predictive mitigation of timing channels in interactive
play

Predictive Mitigation of Timing Channels in Interactive Systems - PowerPoint PPT Presentation

Dec 02, 2023 •270 likes •664 views

Predictive Mitigation of Timing Channels in Interactive Systems Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell University CCS 2011 Timing Channels Hard to detect and prevent 10/20/2011 2 Timing Channels: Examples Cryptographic

  1. Predictive Mitigation of Timing Channels in Interactive Systems Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell University CCS 2011

  2. Timing Channels Hard to detect and prevent 10/20/2011 2

  3. Timing Channels: Examples • Cryptographic timing attacks [Kocher 96, Brumley&Boneh 05, Osvik et. al. 06] – RSA, AES keys are leaked by decryption time • Cross-site timing attacks [Bortz&Boneh 07] – Load time of a web-page reveals login status, as well as the size and contents of shopping cart • Use as covert channels [Meer&Slaviero 07] – Transmit confidential data by controlling response time, e.g., combined with SQL injection • Timing channels are big threats to security! 10/20/2011 3

  4. Timing Channel Mitigation • Limitations of known approaches – Delay to the worst-case execution time – bad performance – Add random delays – linear leakage – Input blinding – specialized to cryptography • Our solution: – Asymptotically logarithmic leakage – Effective in practice – Applies to general computation 10/20/2011 4

  5. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 5

  6. Background: Predictive Black-Box Mitigation of Timing Channels (CCS’10) source delayed events events buffer system mitigator Issue events according to schedules Strong attacker model : timing of source events may be controlled 10/20/2011 6

  7. Example: Doubling When mitigator expects to deliver events predictions time S(2) S(4) S(6) S(8) S(10) S(12) S(14) Mitigator starts with a fixed schedule S S(i) – prediction for i -th event 10/20/2011 7

  8. Example: Doubling misprediction events X time S(2) S(4) S(6) S(8) S(10) S(12) S(14) When event comes before or at the little information leaked prediction – delay the event 10/20/2011 8

  9. Example: Doubling new schedule events X time S(2) S 2 (3) S 2 (4) S 2 (5) S 2 (6) S 2 (7) S 2 (8) Adversary observes mispredictions information leaked! New fixed schedule S 2 penalizes the event source 10/20/2011 9

  10. Example: Doubling Epoch : period of time during which mitigator meets all predictions X time S(2) S 2 (3) S 2 (4) S 2 (5) S 2 (6) S 2 (7) S 2 (8) epoch 1 epoch 2 Little information leaked in each epoch 10/20/2011 10

  11. Leakage & Variations Variations observable by the attacker • Leakage measurement (log of # timing variations) – Also bounds • mutual information (Shannon entropy) • min-entropy 10/20/2011 11

  12. Important Features • Information leaks via mispredictions ! • General class of timing mitigators – Doubling scheme 2 T (log ) Leakage ≤ O bits – Adaptive transitions – ... 10/20/2011 12

  13. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 13

  14. Insight: Use Public Information • Previous black-box model safe – No misprediction: events delivered according to schedule – Misprediction: entire schedule is statically determined (difficult for interactive systems) Mitigator No misprediction ? source events delayed events Yes Schedule Generator current schedule 10/20/2011 14

  15. Insight: Use Public Information • Previous black-box model – Schedule is dynamically calculated by prediction algorithm – No misprediction: schedule is deterministic given public info. – Misprediction: select a new prediction algorithm safe Mitigator No misprediction ? source events delayed events Yes Algorithm any public current prediction Generator algorithm information 10/20/2011 15

  16. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 16

  17. Public Information • Public information in interactive systems – Request types : public payloads in requests, such as URLs • www.example.com/index.html vs. www.example.com/background.gif – Public information in system : such as input times – Concurrency model source delayed inputs events events secrets buffer stem system mitigator non-secrets 10/20/2011 17

  18. Prediction with Public Information prediction algorithm Epoch # • Prediction for request type r : p (N, r) • Schedule (output time) for i th event in the N th epoch – Single thread Start time Handling time – Multiple, concurrent threads • Calculated in similar ways Schedules are computed dynamically within each epoch using only public information 10/20/2011 18

  19. Information Leakage • Information still leaks via mispredictions ! • Formal result # of epochs # of messages   Leakage ≤ bits N log( M 1 ) 10/20/2011 19

  20. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 20

  21. Penalty Policy ̶ What misprediction X Type 1 time S(2) S(4) S(6) S(8) S(10) S(12) S(14) Type 2 time S(2) S(4) S(6) S(8) S(10) S(12) S(14) Penalty policy – Which type should be penalized? – How much it should be penalized? 10/20/2011 21

