Contents I. Introduction
Cloud providers continuosly upgrade their commercial offerings to adapt to market and customer needs. While the vast majority of them offer computing instances based on x86 processors, the availability of ARM-based cloud instances is quickly expanding. ARM processors are increasing their market share of server-grade machines [1]–[8], thanks to additional energy and performance improvements. Before ARM announced its Neoverse [9] microarchitecture, there were no server-grade ARM processors to license. Companies had to customize application-grade ARM processor designs for their server-grade platforms [5], [7]. Recent ARM server-grade processors [1], [3], [7], [8] are based on custom-developed ARMv8 microarchitectures. For example, Amazon [5] deploys ARM-based processors currently shipped in off-the-shelf ARM hardware. Their AWS Graviton processor is essentially a more powerful quad-Raspberry Pi 4B [10]. Scaleway offered instances based on custom-made ARM SoCs with servers smaller than a business card [11]. Table I summarizes a subset of available server-grade ARM processors, supported instruction set architectures (ISA), and providers deploying this hardware. Several generations of ARM processors [1], [2], [5]–[7] are currently available across cloud providers. ARM processors also started reaching into the supercomputing market segment. We expect an increasing availability of ARM Neoverse processors and future server-grade ARM instances to close the performance gap to x86. On the one hand processor manufacturers specify conservative voltage margins due to process variation [12]. On the other hand processors offer different power management mechanisms to adjust frequencies and voltages. While marginal energy savings on a single device appear unimportant, it is of importance at scale, especially since power savings of the cloud infrastructure accumulate for each CPU. The energy footprint of a single execution step (i.e., one single instruction on a processor) is fairly independent of the CPU frequency but dependent on the CPU voltage [13]. Decreasing the CPU voltage below the nominal value to conserve power is called undervolting
Notice that Dynamic Voltage and Frequency Scaling (DVFS) differs from undervolting by decreasing frequency as well as voltage.
. Besides energy savings, undervolting directly influences core temperature and can also reduce core aging [14]. Undervolting, however, incurs the risk of introducing soft [15] and hard-errors related to timing violations [16]. These types of errors can be mitigated by carefully analyzing the guardband of processors [17]. In this practical experience report, we consider a scenario where processors supporting a cloud infrastructure are undervolted by an excessively economic and malicious cloud provider (a scrooge §III-A) to profit from additional electricity bill savings, while cloud users (from here on referred to as users) observe similar performance. Unfortunately, undervolting cannot be applied arbitrarily. In fact, it comes at the cost of processor reliability when the supplied voltage is insufficient to drive the processor's frequency. We believe this is a risk that malicious cloud providers are willing to take. For users, undervolting opens up a new attack vector against their cloud applications (see our threat model in §III). The main research questions we address in this work are:What is necessary for a malicious cloud provider in order to pull off a stealthy undervolting strategy?
Does a cloud user have the ability to uncover such an undervolting strategy?
List of server-grade and mimicking ARM processors with their supported ISA. ‘*’: Used in our evaluation (see §V).| Processor | ISA | Cloud provider |
|---|---|---|
| Ampere Altra | ARMv8.2+ | Equinix, Oracle |
| Ampere eMAG 8180 | ARMv8 | Equinix |
| AWS Graviton | ARMv8 | AWS |
| AWS Graviton 2 | ARMv8.2 | AWS |
| Fujitsu A64FX | ARMv8.2 | ‐ |
| Huawei Kunpeng 920 | ARMv8.2 | ‐ |
| Marvell ThunderX | ARMv8 | Equinix |
| Marvell ThunderX2 | ARMv8.1 | Microsoft Azure |
| NVIDIA Grace | TBA | ‐ |
| Broadcom BCM2837(B0)* | ARMv8 | ‐ |
| Broadcom BCM2711* | ARMv8 | ‐ |
