream server in idleness consumes less than half of the energy consumed in full utilization.

In this paper, we investigate energy attacks, a new type of malicious exploits on server systems. Energy attacks are remotely launched, stealthy attacks that attempt to increase the energy consumption of the victim system non-proportional to its effective workload. A successfully launched energy attack can cause the victim system to waste a large amount of energy, which in turn becomes waste heat, resulting in significantly increased power and cooling expense, shortened hardware component lifespan, reduced reliability, and sometimes even permanent hardware failure. Current power management and security mechanisms provide virtually no defense against energy attacks.

Energy attacks are distinct from conventional cyberspace attacks in three interrelated aspects: objectives, attacking behaviors, and victim symptoms. First, an energy attack aims solely at abusing server power consumption. It does not attempt to disrupt a victim server's normal services or operations, nor to acquire sensitive information from the victim. Second, an energy attack is mounted in a stealthy manner, because the damage is delivered over a relatively long period of time. The network flow of an attacker is similar to that of a normal client, and there are no high-profile traffic patterns or data fingerprints left by the energy attack. Third, the victim server would only experience increased power consumptions due to energy attacks, and observe no other anomalies such as tangible performance degradation.

To demonstrate the feasibility of launching an energy attack, we perform a step-by-step design and execution of a realistic energy attack on a Wikipedia mirror server. First, we profile the power consumption of the victim Web server under different page serving conditions, and identify a condition that incurs high energy consumption as a viable attack vector. We then proceed to design an energy attack, achieving stealthiness by leveraging knowledge of human Web browsing behaviors. And finally, we evaluate our design by executing the attack on the victim server and systematically measure the power consumption increases under different load conditions. We observe that the damage of the energy attack is dependent on the workload of the server system. For a victim server under typical workloads, our attack is able to increase its power consumption by 21.7% to 42.3%.

Finally, we argue that fine-grained power measurement is a critical component for differentiating energy attacker from benign users, and the lack of support of which in current server systems makes building effective general purpose defense system against energy attacks quite challenging.

The remainder of this paper is structured as follows. Section 2 presents the background on server system energy saving and the security implication. Section 3 details the design of energy attacks. Section 4 evaluates the threat of the proposed energy attack. Section 5 discusses other attack vectors, attack applicability and defense challenges. Finally, Section 6 concludes the paper.

2 Background

In this section, we first discuss the impact of energy proportional computing on a server system and present power measurements on our own server systems. Then, we describe the threat of energy attacks exposed on today's server systems.

2.1 Energy Proportionality

Energy proportional computing [4] is an important concept in today's server systems. It aims to address the increasing energy concern and demand for power saving by making servers consume energy proportional to their workload. This goal is normally achieved by conditionally trading off component performance for power savings.

Processors are the primary targets for power optimization, because of their high maximum power consumption (hundreds of watts per unit). Nowadays, the majority of server-class CPUs have employed power saving techniques that are already used in desktop and mobile processors, such as DVFS, multiple power states with reduced performance, and even turning off idle cores. Motherboard and chipset feature the shutdown of unused circuitry, and memory chips also have several standby states with reduced power for no read/write cycles. Hard drives can only save a small portion of energy at idleness, due to their power demanding internal mechanical parts (spinning platters). However, they also support "spin-down", shutting down the motor and thereby cutting down the majority of its power consumption, at a high (latency) cost of resuming service.

The ACPI (Advanced Configuration and Power Interface) specifications [1] are introduced to unify the power management of various types of devices in computer systems and provide well defined power management interfaces for both hardware and software. Within the specifications, multiple performance states are defined for a computer component. Each performance state corresponds to a specification of the expected performance and power consumption. At least one state is well defined: a full power state corresponds to the maximum performance. Depending on device type and manufacturing technology, an additional number of reduced performance states can be defined.

Although modern operating systems are all capable of utilizing the ACPI to conserve energy under light load or in idleness, previous generations of server systems (such as our System A below) are not very energy proportional. This is because performance and security used to be the primary concerns, and thus the underlying hardware provides little or no support of performance states with reduced power consumption. However, as energy concerns weigh increasingly heavily, today's server systems have been becoming more energy proportional.