  22. Penalty Policy ̶ Why # of epochs # of messages   Leakage ≤ bits N log( M 1 ) • Concurrency & request types also bring new threats • Request types are penalized separately (local penalty policy) – Attacker controls the timing of R request types • N is proportional to R • Penalize all request types (global penalty policy) – Performance is bad 10/20/2011 22

  23. Grace Period Penalty Policy • Better trade off? – Information leaks via mispredictions ! – “Well - behaved” types • Few mispredictions, leak little information • Share little penalty from other types • l -level grace period policy – type i is penalized by other types only when it triggers more than l mispredictions 10/20/2011 23

  24. Leakage Analysis • Difficult for general penalty policies – Influences between request types – Different predictions – Need to consider all possible input sequences • Principled way of bounding total leakage – Transform into optimization problem with R constraints (formal proof & details provided in paper) # request types 10/20/2011 24

  25. Leakage Analysis Leakage running time # of messages  – Global: O (log T log M ) # request types   – Local: ( log log ) O R T M  – Grace period: O (log T log M ) • Better trade-off 10/20/2011 25

  26. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 26

  27. Composition of Mitigators • Security guarantee on an interactive system that is – composed of mitigated subsystems • Decompose complicated systems into 2 gadgets – Sequential – Parallel 10/20/2011 27

  28. Sequential Case ? 10 bits O 1 O 2 RSA S M 1 S 2 M 2 Theoretical results – Leakage in O 2 ≤ Leakage in O 1 – Valid for • mutual information • min-entropy 10/20/2011 28

  29. Parallel Case 10 bits O 1 ? M1 S RSA M2 20 bits O 2 Theoretical result – Leakage in O 1 and O 2 ≤ Leakage in O 1 + Leakage in O 2 10/20/2011 29

  30. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 30

  31. Evaluation Real-world web applications (with HTTP(S) proxy) M Local network Real-world applications Proxy Client 10/20/2011 31

  32. Mitigating Proxy 10/20/2011 32

  33. Evaluation Measurements – Performance : round-trip latency from the client side – Security : leakage bounds in bits 10/20/2011 33

  34. Experiments with Web Applications Parameters – 5-level grace period policy – Doubling scheme – Various request types • TYPE/HOST • HOST+URLTYPE • TYPE/URL 10/20/2011 34

  35. Experiments with Web Applications Mitigating department homepage via HTTP ( 49 different requests) – Predictive mitigation gains good balance ( HOST+URLTYPE ) • About 30% latency overhead • At most 850bits for 100,000 inputs 30% Performance Security 10/20/2011 35

  36. Experiments with Web Applications Mitigating department webmail server via HTTPS – Secure-sensitive (URL is encrypted) – At most 300 bits for 100,000 inputs – At most 450 bits for 32M inputs (1 input/sec for one year) Less than 1 second Performance Security 10/20/2011 36

Recommend

Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell

Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell

Language-Based Control and Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell Harvard Cornell PLDI 2012 Timing Channels Hard to detect and prevent 2 Timing Channels: Examples

662 views • 30 slides
New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng Zhang, Aslan Askarov) Timing channels e adversary can learn (a lot) from timing measurements. Known to exist Hard to detect Hard to prevent

639 views • 40 slides
Timing of Consciousness 1. Eagleman: is perception predictive, online, or

Timing of Consciousness 1. Eagleman: is perception predictive, online, or

4/25/17 Diffusion model of a perceptual decision I.e. integrates the difference between evidence for and against Timing of Consciousness 1. Eagleman: is perception predictive, online, or postdictive 2. Libet: subjective

383 views • 5 slides
GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GAARDIAN GNSS AVAILABILITY ACCURACY RELIABILITY anD GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation A Technology Strategy Board funded collaboration Charles Curry, B.Eng, FIET MD

514 views • 25 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale University http://dedis.cs.yale.edu/ Ramakrishna Gummadi University of Massechusetts Amherst CCSW, October 8, 2010 Timing Attacks Cooperative attacks

471 views • 30 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek

Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek

Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek Samotyja 1 Kerstin Lemke-Rust 1 Christof Paar 2 1 Bonn-Rhein-Sieg University of Applied Sciences, Germany 2 Ruhr University Bochum, Germany December 4, 2014

197 views • 18 slides
Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet Austin, TX Lawrence Berkeley National Laboratory Sept, 13, 2016 Table of Contents Introduction Something Important Part 1: Multi-Notice

862 views • 52 slides
Integrating Predictive Models with Interactive Visualization Jian Zhao, Ph.D. , Assistant

Integrating Predictive Models with Interactive Visualization Jian Zhao, Ph.D. , Assistant

Integrating Predictive Models with Interactive Visualization Jian Zhao, Ph.D. , Assistant Professor Cheriton School of Computer Science University of Waterloo www.jeffjianzhao.com | jianzhao@uwaterloo.ca Short bio Researcher Assistant

972 views • 65 slides
Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang The Big Picture Marks Basic graphical elements in an image Channels Visual channels to control the

667 views • 43 slides
Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . .

Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . .

Predictive vs. . . . Remaining Problem: . . . Need for Formalization What Do We Mean by . . . Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . . Proof for Predictive Case from the Best Explanatory

900 views • 28 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Predictive Analytics for Capacity Planning HIC 2015 Andrae Gaeth What is predictive

Predictive Analytics for Capacity Planning HIC 2015 Andrae Gaeth What is predictive

Evaluating Predictive Analytics for Capacity Planning HIC 2015 Andrae Gaeth What is predictive analytics? Predictive analytics is the practice of extracting information from existing data sets, and then applying various techniques (eg,

452 views • 15 slides
Other Communication Channels Select channels of communication that will reach your audiences.

Other Communication Channels Select channels of communication that will reach your audiences.

Other Communication Channels Select channels of communication that will reach your audiences. During Preplanning Ask: Which channels are available? (Consider your schedule and resources.) Which channels will target audiences find

280 views • 12 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Hazard Mitigation Planning Katie Sommers State Hazard Mitigation Officer Roxanne Gray

Hazard Mitigation Planning Katie Sommers State Hazard Mitigation Officer Roxanne Gray

Hazard Mitigation Planning Katie Sommers State Hazard Mitigation Officer Roxanne Gray Mitigation Section Supervisor What is Mitigation? According to the Federal Emergency Management Agency (FEMA): Mitigation is any sustained action taken

905 views • 71 slides
Multiple Input and Output Channels Multiple Input and Output Channels Multiple Input Channels In

Multiple Input and Output Channels Multiple Input and Output Channels Multiple Input Channels In

2/23/2019 channels slides Multiple Input and Output Channels Multiple Input and Output Channels Multiple Input Channels In [1]: import d2l from mxnet import nd def corr2d_multi_in(X, K): # First, traverse along the 0th dimension (channel

457 views • 6 slides
Automating Predictive Analytics www.xpanseanalytics.com Agenda Predictive Analytics vs

Automating Predictive Analytics www.xpanseanalytics.com Agenda Predictive Analytics vs

Automating Predictive Analytics www.xpanseanalytics.com Agenda Predictive Analytics vs Classification The Problem 3 Case Studies The Solution Demo Time Q&A xpanse analytics - confidential materials Some real-life examples from the

318 views • 12 slides
Mitigation mitigation midSH()n/ noun the action of reducing the severity,

Mitigation mitigation midSH()n/ noun the action of reducing the severity,

Mitigation mitigation midSH()n/ noun the action of reducing the severity, seriousness, or painfulness of something. "the emphasis is on the identification and mitigation of pollution" Two Mitigation Issues

293 views • 27 slides
Liquidating Distributions IRC 754 Elections, Section 736(b) Payments, Character and Timing of

Liquidating Distributions IRC 754 Elections, Section 736(b) Payments, Character and Timing of

Presenting a live 90-minute webinar with interactive Q&A Structuring Redemptions of Partnership and LLC Interests: Navigating Issues Unique to Liquidating Distributions IRC 754 Elections, Section 736(b) Payments, Character and Timing of

656 views • 41 slides
Hazard Mitigation Assistance Hazard Mitigation Assistance Hazard Mitigation Assistance

Hazard Mitigation Assistance Hazard Mitigation Assistance Hazard Mitigation Assistance

Fort Bend County, TX Commissioners Court Workshop July 27, 2016 Hazard Mitigation Assistance Hazard Mitigation Assistance Hazard Mitigation Assistance Purpose To investigate and report findings to Commissioners Court regarding Federal

494 views • 23 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
FRAME STRUCTURE & TIMING ADVANCE IN IN GSM ECE 2526 MOBILE COMMUNICATION Monday, 20 May

FRAME STRUCTURE & TIMING ADVANCE IN IN GSM ECE 2526 MOBILE COMMUNICATION Monday, 20 May

FRAME STRUCTURE & TIMING ADVANCE IN IN GSM ECE 2526 MOBILE COMMUNICATION Monday, 20 May 2018 NUMBER OF CHANNELS IN GSM Freq. Carrier: 200 kHz TDMA: 8 time slots per freq carrier No. of carriers = 25 MHz / 200 kHz = 125

687 views • 20 slides

More recommend