
Covert and Side Channel Attacks and Defenses, Mengjia Yan, Fall 2020



  1. Covert and Side Channel Attacks and Defenses
     Mengjia Yan, Fall 2020
     Based on slides from Christopher W. Fletcher

  2. Reminder
     • Lab assignment will be released 09/21 Monday
     • Recommended reading: "Cache missing for fun and profit." (2005)
     • Check out the presentation schedule on the course website
       • 7 slots empty, volunteer or invited speaker or Mengjia/Miles
     6.888 L4-Covert and Side Channels 2

  3. Resources
     • Side channel tutorial website
       • https://sites.google.com/view/arch-sec/home
     • External resources
       • Mastik, a toolkit for uarch side channels: https://cs.adelaide.edu.au/~yval/Mastik/
       • Survey on microarchitectural timing attacks: https://eprint.iacr.org/2016/613.pdf
       • Survey on transient execution attacks: https://arxiv.org/abs/1811.05441

  4. What is Covert and Side Channel?
     Covert channel:
     • Intended communication between two or more security parties
     Side channel:
     • Unintended communication between two or more security parties
     In both cases:
     • Communication should not be possible, following system semantics
     • The communication medium is not designed to be a communication channel
     Covert channel can show "best case" leakage

  5. Scope
     CIA: Confidentiality, Integrity, Availability
     • Confidentiality: was data being computed upon not revealed to an un-permitted party?
     • Integrity: was the computation performed correctly, returning the correct result?
     • Availability: did the computational resource carry out the task at all?
     [Figure labels: Confidentiality/Privacy; Side/covert channels; Microarchitectural channels]

  6. Side Channels Are Almost Everywhere

  7. Daily Life Examples
     • Acoustic side channels
       • Monitor keystrokes
       • You only need: a cheap microphone + an ML model
     • Network traffic contention side channel
       • If you want to be an active attacker, try stress test

  8. "Hear" The Screen
     [Figure: sound spectrogram; axes: frequency, time]
     Genkin et al. Synesthesia: Detecting Screen Content via Remote Acoustic Side Channels. S&P'19

  9. "Hear" The Screen
     [Figure caption: (A) is the LCD panel, (B) is the screen's digital logic and image rendering board, and (C) is the screen's power supply board.]

  10. Network Side Channels
      • Website Fingerprinting
      • Response dependent:
        • iSideWith.com
      • Real-time feedback:
        • Google Search auto-complete
      Lescisin et al. Tools for Active and Passive Network Side-Channel Detection for Web Applications. WOOT'18
      Cai et al. Touching from a distance: Website fingerprinting attacks and defenses. CCS'12

  11. Physical vs. Timing vs. uArch Channel
      • What can the adversary observe?
      • Timing channels: response time of the victim. Attacker may be remote (e.g., over an internet connection).
      • Microarchitectural channels: microarch events (e.g., timing, perf. counters, etc.). Attacker may be remote, or be co-located.
      • Physical channels: power, EM, sound, etc. Attacker requires measurement equipment → physical access.

  12. Power Analysis
      [Figure from https://en.wikipedia.org/wiki/Power_analysis]

  13. Victim Application: RSA
      • Square-and-multiply based exponentiation
      Input: base b, modulo m, exponent e = (e_{n−1} ... e_0)_2
      Output: b^e mod m
        r = 1
        for i = n−1 down to 0 do
          r = sqr(r)
          r = mod(r, m)
          if e_i == 1 then
            r = mul(r, b)
            r = mod(r, m)
          end
        end
        return r

  14. Power Analysis
      • Various signal processing techniques to de-noise.
      • More advanced: differential power analysis (DPA)
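Why the square-and-multiply loop on slide 13 is a power-analysis target, as an added example that is not from the slides: an operation log stands in for the power trace, and a Montgomery ladder (a standard countermeasure, not covered on these slides) shows the same result with a key-independent operation sequence. The function names, the trace model and the toy values (b = 4, e = 13, m = 497) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a power trace: 'S' = square, 'M' = multiply. */
static char trace[130]; static size_t tlen;
/* Toy arithmetic: assumes b < m < 2^32 so every product fits in 64 bits. */
static uint64_t sqr(uint64_t r, uint64_t m) { trace[tlen++] = 'S'; return r * r % m; }
static uint64_t mul(uint64_t a, uint64_t b, uint64_t m) { trace[tlen++] = 'M'; return a * b % m; }
const char *last_trace(void) { trace[tlen] = '\0'; return trace; }

/* The slide's algorithm: the multiply runs only when e_i == 1. */
uint64_t modexp_sqmul(uint64_t b, uint64_t e, uint64_t m, int n) {
    uint64_t r = 1; tlen = 0;
    for (int i = n - 1; i >= 0; i--) {
        r = sqr(r, m);
        if ((e >> i) & 1) r = mul(r, b, m);
    }
    return r;
}

/* Montgomery ladder (added here, not on the slides): one M and one S per bit,
   with a masked swap instead of a branch on the exponent bit. */
uint64_t modexp_ladder(uint64_t b, uint64_t e, uint64_t m, int n) {
    uint64_t r0 = 1 % m, r1 = b % m; tlen = 0;
    for (int i = n - 1; i >= 0; i--) {
        uint64_t mask = -((e >> i) & 1), t = mask & (r0 ^ r1);
        r0 ^= t; r1 ^= t;                        /* swap when e_i == 1 */
        r1 = mul(r0, r1, m);
        r0 = sqr(r0, m);
        t = mask & (r0 ^ r1); r0 ^= t; r1 ^= t;  /* swap back */
    }
    return r0;
}

/* What the operation sequence gives away: "SM" reads as bit 1, a lone "S" as bit 0. */
uint64_t bits_from_trace(const char *t) {
    uint64_t e = 0;
    for (size_t i = 0; t[i]; i++)
        if (t[i] == 'S') e = (e << 1) | (t[i + 1] == 'M');
    return e;
}

int main(void) {
    unsigned long long a = modexp_sqmul(4, 13, 497, 4), bits = bits_from_trace(last_trace());
    printf("sqmul  r=%llu trace=%s bits=%llu\n", a, last_trace(), bits);
    a = modexp_ladder(4, 13, 497, 4);
    printf("ladder r=%llu trace=%s\n", a, last_trace());
}
```

The model captures only the order of operations; the `%` operator and the operands themselves are not constant-time or constant-power, so this is an illustration of the operation-sequence leak, not a hardened implementation.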

  15. Benign Usage: Non-intrusive Software Monitoring
      • How to efficiently monitor an application for anomaly detection?
      Sehatbakhsh et al. Spectral Profiling: Observer-Effect-Free Profiling by Monitoring EM Emanations. MICRO'16

  16. What can you do with these channels?
      • Violate privilege boundaries
        • Inter-process communication
        • Infer an application's secret
      • (Semi-Invasive) application profiling
      Different from traditional software or physical attacks:
      • Stealthy. Sophisticated mechanisms needed to detect channel
      • Usually no permanent indication one has been exploited

  17. uArch Side Channels

  18. Recap: Process Isolation
      [Figure: Process 1 and Process 2 each have a virtual address space (programmer's view) in 4KB pages; a page table per process maps VA to PA in the physical address space (limited by DRAM size)]
      How to communicate across processes?

  19. Normal Cross-process Communication
        #include <socket.h>
        void send(bit msg) {
          socket.send(msg);
        }
        bit recv() {
          return socket.recv(msg);
        }
      How to communicate without letting the OS know? --> Use HW contention

  20. Covert Channels 101: Through the Page Fault
      [Figure: Process 1 (Sender) and Process 2 (Receiver) share DRAM (limited size) in 4KB pages]
      Sender:
        if (send '1')
          access many pages
        else
          idle
      Receiver:
        t1 = rdtsc()
        access many pages
        t2 = rdtsc()
        if (t2 - t1 > THRESH)
          read '1'
        else
          read '0'

  21. Another Example of Using Caches
      [Figure: Process 1 (Sender) and Process 2 (Receiver) share a cache of # sets × # ways]
      Sender:
        if (send '1')
          fill up the cache
        else
          idle
      Receiver:
        t1 = rdtsc()
        fill up the cache
        t2 = rdtsc()
        if (t2 - t1 > THRESH)
          read '1'
        else
          read '0'

  22. Faster Communication
      [Figure: Process 1 (Sender) and Process 2 (Receiver) share a cache of # sets × # ways]
      Sender:
        if (send '1')
          fill set i
        else
          idle
      Receiver:
        t1 = rdtsc()
        fill set i
        t2 = rdtsc()
        if (t2 - t1 > THRESH)
          read '1'
        else
          read '0'

  23. Generalizes to Channels Beyond Caches
      [Figure: Sender and Receiver share a hardware resource]
      Sender:
        if (send '1')
          use resource
        else
          idle
      Receiver:
        t1 = rdtsc()
        use resource
        t2 = rdtsc()
        if (t2 - t1 > THRESH)
          read '1'
        else
          read '0'

  24. HW Resource Contention
      [Figure: two processor chips (sockets), each with several cores, per-core L1/L2 and an LLC, connected by a (logical) system bus to memory (DRAM), a non-volatile storage device and other I/O devices]

  25. The Memory Hierarchy
      • L1, L2
        • Shared by threads on the same core
      • LLC:
        • Shared by threads on different cores
      • Directory:
        • Shared by threads on different sockets
      • DRAM row buffer:
        • Shared by …..
      Cache is a popular attack target. Why?
      [Figure: two processor chips (sockets), each with cores, per-core L1/L2 and an LLC, above memory (DRAM)]

  26. Protocol 101: Prime+Probe in the Cache
      [Figure: Sender and Receiver above a shared cache; one cache set with # ways highlighted]

  27. Prime+Probe
      [Figure: cache set (# ways) in the shared cache; legend: sender line, receiver line. Timeline: Receiver: Prime]

  28. Prime+Probe – Send "1"
      [Figure: cache set (# ways) in the shared cache; legend: sender line, receiver line. Timeline: Receiver: Prime, Wait; Sender: Access]

  29. Prime+Probe – Receive "1"
      [Figure: cache set (# ways) in the shared cache; legend: sender line, receiver line. Timeline: Receiver: Prime, Wait, Probe; Sender: Access]
      Receive "1" = 16 accesses → 1 miss

  30. Prime+Probe – Send "0"
      [Figure: cache set (# ways) in the shared cache; legend: sender line, receiver line. Timeline: Receiver: Prime, Wait; Sender: NO Access]

  31. Prime+Probe – Receive "0"
      [Figure: cache set (# ways) in the shared cache; legend: sender line, receiver line. Timeline: Receiver: Prime, Wait, Probe; Sender: NO Access]
      Receive "0" = 16 accesses → 0 miss

  32. A Complete Protocol -- Synchronization
      [Figure: timeline of sample windows (sample window length marked); in each window the Receiver runs Prime, Wait, Probe while the Sender transmits]
      • Window size agreed on by sender and receiver
      • Each window transmits some bits
      • Sender & receiver need to perform a window alignment at the start
      Question: how to distinguish between noise and actual transmission?
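The Prime, Wait, Probe windows of slides 26 to 32 on a software model of one 16-way cache set, as an added example that is not from the slides. It assumes LRU replacement, perfectly aligned windows and no noise; the tag values and function names are constructed for the illustration, and nothing here touches real hardware.

```c
#include <stdint.h>
#include <stdio.h>

#define WAYS 16
/* Model of one 16-way set with LRU replacement (an assumption; real LLC policies
   differ). tag[0] is the LRU slot, tag[WAYS-1] the MRU slot. */
static int tag[WAYS];

/* Access a line; returns 1 on a miss. The line becomes MRU either way. */
static int access_line(int t) {
    int pos = 0, miss = 1;
    for (int i = 0; i < WAYS; i++) if (tag[i] == t) { pos = i; miss = 0; }
    for (int i = pos; i < WAYS - 1; i++) tag[i] = tag[i + 1];  /* drop hit line or LRU victim */
    tag[WAYS - 1] = t;
    return miss;
}

enum { SENDER_LINE = 100 };  /* constructed tag; receiver lines are 0..15 */

/* Prime overwrites the whole set, so the starting contents do not matter. */
static void prime(void) { for (int i = 0; i < WAYS; i++) access_line(i); }

/* The model probes in reverse prime order: under LRU, probing in prime order
   would evict the next line to be probed and turn one eviction into 16 misses. */
static int probe(void) {
    int misses = 0;
    for (int i = WAYS - 1; i >= 0; i--) misses += access_line(i);
    return misses;
}

/* One sample window: Prime, Wait (sender accesses its line or idles), Probe. */
int window_misses(int bit) {
    prime();
    if (bit) access_line(SENDER_LINE);
    return probe();
}

/* One bit per window, MSB first; the receiver reads '1' iff the probe missed. */
uint8_t transfer_byte(uint8_t msg) {
    uint8_t got = 0;
    for (int i = 7; i >= 0; i--)
        got = (uint8_t)(got << 1 | (window_misses((msg >> i) & 1) > 0));
    return got;
}

int main(void) {
    printf("send 1: %d miss(es)\n", window_misses(1));
    printf("send 0: %d miss(es)\n", window_misses(0));
    printf("byte 0xA5 -> 0x%02X\n", transfer_byte(0xA5));
}
```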

  33. Bandwidth
      Error-free bitrate of send() → recv()
      [Figure: send(msg) → Channel → recv()]
      Depends on what hardware structure is used to build the channel.
      • RDRAND unit: 7-200 Kbps [EP'16]
      • Ld/st performance counters: ~75-150 Kbps [HKRVDT'15]
      • MemBus/AES-NI contention: ~550-650 Kbps [HKRVDT'15]
      • LLC: 1.2 Mbps [MNHF'15]
      • Various structures on GPGPU: up to 4 Mbps [NKG'17]

  34. From Covert → Side Channels
      [Figure: Victim and Attacker share a hardware resource]
      Victim, covert channel:
        if (send '1')
          use resource
        else
          idle
      Victim, side channel:
        if (secret)
          use resource
        else
          idle
      Attacker:
        t1 = rdtsc()
        use resource
        t2 = rdtsc()
        if (t2 - t1 > THRESH)
          read '1'
        else
          read '0'

  35. uArch Side Channels
      [Figure: taxonomy of micro-architecture side channels. Labels: Spectre/Meltdown; Non-transient + Any structure; Transient + Cache; e.g., Foreshadow; Transient + Any structure; e.g., RamBleed, RIDDLE]