2.2 Real Server Measurements

We perform a small measurement study on system power consumption, using two server systems with different generations of hardware configurations, which are listed in Table 1. System A was bought in 2006 and System B was bought in mid-2009. We believe that both servers are representative of the mainstream system configurations at the time of purchase.

Table 1: Configurations for Server Systems

          System A                   System B
CPU       2 * Xeon 5130 Dual Core    2 * Xeon 5520 Quad Core
Memory    4 * 1GB DDR2 FBDIMM        6 * 1GB DDR3 FBDIMM
HDD       4 * 7200RPM SATA           6 * 7200RPM SATA

We measure the whole system power consumption in three different load scenarios: completely idle (IDLE), processors being fully utilized (CPU), and processors and hard drives being fully utilized (CPU+HDD). The "CPU" workload is generated by running multiple instances of a classic CPU benchmark program "linpack", and the number of instances corresponds to the number of logic cores. The "CPU+HDD" workload is generated by running the "CPU" workload with the highest nice value and, at the same time, writing a large volume of data to the hard drives using the dd utility. The power consumption data are collected using "Watts up? .Net" digital power meter [23].

[Figure 1: Whole System Power Consumptions]

Two observations can be made from our measurement results shown in Figure 1: first, in high utilization scenarios System B (the newer server) consumes slightly more power than System A; second, and more interestingly, in the IDLE scenario, the power consumption of System B is significantly less than that of System A. While the first observation can be explained by System B having increased overall computation power than System A, the second observation presents us the direct proof that newer server system is becoming more energy proportional than previous generations. With higher computation power and improved energy proportionality, one can expect System B to yield more energy saving than System A under the same workload. However, we make an additional, alarming observation when we look at the advancements in energy proportional computing from a security perspective.

2.3 Threat of Energy Attacks

The improved energy proportionality has significantly changed the power profile of today's server systems. For example, our measurement data in Figure 1 shows that compared to IDLE, the CPU+HDD power consumption of System A increases by only 35%, while that of System B increases by 134%. The larger power consumption increase of System B indicates that it has a wider dynamic power range than System A. In other words, the power consumption of System B (energy proportional server) is more alterable than that of System A (non-energy proportional server). The increased power consumption alterability represents a new threat to server systems. The power management mechanism of a server can be attacked by maliciously crafted workloads that target at consuming disproportional amount of energy, rendering the power saving ineffective, and resulting in significant energy waste of a victim.

Alarmingly, we realize that the threat of energy attacks is in fact an exploitable vulnerability because there is no effective defense against it. Existing power management schemes mainly focus on improving energy efficiency under normal operating conditions with benign workload, and thus they do not provide any defense against energy attacks. Moreover, most server systems do not have an efficient mechanism to measure power consumption, and thus could not even detect energy attacks, let alone defend against them.

3 Energy Attack on Server Systems

In this section, we demonstrate the feasibility of launching an energy attack. First, we describe the scenario selection and the characterization of energy attacks. We then design a realistic energy attack against an open Web server as a case study, covering the attack vector discovery, exploitation, and detection avoidance.

3.1 Scenario Selection

A great variety of tactics can be used to mount energy targeted attacks against server systems. For example, if attackers obtain "root" or "administrator" privilege on a victim system, they can deliberately mis-configure drivers and/or firmware, e.g., over-clock processor and memory, to operate the hardware components out-of-specs. Even with the privilege of a normal user, attackers can still easily increase the power consumption by running badly behaving programs such as a tight dead loop. However, the above mentioned scenarios are not the focus of our study, because they are generally difficult to implement from remote, due to the high requirements for attackers (e.g., having privileged or physical access to the victim system).

