prevention of microarchitectural covert channels on an
play

Prevention of Microarchitectural Covert Channels on an Open-Source - PowerPoint PPT Presentation

Feb 06, 2023 •166 likes •750 views

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

  1. Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Gürkaynak Luca Benini Gernot Heiser

  2. Outline 1. Covert channels? 2. Measure 3. Mitigate 4. Costs 5. Conclusion Integrated Systems Laboratory 2

  3. Covert Channel security boundary File System Mail Client Supervisor (OS) Hardware Integrated Systems Laboratory 3

  4. Covert Channel security boundary File System Mail Client Supervisor (OS) Hardware Integrated Systems Laboratory 4

  5. Microarchitectural Timing Channel security boundary Application A Application B Trojan Spy Integrated Systems Laboratory 5

  6. Microarchitectural Timing Channel security boundary Application A Application B Trojan Spy Indirectly modify Measure execution depending on secret time Microarchitectural State Temporally shared HW Integrated Systems Laboratory 6

  7. Example: D$ Timing Channel D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 7

  8. Example: D$ Timing Channel – Prime D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 8

  9. Example: D$ Timing Channel – Prime D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 9

  10. Example: D$ Timing Channel – Context switch D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 10

  11. Example: D$ Timing Channel – Encode s D$ Application A Trojan Main memory s lines Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 11

  12. Example: D$ Timing Channel – Encode s D$ Application A Trojan Main memory s lines Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 12

  13. Example: D$ Timing Channel – Context Switch D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 13

  14. Example: D$ Timing Channel – Probe D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 14

  15. Example: D$ Timing Channel – Probe D$ Application A Trojan Main memory s lines Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 15

  16. Spatial Partitioning D$ Application A Trojan OS Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 16

  17. Spatial Partitioning D$ Application A Trojan OS Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 17

  18. Temporal Partitioning D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 18

  19. Temporal Partitioning OS : Flush D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 19

  20. Temporal Partitioning D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 20

  21. Temporal Partitioning OS : Flush D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 21

  22. Temporal Partitioning D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 22

  23. Temporal Partitioning OS : Flush D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 23

  24. Flush: SW Approach D$ Application A OS OS OS Trojan OS Main memory OS Application B OS OS OS Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 24

  25. Evaluation Platform • FPGA (Genesys 2) @50MHz • Add timer peripheral and 512KiB LLC [3] Hardware platform Ariane RV64GC core [4] • Write-through 32KiB L1D$ and 16KiB L1I$ • 16-entry DTLB, 16-entry BTB, 64-entry BHT Integrated Systems Laboratory 25

  26. Evaluation Platform Formally verified  Kernel by Data61 • • Focus on security Supervisor seL4 microkernel [5] • Port to Ariane • Enable cache colouring of LLC • FPGA (Genesys 2) @50MHz • Add timer peripheral and 512KiB LLC [3] Hardware platform Ariane RV64GC core [4] • Write-through 32KiB L1D$ and 16KiB L1I$ • 16-entry DTLB, 16-entry BTB, 64-entry BHT Integrated Systems Laboratory 26

  27. Evaluation Platform Channel bench [1] • Measure covert channels on ARM/x86 • Application Port to RISC-V Tailor attacks to Ariane‘s  Arch • Formally verified  Kernel by Data61 • • Focus on security Supervisor seL4 microkernel [5] • Port to Ariane • Enable cache colouring of LLC • FPGA (Genesys 2) @50MHz • Add timer peripheral and 512KiB LLC [3] Hardware platform Ariane RV64GC core [4] • Write-through 32KiB L1D$ and 16KiB L1I$ • 16-entry DTLB, 16-entry BTB, 64-entry BHT Integrated Systems Laboratory 27

  28. Channel Bench Output: L1 D$ s 0 107 t 0 83316 s 1 11 t 1 80209 s 2 112 t 2 82069 s 3 235 t 3 88152 s 4 246 t 4 88856 s 5 152 t 5 86627 Integrated Systems Laboratory 28

  29. Channel Matrix: L1 D$ N = 10 6 Integrated Systems Laboratory 29

  30. Channel Matrix: L1 D$ N = 10 6 Integrated Systems Laboratory 30

  31. Channel Matrix: L1 D$ N = 10 6 M = 1667.3 mb Integrated Systems Laboratory 31

  32. Channel Bench Output: L1 D$ s 0 107 t 0 83316 s 1 11 t 1 80209 s 2 112 t 2 82069 s 3 235 t 3 88152 s 4 246 t 4 88856 s 5 152 t 5 86627 M Integrated Systems Laboratory 32

  33. Channel Bench Output: L1 D$ s 0 107 t 0 83316 s 0 107 t 3 88152 s 1 11 t 1 80209 s 1 11 t 5 86627 t 1 80209 s 2 112 t 2 82069 s 2 112 Shuffle s 3 235 t 3 88152 s 3 235 t 4 88856 s 4 246 t 4 88856 s 4 246 t 0 83316 s 5 152 t 5 86627 s 5 152 t 2 82069 0 M 𝑁 0 Integrated Systems Laboratory 34

