Open-source release of "Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS" (ASPLOS'24). This repo contains the source code of a Google Cloud Run service that we used for fingerprinting and a library for interacting with the service.
You can clone the repo by running:
git clone https://github.com/zzrcxb/EAAO.git
Our scripts require Python >= 3.9
and Python libraries that are listed in requirements.txt
.
You can install those libraries by executing
pip3 install -r requirements.txt --user
Please refer to this Google Cloud documentation on installing Google Cloud CLI. I recommend the Docker option.
finp_service/
directory contains the source code of a Google Cloud Run service
that helps fingerprinting a Google Cloud physical host.
To deploy the service using Google Cloud CLI, you can execute a command similar to:
gcloud run deploy <Service name> \
--region=<GCR region> --source=<Path to service directory> \
--memory=<Memory requirement in MiB>Mi --cpu=<CPU requirement> \
--max-instances=1000 --concurrency=1 --timeout=3600 \
--session-affinity --allow-unauthenticated
Please refer to Google Cloud's documentation on the command and documentation about deploying GCR services in general.
Please note that our experiment script requires setting concurrency=1
so that
each WebSocket connection corresponds to exactly one container.
It is also required to enable unauthenticated accesses --allow-unauthenticated
.
The default service configuration that we used is:
--memory=512Mi --cpu=1 --max-instances=1000 --concurrency=1 \
--timeout=3600 --session-affinity --allow-unauthenticated
To learn more about deploying a service to Google Cloud Run via CLI, you can execute:
gcloud run deploy --help
After the deployment, you will get an URL to invoke the service. Please save the URL.
toolkit/
directory contains Python helper code that helps interact with the
fingerprinting service.
These interactions include launching and connecting to individual container instances,
fingerprinting the physical host, running the rdseed
covert channel to verify co-location,
and executing arbitrary command in the container instance.
For example, validate.ipynb
provides an example that uses the toolkit
to launch containers and verify co-location
(please follow the comment in the first block of the Jupyter notebook and put your service URL).
Figure 6 in the paper requires a minor correction. Please refer to here for more details. This correction does not change fingerprint results nor co-location results.