We are interested in more commonly encountered scenarios, in which energy attacks can be launched without any special privileges. We assume that (1) the victim server runs an open service, which accepts service requests from the Internet; (2) the attackers have no physical access to the victim server; (3) the attackers only have equivalent privileges of "anonymous users" on the victim server (for example, they cannot change system configurations or execute arbitrary code); and (4) there are no exploitable security vulnerabilities on the victim system to escalate the attackers' privileges. In other words, the attackers communicate with the victim server using the same method as legitimate users, and the major variable they can manipulate is the server's workload by crafting and submitting malicious service requests.

[Figure 2: Power Draw vs. Caching Scenarios]

[Figure 3: Response Time vs. Caching Scenarios]

Thanks to the generic setting of attack environment, we believe that our scenarios are applicable to a wide range of servers, particularly, public Web services such as news, blogs, and forums, public data services including file and image sharing sites, and search engines.

3.2 Attack Characterization

Attempting to be stealthy, energy attacks incur their damage in an accumulative fashion over a long period of time. Thus, the key to the success of energy attacks is to be low profile and avoid detection. As a result, energy attacks on a server system must meet two requirements. First, the attack should not exhibit traffic anomalies or have unique traffic patterns, because the server traffic is often monitored for security purposes. Second, the attack should cause minimal performance anomaly on the victim server, as unusual performance degradation is a very visible sign that the server is under attack.

The first requirement precludes high service request rate attacks, due to their obvious traffic anomalies. The malicious requests in an energy attack need to be sent at low to normal rate, and hence should be crafted to ensure a high per-request energy cost.

In order to fulfill the second requirement, energy attacks must be adaptive to the workload condition of the victim server. Because the victim hosts an open service, its normal workload tends to vary significantly in time. The workload may be correlated to the day-night and weekday-weekend cycle. Inflicting a fixed malicious workload on the victim may either cause performance anomaly during high-load periods, or fail to incur the maximum energy cost damage.

3.3 Case Study: Wikipedia Mirror Server

We perform a case study of designing an energy attack on an open Web server. We use System B as the victim server, running a mirrored Wikipedia service. The service setup is detailed in Section 4.1. We choose Wikipedia mirror as our attack target because it is a freely available, large single server Web service, a representative of real world production-use open Web services.

3.3.1 Identifying an Attack Vector

The Wikipedia mirror is powered by MediaWiki, a large-scale content management system. The contents of all MediaWiki pages are stored in a marked up format different from standard HTML, and pages are dynamically generated when they are requested. Two levels of caching, object cache and in-memory cache, help to optimize the performance.

MediaWiki stores the dynamically generated HTML contents in an "object cache", a database table. When a page is requested repeatedly, the HTML content is retrieved directly from the object cache without being repeatedly generated. A cached HTML page expires either after a period of inactivity or when the associated page content has been modified. In addition to the object cache, the MySQL database speeds up operations by storing a portion of frequently queried table entries, as well as table search indices and query results, in memory, employing a modified LRU replacement algorithm.

We profile the power consumption and service latency characteristics of the two caching mechanisms on the target server. Figures 2 and 3 show the average power usage and average response time for serving page requests from a single client in three different caching scenarios: pages being fully cached (in both memory and object cache), pages only in object cache, and pages not being cached. The lower bound of Y-axis in Figure 2 is set to 130 watts, the system idleness power consumption. Thus, the columns in the figure represent the additional power consumption caused by the service requests.

From this measurement, we can observe that compared to fully cached requests, requests with memory cache misses incur 3% power increase and 129% processing time increase, and requests with object cache misses incur 12.7% power increase and 840% processing time increase. Because energy is defined as the product of power and time, the effect of cache misses on energy consumption increase is multiplicative. The high energy cost rendered by cache misses forms an effective energy attack vector to our Wikipedia mirror server.

3.3.2 Exploiting the Attack Vector

Our next step is devising a method to exploit the discovered attack vector, that is, to generate requests that can cause cache misses, especially object cache misses. We examine previous studies in Web browsing behaviors. According to Barford and Crovella [2], Web page accesses on a Web server follow Zipf distribution, i.e., access frequency of a page correlates to its rank, and most accesses concentrate on a small number of pages while a large number of pages are rarely accessed. It is clear that the caching mechanisms in our Web server work well in handling such an access pattern because they are designed to optimize for similar access patterns. However, this knowledge also hints at a practical cache attack scheme. To generate page requests with high probability of cache miss, we just need to access pages in patterns following a very different distribution from Zipf. For the ease of study and implementation, we choose a uniform random page access pattern to exploit our attack vector.