  34. Channel Bench Output: L1 D$ s 0 t 2 s 0 t 1 s 1 t 1 s 1 t 2 s 0 107 t 0 83316 s 0 107 t 3 88152 s 2 t 0 s 2 t 0 s 3 t 4 s 3 t 3 s 1 11 t 1 80209 s 1 11 t 5 86627 s 4 t 3 s 4 t 4 s 5 t 5 s 5 t 5 t 1 80209 s 2 112 t 2 82069 s 2 112 1 2 𝑁 0 𝑁 0 Shuffle Repeat s 3 235 t 3 88152 s 3 235 t 4 88856 s 0 t 5 s 0 t 5 s 1 t 2 s 1 t 4 s 4 246 t 4 88856 s 4 246 t 0 83316 s 2 t 0 s 2 t 0 s 3 t 1 s 3 t 3 s 5 152 t 5 86627 s 5 152 t 2 82069 s 4 t 3 s 4 t 1 s 5 t 4 s 5 t 2 0 𝑁 𝑁 0 3 4 𝑁 0 𝑁 0 ∗ 𝑁 0 : 95% confidence interval of 𝑁 0 𝑁 > 𝑁 0 ⇒ covert channel! Integrated Systems Laboratory 35

  35. Channel Matrix: L1 D$ N = 10 6 M = 1667.3 mb M 0 = 0.5 mb Integrated Systems Laboratory 36

  36. Flush: SW Approach D$ Application A OS OS OS Trojan OS Main memory OS Application B OS OS OS Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 37

  37. Software Mitigation: L1 D$ Channel Unmitigated L1 D$ prime on context switch N = 10 6 , M = 1667.3 mb, M 0 = 0.5 mb N = 10 6 , M = 1471.5 mb, M 0 = 0.6 mb Integrated Systems Laboratory 38

  38. Software Mitigation: L1 D$ Channel Single L1 D$ prime on context switch Double L1 D$ prime on context switch N = 10 6 , M = 1471.5 mb, M 0 = 0.6 mb N = 10 6 , M = 515.7 mb, M 0 = 1.1 mb Integrated Systems Laboratory 39

  39. Temporal Fence Instruction ( fence.t ) Integrated Systems Laboratory 40

  40. Temporal Fence Instruction ( fence.t ) fence.t select [4] Integrated Systems Laboratory 41

  41. Temporal Fence Instruction ( fence.t ) + Pipeline [4] Integrated Systems Laboratory 42

  42. fence.t : L1 D$ Channel Flush targeted components Unmitigated on context switch N = 10 6 , M = 1667.3 mb, M 0 = 0.5 mb N = 10 6 , M = 7.7 mb, M 0 = 1.4 mb Integrated Systems Laboratory 43

  43. fence.t : L1 D$ Channel Flush targeted components Unmitigated on context switch … but wait! N = 10 6 , M = 1667.3 mb, M 0 = 0.5 mb N = 10 6 , M = 7.7 mb, M 0 = 1.4 mb Integrated Systems Laboratory 44

Recommend

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Chupja Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1

627 views • 38 slides
COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1

1.05k views • 50 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels Kang-Hee Cho and Si-Hyeon Lee School of Electrical Engineering KAIST 2020 ISIT 1 / 14 Covert Communication ^ Y n W Decoder X n W P n Encoder

386 views • 15 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire dInformatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18 Introduction

784 views • 18 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet Austin, TX Lawrence Berkeley National Laboratory Sept, 13, 2016 Table of Contents Introduction Something Important Part 1: Multi-Notice

862 views • 52 slides
Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo Barradas PhD Stage: Planner Advisors: Prof. Lus Rodrigues & Prof. Nuno Santos Research Area: Privacy-Enhancing Technologies Diogo Barradas - EuroSys

395 views • 15 slides
Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard Kramer Technical University of Munich Institute for Communications Engineering ISIT 2020 Covert Communication Covert Communication vs. Secrecy:

269 views • 16 slides
Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The Humble Keylogger Malware Malicious Hardware In-Cable Devices Malicious Keyboards Supply Chain Attacks Malicious BIOS

591 views • 14 slides
PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN KENTON.BORN@GMAIL.COM Black Hat USA 2010 GREATEST CAPTCHA EVER Las Vegas, casino floor Wi-Fi (4/6/10) ROADMAP DNS Refresher Covert Channels DNS Tunnels My

435 views • 42 slides
Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer Security Transient execution and kernel isolation: Meltdown Day 11: Side Channels and Transient Execution Stephen McCamant Transient execution and kernel

496 views • 4 slides
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly

637 views • 32 slides

More recommend