EAAO
October 9, 2024 ยท View on GitHub
Open-source release of "Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS" (ASPLOS'24). This repo contains the source code of a Google Cloud Run service that we used for fingerprinting and a library for interacting with the service.
You can clone the repo by running:
git clone https://github.com/zzrcxb/EAAO.git
Dependences
Python
Our scripts require Python >= 3.9 and Python libraries that are listed in requirements.txt.
You can install those libraries by executing
pip3 install -r requirements.txt --user
Google Cloud CLI
Please refer to this Google Cloud documentation on installing Google Cloud CLI. I recommend the Docker option.
Code Structure
Google Cloud Run (GCR) Service
finp_service/ directory contains the source code of a Google Cloud Run service
that helps fingerprinting a Google Cloud physical host.
Deploy the Service
To deploy the service using Google Cloud CLI, you can execute a command similar to:
gcloud run deploy <Service name> \
--region=<GCR region> --source=<Path to service directory> \
--memory=<Memory requirement in MiB>Mi --cpu=<CPU requirement> \
--max-instances=1000 --concurrency=1 --timeout=3600 \
--session-affinity --allow-unauthenticated
Please refer to Google Cloud's documentation on the command and documentation about deploying GCR services in general.
Please note that our experiment script requires setting concurrency=1 so that
each WebSocket connection corresponds to exactly one container.
It is also required to enable unauthenticated accesses --allow-unauthenticated.
The default service configuration that we used is:
--memory=512Mi --cpu=1 --max-instances=1000 --concurrency=1 \
--timeout=3600 --session-affinity --allow-unauthenticated
To learn more about deploying a service to Google Cloud Run via CLI, you can execute:
gcloud run deploy --help
After the deployment, you will get an URL to invoke the service. Please save the URL.
Toolkit for Invoking the Service
toolkit/ directory contains Python helper code that helps interact with the
fingerprinting service.
These interactions include launching and connecting to individual container instances,
fingerprinting the physical host, running the rdseed covert channel to verify co-location,
and executing arbitrary command in the container instance.
For example, validate.ipynb provides an example that uses the toolkit
to launch containers and verify co-location
(please follow the comment in the first block of the Jupyter notebook and put your service URL).
Minor Correction
Figure 6 in the paper requires a minor correction. Please refer to here for more details. This correction does not change fingerprint results nor co-location results.