3.3.3 Detection Avoidance

The selected attack vector enables us to increase the victim's energy consumption without sending a large amount of requests. To avoid generating abnormal traffic patterns, we model the attacking request rate after "normal" Web clients.

Barford and Crovella [2] also show that Web browsing exhibits an "active-inactive" behavioral pattern. During the active period, a client submits requests in a bursty manner, which is attributed to the browser downloading multiple resources (images, scripts, etc.) linked to a document. During the inactive period, the client pauses sending requests, presumably reading the page content. The length of the inactive period follows Pareto distribution.

For our experiments, we simplify our model by "condensing" the active period into a single request, and only model the inactive period for request inter-arrival time. This is because all Wikipedia pages are text oriented and structurally alike. The client behaviors in all the active periods would be very similar.

In addition to traffic shaping, we also need to adaptively adjust the injection of malicious requests based on the workload of the victim server. The server workload can be approximated by the service response time. We build a profile of the victim, correlating the server load with the response time. During the attack, we monitor the response time of the server and adjust the sending rate of malicious requests accordingly.

4 Attack Evaluation

In this section, we first describe the experimental setup. Then, we detail the attack preparation and the measurements of the energy attack. And finally we assess the achievable damage.

4.1 Configuration and Setup

We set up a Wikipedia mirror server on System B using the classical LAMP (Linux, Apache, MySQL, and PHP) combination. The database is imported from a Wikipedia dump containing 9,053,725 page entries. With a number of tests, we find that the server is capable of caching about 10,000 pages in memory. Therefore, we randomly pick 50,000 pages for use in our experiment.

We simulate client requests using a custom client program running on a desktop computer. The client program simulates multiple clients each running in a separate thread. The "normal" clients are configured to access selected pages following Zipf distribution with α = 1, and the request inter-arrival time follows Pareto distribution with k = 1 and α = 1.5. The "malicious" clients are configured to access selected pages with uniform random patterns, and have the same request inter-arrival time distribution as the "normal" clients.

4.2 Workload–Response Time Profile

Before launching the attack, we first profile the victim server and establish the correlation between its workload and response time. We find out that the server is capable of stably supporting up to 100 normal clients and thus define 100 clients as the full workload of the server.

Figure 4 shows the correlation between workload and response time. Each data point is the average of 250 samples of service response time obtained under the corresponding workload. The error bar represents the standard deviation of response time. For light and moderate workloads (up to 50 clients), the server's response time increases quite slowly. When the workload increases beyond 60%, or 60 clients, the response time starts to rise significantly. With workloads in which the number of active clients is beyond 100, the server starts to show symptoms of being overloaded: all clients experience intermittent short bursts of request failures in the form of "HTTP 500" errors. Figure 5 shows the correlation between stable workload and system power consumption, from which we can see that the server system power consumption is indeed proportional to its workload.

[Figure 4: Workload vs. Response Time]

[Figure 5: Workload vs. Power Consumption]

[Figure 6: Attack Effect with 100 Normal Clients]

[Figure 7: Attack Effect with 50 Normal Clients]

4.3 Attack Measurements

We use server-side power consumption and client-side perceived response latency to measure the effects of the energy attack. We conduct the experiments using different server workloads, which range from 10 to 100 normal clients with the increment of ten clients. For each workload, we inject energy attack traffic by adding a number of malicious clients. Due to the large volume of data, we only present the results corresponding to 100, 50, and 10 normal clients and depict them in Figures 6, 7, and 8, respectively. These figures show the increases in power consumption and response latency caused by the introduction of malicious workloads.

