NeoChainDaily
15.01.2026 • 05:25 Cybersecurity & Exploits

Researchers Reveal Scheduler Weaknesses Allowing Co‑location Attacks in Serverless Cloud Platforms

Researchers have demonstrated that serverless cloud schedulers can be manipulated to place attacker and victim instances on the same physical hardware, creating opportunities for micro‑architectural side‑channel attacks. The findings, detailed in an arXiv preprint (ID 2512.10361), describe a systematic methodology for exposing exploitable scheduling features and introduce a defensive mechanism called the Double‑Dip scheduler.

Background

Serverless computing abstracts away infrastructure management, allowing developers to focus on code while the cloud provider handles resource allocation. However, this abstraction can conceal the underlying placement decisions made by cloud schedulers, which, if predictable, may enable attackers to achieve co‑location with target workloads.

Methodology

According to the arXiv paper, the authors crafted a comprehensive approach that probes scheduling algorithms through standard user interfaces. By analyzing response times, resource availability signals, and deployment patterns, they identified indicators that reveal how the scheduler assigns instances.

Experimental Findings

In controlled experiments, the team successfully induced co‑location on widely used open‑source serverless frameworks as well as on Microsoft Azure Functions. The results confirm that the identified scheduler characteristics can be exploited to place malicious instances alongside victim workloads, thereby facilitating side‑channel leakage.

Proposed Mitigation

The authors propose the Double‑Dip scheduler, a strategy that randomizes placement decisions and introduces additional isolation checks to disrupt predictable co‑location. Preliminary evaluations suggest that the mitigation reduces the success rate of targeted placement without imposing significant performance overhead.

Implications for Cloud Providers

These findings underscore the need for cloud operators to reassess scheduling policies and incorporate stronger randomness or isolation mechanisms. Failure to address the vulnerabilities could expose multi‑tenant environments to sophisticated side‑channel threats.

Next Steps

The study recommends broader testing across diverse serverless platforms and collaboration with cloud vendors to refine mitigation techniques. Ongoing research may explore integration of the Double‑Dip approach into production schedulers and assess its impact on large‑scale workloads.

This report is based on the abstract of the research paper, published on arXiv and licensed under Academic Preprint / Open Access. The full text is available via arXiv.
