Towards a comprehensive model of isolation for mitigating illicit channels

The increased sharing of computational resources elevates the risk of side channels and covert channels, where an entity’s security is affected by the entities with which it is co-located. This introduces a strong demand for mechanisms that can effectively isolate individual computations. Such mechanisms should be efficient, allowing resource utilisation to be maximised despite isolation. In this work, we develop a model for uniformly describing isolation, co-location and containment relationships between entities at multiple levels of a computer’s architecture and at different granularities. In particular, we examine the formulation of constraints on co-location and placement using partial specifications, as well as the cost of maintaining isolation guarantees on dynamic systems. We apply the model to a number of established attacks and mitigations. This work was supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE. At the time this research was conducted, Eric Bodden was at Fraunhofer SIT and Technische Universität Darmstadt