At 100% of the full load, as shown in Figure 6, the response latency of the victim server is very sensitive to the addition of malicious workloads. The malicious workload of ten malicious clients increases the response latency by 7.6%, and the workload of 15 malicious clients increases the response latency by 50.2%. The power consumption, however, does not increase with the response latency, as the server is already fully loaded.

At 50% of the full load, as shown in Figure 7, with 20 malicious clients, the attack results in 20.9% of extra power being consumed while incurring only a 7.1% increase in response latency. However, with 30 or more malicious clients, the response latency increase surpasses the power consumption increase.

At 10% of the full load, as shown in Figure 8, the energy increase caused by the attack becomes very significant. With 40 malicious clients, the victim server's power consumption increases by 39.0%, while the service response latency only increases by 7.4%.

4.4 Damage Assessment

Our measurement results show that, at any stable workload, energy attacks will cause increased power consumption on the victim server. The more malicious clients, the larger the power increase. However, a larger number of malicious clients also results in tangible performance degradation. Figure 9 presents the collective results of service response time increases for all ten different workloads with varying numbers of malicious clients. In this figure, we omit sample points with response time increment larger than 50%.

To guarantee the success of an energy attack, low attack profile takes precedence over the power consumption increment. Therefore, the number of malicious clients needs to be limited to avoid significant response time impact. We refer to the workload–response time profile for a reasonable threshold. The standard deviation of response time at stable workloads (10-100 clients) varies between 12.3% and 21.1% of the measured values. We set the response time increment threshold to the smallest percentage, 12.3%.

[Figure 8: Attack Effect with 10 Normal Clients]

[Figure 9: Attack Resulted Response Time Increases]

With the chosen response time increase constraint, for each workload, we determine the maximum power consumption achievable by the attacks and present them in Table 2. We observe that the power increase effect of the energy attack is inversely correlated to the workload of the server: an idle server suffers significant extra power consumption, while a very busy server only incurs a small power consumption increase.

Table 2: Percentage of Power Increases due to Attack

Utilization     10%    20%    30%    40%    50%    60%    70%    80%    90%    100%
Power Increase  39.0%  42.3%  36.3%  31.6%  21.7%  14.8%  11.6%  9.0%   11.3%  6.2%

To assess the gross damage of the energy attack to a typical server, we refer to the study of typical server workloads. Barroso and Hölzle [4] observe that most servers have average utilization between 10% and 50%. Correspondingly, under such utilization, our energy attack can result in 21.7%–42.3% power consumption increase.

5 Discussion

In this section, we first describe other possible energy attack vectors, the applicability of energy attacks, and then we discuss the challenges of defending against energy attacks.

5.1 Attack Variations

Besides using cache miss as an attack vector, energy attacks can also be launched by exploiting other energy related vulnerabilities. For example, a file depositing server that runs an unmodified Linux kernel and allows users to control the names for stored files (such as a public FTP server) is vulnerable to energy attacks. The attacker can exploit a well known *nix kernel filename resolution vulnerability², and launch a low-rate algorithmic complexity attack [6, 9] to stealthily increase processor utilization. Because a file depositing service is storage and network bandwidth bound, a well-controlled energy attack can avoid generating any throughput anomalies.

Besides the processors, other components with large dynamic power range can also be exploited by energy attacks. For example, hard drives normally consume 12 to 16 watts during operation, but their power consumption can be reduced to under one watt by spinning down the platters during long periods of idleness. As a result, an energy attack on hard drives can be mounted by performing a sleep deprivation attack to prevent expected spin-down. Although the energy cost of a single attacked hard drive seems to be insignificant, the damage can accumulate to a significant amount when the energy attack targets a decent sized storage server with 10 to 20 installed hard drives.

5.2 Orthogonality to DoS attacks

Energy attacks may seem to be connected to DoS (Denial of Service) attacks [15, 20, 22], as they seemingly share some related vulnerabilities, such as cache exploits and algorithmic complexity weakness. However, they are orthogonal classes of attacks.

