🤖 AI Summary
This work uncovers a critical security vulnerability in the caching mechanism of Open vSwitch (OVS) that undermines tenant isolation and communication confidentiality in virtualized environments. By analyzing OVS’s internal cache hierarchy, the study introduces three novel remote side-channel attack primitives capable of establishing cross-VM covert channels, reconstructing packet header fields, and monitoring packet transmission rates. Leveraging cache behavior modeling, timing-based side-channel analysis, and remote probing techniques, the authors demonstrate the practical feasibility of these attacks in real-world virtual networks. This research provides the first concrete evidence that OVS’s cache design poses a tangible threat to security isolation and systematically evaluates the effectiveness of existing mitigation strategies.
📝 Abstract
Virtualization is widely adopted in cloud systems to manage resource sharing among users. A virtualized environment usually deploys a virtual switch within the host system to enable virtual machines to communicate with each other and with the physical network. Open vSwitch (OVS) is one of the most popular software-based virtual switches. It maintains a cache hierarchy to accelerate packet forwarding from the host to virtual machines. We characterize the caching system inside OVS from a security perspective and identify three attack primitives. Based on these primitives, we present three remote attacks via OVS that break the isolation in virtualized environments. First, we identify remote covert channels that use the different caches. Second, we present a novel header recovery attack that leaks a remote user's packet header fields, breaking the confidentiality guarantees the system provides. Third, we demonstrate a remote packet rate monitoring attack that recovers the packet rate of a remote victim. To defend against these attacks, we also discuss and evaluate mitigation solutions.