Malicious cloud provider can intentionally undervolt cloud infrastructure for additional savings on the electricity bill. ARM processors are low power processors which can lead to substantial energy saving for cloud providers. In our scenario we consider a scrooge cloud provider which undervolts its ARM
infrastructure for profit. The instances can be undervolted in a stealthy manner by avoiding critical voltage regions.
Applications running under critical undervolting conditions can
malfunction. These conditions can be exploited by a cloud user to uncover the undervolted instances. For this novel attack scenario we present a detection method for cloud users. The detection method injects non-selectively faults into processes with the intend to crash the cloud instance. Even if the cloud
provider can spoof temperature and voltage readings of the processor, the cloud user is capable to uncover undervolted instances. By crashing instances simultaneously using the detection method, the cloud user is covered by the service licence agreement and exposes the scrooge cloud provider.
Generative Artificial Intelligence: How generative AI works.pdf
Scrooge Attack: Undervolting ARM Processors for Profit
1. 40th International Symposium on Reliable Distributed Systems 2021
Chicago, USA
Scrooge Attack:
Undervolting ARM Processors for Profit
Christian Göttel∗, Konstantinos Parasyris†, Osman Unsal‡, Pascal Felber∗,
Marcelo Pasin∗, Valerio Schiavoni∗
∗University of Neuchâtel, Complex Systems, Switzerland
†Lawrence Livermore National Laboratory, USA
‡Barcelona Supercomputing Center, Spain
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 1 / 15
2. Introduction
Expanding cloud market share of ARM-based instances
Before the Neoverse architecture, custom-developed or application-grade
microarchitectures were used for sever-grade platforms
Examples: Ampere eMAG, AWS Graviton, Marvell ThunderX
Conservative voltage margin due to process variation
Power management mechnanisms
Undervolted cloud infrastructure for profit
Danger
Low Voltage
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 2 / 15
3. Introduction
Undervolting:
Decreasing CPU voltage below nominal value
Conserving power
Reducing core aging
Maintining computational performance
Weakening reliability
Introducing errors due to timing violations
0 50 100 150 200 250
0.85
0.9
0.95
1
1.05
Throughput [Mop/s]
ETR
(normalized)
3B 3B+ 4B
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 3 / 15
4. Introduction
Consequences of undervotling for cloud user and cloud provider
Exploitable by malicious cloud user (out of scope)
Plundervolt [Murdock et al. S&P’20]
V0ltpwn [Kenjar et al. USENIX Security’20]
Detection method: crashing instances such that the user is covered by SLA
Heat dissipation adjusted by processor load and operating points
Temperature has always been a major issue
Non-selective fault injection method
Research questions:
1. What is necessary for a malicious cloud provider in order to pull off a stealthy
undervolting strategy?
2. Does a cloud user have the ability to uncover such an undervolting strategy?
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 4 / 15
5. Background
ARM in Data Centers
3
B
3
B
+
4
B
B
r
o
a
d
w
e
l
l
K
a
b
y
L
a
k
e
E
P
Y
C
H
a
r
p
e
r
t
o
w
n
0
0.1
0.2
Energy
[J/op]
CPU-bound
3
B
3
B
+
4
B
B
r
o
a
d
w
e
l
l
K
a
b
y
L
a
k
e
E
P
Y
C
H
a
r
p
e
r
t
o
w
n
1
2
Energy
[J/op]
Memory-bound
0
Low power processor design using ARM instances
Energy efficiency is comparable across architectures for CPU-bound benchmarks
26 % (4B) up to 122 % (3B+) less energy efficient than AMD EPYC
60 % (4B) more and 7 % (3B+) less energy efficient than Intel Kaby Lake
Memory-bound benchmarks are less energy efficient due to LPDDR performance
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 5 / 15
6. Background
Power management
Frequency scaling
(Dynamic) frequency regulation (overlocking, underclocking)
Conserving power and reducing heat dissipation
Voltage scaling
Open loop system (regulated by external setting)
Influences charging & discharging rate of capacitances (frequency)
Dynamic Voltage and Frequency Scaling (DVFS)
Simultaneous software-controlled voltage and frequency regulation
Operating performance points (frequency and voltage pairs)
Adaptive Voltage Scaling (AVS)
Closed loop system (regulated by feedback loop of sensor data)
Accounts for process variation and aging
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 6 / 15
7. Background
Raspberry Pi
Raspberry Pi 3B v1.2
Level Voltage
+25 mV
-25 mV
0
1
-1
2
-2
1.280 V
1.305 V
1.330 V
1.230 V
1.255 V
...
...