On one hand, DoS attacks have mixed energy effects. This is because the introduction of DoS attacks to server systems pre-dates the era of energy proportional computing, and thus energy was never an attack target when servers have constant power consumption whether busy or idle. As an intuitive example, a TCP SYN flooding DoS attack exhausts the victim server's socket resource, and thus prevents the victim from receiving normal service requests. This attack causes most components of the victim server to become idle, and thus significantly reduces its power consumption.

On the other hand, energy attacks would never attempt to cause denial of service. To the contrary, they try hard to avoid causing denial of service, because staying low-profile and undiscovered is critical to a successful attack.

Therefore, energy attacks and DoS attacks are distinct in terms of their designed purpose, execution methodology and effects.

² A simple hash data structure is used by the kernel for filename caching and lookup. By maliciously naming files, one can cause a large number of filenames to collide onto the same hash slot, resulting in expensive linear searches for filename related operations.

5.3 Attack Applicability

We have thoroughly investigated the proposed energy attack against a standalone server system. We use the case of single standalone server as the first step to study energy attack, because it is relatively easy to perform a clear analysis and repeatable evaluations. However, the attack vectors on a standalone server are not applicable to other hosting configurations, such as clustered servers and load balanced server farm. For example, our proposed energy attack on our Wikipedia mirror server is not effective on the actual Wikipedia website, which employs load balanced server clusters and heavy proxy caching techniques. However, we believe energy attacks also pose serious threats to large scaled systems, such as cloud hosting environment [11]. Competing cloud vendors may use energy attack as a powerful weapon to increase the operation cost of their opponents, making the attackers' service rates more attractive. To extend the scope of this work, we plan to study and profile the interactions of workload and power consumption of server clusters, discover viable attack vectors, as well as devise defending techniques.

5.4 Challenges of Defense

To defend against energy attacks, it is necessary to measure the amount of energy consumed by a user's requests and use it to differentiate malicious users from benign users. Therefore, measuring and accounting power consumption for processing each request is a fundamental requirement. Unfortunately, even though it is possible to measure the power consumption of the whole system in a coarse time granularity (e.g., using a power meter), there is no field-deployable mechanism available for fine-grained power measurement.

Neugebauer and McAuley [18] suggest using performance counter data such as CPU cycles, disk operations, and screen pixels to approximate power consumption for laptops and mobile devices. Buennemeyer et al. [5] present a battery-sensing intrusion protection system for mobile computers, which correlates device power consumption with Wi-Fi and Bluetooth communication activities. Kim et al. [16] propose a power-aware malware detection framework by collecting application power consumption signatures.

These techniques, however, are hardly applicable to a server system. This is because mobile devices are designed to be used by individuals, and they run few applications concurrently. In contrast, server systems are designed to process a large number of requests from multiple users in parallel. As a result, power consumptions of server systems are heavily correlated with the collective service requests coming from the network, from which one can hardly extract signatures of individual users. In addition, performance counter readings on server systems (especially at fine granularity such as per-request processing) of independent processes can be heavily coupled and inaccurate for power approximation. For example, an SMT (Simultaneous Multi-Threading) processor allows two or more threads to execute in parallel, sharing the same underlying hardware. This may lead to unrelated processes competing for processor resources and interfering with each other's cycle count readings. Another example is that modern hard drives can intelligently reorder the sequence of operations to improve efficiency; however, this can cause the operation latency to be disproportional to the request data size.

6 Conclusion

Server systems have become more power efficient and energy proportional as power management technologies advance. However, the security aspect of power management has not yet been studied. In this paper, we investigated the potential vulnerabilities in server power management. First, we exposed the threat of energy attacks by measuring the power consumption of real server systems. Then, we designed and evaluated energy attacks on server systems. In particular, we validated the threat of energy attacks on an open Web server running Wikipedia mirror service. By profiling power consumption of the target server under different operation conditions, we realized a viable energy attack vector. We conducted a series of experiments, in which energy attacks with varying attack intensities were carefully mounted to avoid incurring tangible degradation of server performance. Our experimental results show that the proposed energy attack can incur 21.7%–42.3% additional power consumption on the victim server. Finally, we discussed the challenges in protecting victim servers against energy attacks.

References

[1] Advanced configuration and power interface. http://www.acpi.info, 2009.
[2] P. Barford and M. Crovella. Generating representative web workloads for network and server performance evaluation. In Proceedings of the 1998 ACM SIGMETRICS, pages 151–160, 1998.
[3] L. A. Barroso. The price of performance. ACM Queue, 3(7):48–53, September 2005.
[4] L. A. Barroso and U. Hölzle. The case for energy-proportional computing. IEEE Computer, 40(12):33–37, Dec. 2007.
[5] T. K. Buennemeyer, M. Gora, R. C. Marchany, and J. G. Tront. Battery exhaustion attack detection with small handheld mobile computers. In Proceedings of the IEEE PORTABLE, 2007.
[6] X. Cai, Y. Gui, and R. Johnson. Exploiting unix file-system races via algorithmic complexity attacks. In Proceedings of the 30th IEEE Symposium on Security and Privacy, 2009.
[7] E. V. Carrera, E. Pinheiro, and R. Bianchini. Conserving disk energy in network servers. In Proceedings of the 17th ICS, pages 86–97, 2003.
[8] J. S. Chase, D. C. Anderson, P. N. Thakar, A. M. Vahdat, and R. P. Doyle. Managing energy and server resources in hosting centers. In Proceedings of the 18th ACM SOSP, pages 103–116, 2001.
[9] S. A. Crosby and D. S. Wallach. Denial of service via algorithmic complexity attacks. In Proceedings of the 12th conference on USENIX Security Symposium, 2003.
[10] M. Elnozahy, M. Kistler, and R. Rajamony. Energy conservation policies for web servers. In Proceedings of the 4th conference on USENIX USITS, 2003.
[11] X. Fan, W.-D. Weber, and L. A. Barroso. Power provisioning for a warehouse-sized computer. In Proceedings of the 34th ISCA, pages 13–23, 2007.
[12] S. Gurumurthi, A. Sivasubramaniam, M. Kandemir, and H. Franke. Drpm: Dynamic speed control for power management in server class disks. In Proceedings of the 30th ISCA, pages 169–182, 2003.
[13] J. Hamilton. Where does the power go and what to do about it? In Proceedings of the USENIX HotPower, 2008.
[14] T. Horvath, T. Abdelzaher, K. Skadron, and X. Liu. Dynamic voltage scaling in multitier web servers with end-to-end delay control. IEEE Trans. Comput., 56(4):444–458, 2007.
[15] S. Kandula, D. Katabi, M. Jacob, and A. Berger. Botz-4-sale: Surviving organized ddos attacks that mimic flash crowds. In Proceedings of the 2nd USENIX NSDI, 2005.
[16] H. Kim, J. Smith, and K. G. Shin. Detecting energy-greedy anomalies and mobile malware variants. In Proceeding of the 6th MobiSys, pages 239–252, June 2008.
[17] R. Nathuji and K. Schwan. Virtualpower: coordinated power management in virtualized enterprise systems. In Proceedings of the 21st ACM SOSP, pages 265–278, 2007.
[18] R. Neugebauer and D. McAuley. Energy is just another resource: Energy accounting and energy pricing in the nemesis os. In Proceedings of the 8th USENIX HOTOS, 2001.
[19] E. Pinheiro, R. Bianchini, E. V. Carrera, and T. Heath. Dynamic cluster reconfiguration for power and performance, pages 75–93. Kluwer Academic Publishers, Norwell, MA, USA, 2003.
[20] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly. Ddos-resilient scheduling to counter application layer attacks under imperfect detection. In Proceedings of the 25th IEEE INFOCOM, 2006.
[21] U.S. Environmental Protection Agency. Report to congress on server and data center energy efficiency, 2007.
[22] H. Wang, C. Jin, and K. G. Shin. Defense against spoofed ip traffic using hop-count filtering. IEEE/ACM Transactions on Networking, 15(1), Feb. 2007.
[23] Watts up? Watts up? .net digital power meter. https://www.wattsupmeters.com/secure/products.php?pn=0, 2009.