Component Raspberry Pi
Arm Cortex-A Processor
SoC
Broadcom®
VideoCore GPU
Memory 1 GiB and 4 GiB LPDDR
Disk microSD
Ethernet 10 Mbit/s to 1000 Mbit/s
Voltage adjustable in 25 mV steps
4B has no undervolting support
Mimicking server-grade ARM instance
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 7 / 15
8. Threat Model
shutdown deployed firmware request
reboot voltage reading
boot
deploy ❶ ❷ ❶ ❹ ❺
❸
❻
❷
¶ Exchange undervolted with nominal configuration
· Exchange back nominal with undervolted configuration
¸ Intercept voltage reading requests
¹ Forward voltage reading request
º Return voltage reading request
» Substitute undervolted voltage value by some nominal value
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 8 / 15
9. Evaluation
Setup
Raspberry Pi 3B, 3B+, 4B
Alciom PowerSpy2
Network-enabled power strip
UART-to-USB cable
Bluetooth dongle
Auxiliary machine
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 9 / 15
10. Evaluation
Temperature-based Guardband Analysis
30 40 50 60 70 80
1.20
1.25
1.30
Temperature [°C]
Voltage
[V]
safe critical failure nominal
Raspberry Pi 3B
30 40 50 60 70
1.20
1.30
Temperature [°C]
Voltage
[V]
safe critical failure nominal
Raspberry Pi 3B+
30 40 50 60 70 80
0.82
0.84
0.86
Temperature [°C]
Voltage
[V]
safe nominal undervolted
Raspberry Pi 4B
Measurement procedure
Start at nominal voltage and run benchmark
If successful, lower voltage configuration, restart, run benchmark again
Otherwise, reset to nominal voltage, increase temperature and repeat
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 10 / 15
11. Evaluation
Benchmark
Heat map indicating the relative energy efficiency for an undervolted setup compared to a
nominal setup
C
o
o
l
i
n
g
M
o
d
e
l
U
n
d
e
r
v
o
l
t
a
t
o
m
i
c
b
s
e
a
r
c
h
c
l
o
c
k
f
o
r
k
h
s
e
a
r
c
h
i
c
a
c
h
e
k
i
l
l
m
e
r
g
e
s
o
r
t
m
s
g
p
i
p
e
p
o
l
l
t
i
m
e
r
t
s
e
a
r
c
h
u
r
a
n
d
o
m
v
m
-
r
w
w
c
s
active
3B −75 mV 0.95 0.96 0.95 0.92 0.95 0.95 0.93 0.94 0.91 0.96 0.95 0.94 0.99 0.95 0.96 0.94
3B+ −75 mV 0.94 0.93 0.93 0.87 0.95 0.94 0.96 0.94 0.95 0.92 0.95 0.94 0.95 0.95 0.97 0.94
4B −15 mV 0.99 1.02 0.99 1.02 1.00 0.98 1.04 1.00 0.97 0.70 0.98 0.97 0.91 0.98 1.00 0.99
passive
3B −75 mV 0.95 0.92 0.93 0.91 0.94 0.94 0.94 0.93 0.92 1.03 0.93 0.92 0.96 0.94 0.96 0.93
3B+ −75 mV 0.95 0.96 0.95 0.98 0.95 0.95 0.95 0.95 0.95 0.96 0.94 0.95 0.97 0.96 0.97 0.95
4B −15 mV 0.97 1.02 0.99 1.01 0.99 1.03 1.00 1.00 1.03 1.01 1.00 1.00 0.91 0.99 0.97 0.99
Benchmark of choice: stress-ng (16 out of 169 shown)
The darker the shade, the more energy-efficient the stressor
None of the stressors crashed an undervolted instance
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 11 / 15
12. Evaluation
Failure Rate
30 40 50 60 70 80
0
0.2
0.4
0.6
0.8
1
Temperature [◦
C]
Failure
rate
3B 0mV 3B -75mV 3B -100mV
3B+ 0mV 3B+ -75mV 3B+ -100mV
Analysis of 265 failed out of 741 multiplication benchmarks
No incorrect benchmark results: multiplication not on timing-critical path
Highest crash probability at 60 °C (40 % 3B+, 90 % 3B)
Crash temperature decreases with undervolting
Process failure injection: 34 % user, 15 % kernel, 51 % unknown
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 12 / 15
13. Evaluation
Detection Method
Raspberry Pi 3B Raspberry Pi 3B+
Bare metal
[0; 200) [200; 400) [400; 600) [600; 800)
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
[0; 500) [500; 1,000) [1,000; 1,500)
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
Container
[0; 200) [200; 400) [400; 600) [600; 800)
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
[0; 0.5) [0.5; 1) [1; 1.5) [1.5; 2)
·103
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
Bare-metal: 175 s and 145 s (62 °C, 3B vs 3B+)
Container: 30 s and 250 s
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 13 / 15
14. Conclusion & Future Work
Conclusion:
Novel attack scenario based on undervolting by a scrooge cloud provider
Undervolting can save on average 5 % and up to 37 % energy
Aggressive undervolting is susceptible to thermal running
Active cooling can mitigate to some extend thermal running
Benchmarks are not the correct approach to guardband analysis
Future:
Apply Scrooge Attack on ARM server architecture
Include virtual machines in the evaluation
Develop a detection method that simultaneously crashes instances
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 14 / 15
15. Thank you
Thank you for your attention!
The Scrooge Attack data set is publicly available under
https://github.com/ChrisG55/Scrooge-Attack
The views and opinions of the authors do not necessarily reflect those of the U.S. government or
Lawrence Livermore National Security, LLC neither of whom nor any of their employees make any
endorsements, express or implied warranties or representations or assume any legal liability or
responsibility for the accuracy, completeness, or usefulness of the information contained herein. This
work was partially prepared by LLNL under Contract DE-AC52-07NA27344 (LLNL-CONF-817551) and by
the European Union’s Horizon 2020 research and innovation programme under the LEGaTO Project
(legato-project.eu), grant agreement No 780681.
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 15 / 15