When Oblivious is Not: Attacks against OPAM WOOT20@USENIX-SECURITY - PowerPoint PPT Presentation

When Oblivious is Not: Attacks against OPAM WOOT’20@USENIX-SECURITY Nirjhar Roy (Indian Institute of Technology - Kanpur) Nikhil Bansal (Indian Institute of Technology - Kanpur) Gourav Takhar (Indian Institute of Technology - Kanpur) Nikhil Mittal (Fortanix Inc) Pramod Subramanyan (Indian Institute of Technology - Kanpur) 1

Presentation Roadmap ● Introduction ● Attacks on InvisiPage/OPAM ● Covert Channels using Reuse Distances and its evaluation ● Conclusion 2

Enclaves Demystified Enclaves: hardware-supported environment for isolated execution with strong application-level security guarantees despite the presence of malicious/compromised privileged software 3

Introducing ORAMs Untrusted Server ● Interface between a client and and Access Oblivious Client i an untrusted server Client ● Shuffles the data from time to time [i] Read D[i] Interface ORAM ● Hides access patterns and access D[[i]] frequencies ● Examples: Square root ORAM, Tree-based ORAMs including Path ORAM, Ring ORAM, etc. 4

ORAM Meets Demand Paging and Enclaves Threat Model 3 ● The Host OS/apps are considered malicious ORAM Interface 5 trying to find out access pattern/access frequency/memory content of the pages 2 6 being read or written 4 Runtime OS Untrusted ● The OS observes only a random set of Memory pages ( encrypted) getting read/written after in step 3. 1 7 ● The attacker can choose to tamper the Enclave app pages but that will detected after step 6 in Runtime Trusted world Untrusted world outside of enclave inside the enclave (ORAM Server) ● Attackers having physical access to the (ORAM Client) memory will also see cipher text 5

Our Contributions ● Discovering vulnerability in InvisiPage ● Implementation of a demand paging system inside Keystone ● Exploiting it to design new attacks:- ○ The reuse distance attacks ○ The level tracking attack ● Designing a covert channel using Reuse Distances 6

Attacks on InvisiPage Shaizeen Aga and Satish Narayanasamy. 2019. InvisiPage: oblivious demand paging for secure enclaves. In Proceedings of the 46th International Symposium on Computer Architecture ( ISCA ’19 ). 7

Introduction to Invisipage/OPAM Access (88, Fetch) Metadata Tree Data Tree 100 100 All dec+ auth and checked 692 250 692 250 468 D 88 605 468 D 88 605 Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3 Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3 Dec + auth 468 → 0, … 88→ 2, 250→ 2, 100 → 2 468 → 0, … 88→ 0, 250→ 2, 100 → 2 Position map Updated Position map ORAM Path Read 8

Introduction to Invisipage/OPAM Metadata Tree Data Tree Access (88, Fetch) D D 692 100 692 100 All ecn + auth and sent 468 D 250 605 468 D 250 605 Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3 Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3 468 → 0, … 88→ 0, 250→ 2, 100 → 2 Updated Position map ORAM Path Write/Shuffle 9

Vulnerability in OPAM (Invisipage) ● On every page fault or ORAM access exactly one page gets transferred. ● The adversary is able to observe which page got exchanged ● Transferred page is the page of interest and is definitely NOT a dummy page. ● Adversary can calculate number of intervening ORAM accesses ● This in fact leaks information and makes OPAM access not oblivious. 10

Introducing Reuse Distance Attack ● Reuse Distance:- # of faults between the time a page gets evicted and when the page is brought back to the enclave (i.e, reused). ● This sequence of reuse distances will be different for different types of memory accesses/applications. ● We use this fact to distinguish and predict/identify the secret applications running inside the enclave. 11

Example of Reuse Distance Attack 2k 2k 2k 2k 2k 2k 2k 2k 2 2 2 2 ... 0 1 3 7 0 2 5 12 0 1 2 3 Iteration 1 Iteration 2 Figure (a) Linear scan over an array Figure (b) Repeated Binary Tree Traversal ● Enclave has 2 physical pages available and LRU is used. ● In Figure (a) every page is reused after 2 page faults and ● In Figure (b), the reuse distance of the root is 2 because the root node is accessed in every iteration and for non-root pages are multiples of 2 because non-root pages may or may not be accessed in successive iterations. 12

Attack Methodology 3 (ocalls) Training 4 Access (88, Record (88, evict) ocall Evict) . Invisipage Records other Interface . 5 faults ● Collect trace of reuse distances for many . (ocalls) Record (88, Read) ocall Access apps on many inputs (88,Fetch) 2 6 ● Train CNN sequence classifier on these OS ● Classes are the different applications Runtime Testing 1 7 ● Run app on a new input never seen before Enclave app ● Measure classification accuracy Untrusted world outside of enclave Trusted world inside (Invisipage Client) the enclave (Invisipage Client) 13

Secret Application Classification Accuracy (OPAM) Methodology ● Execute with many (~100-200) inputs and collecte reuse distances traces ● Data divided into training and test in 3:1 ratio and evaluation repeated 10 times ● Reuse distance trace is used as the input feature ● Random splits of the data into training and test datasets 14

Covert Channels Using Reuse Distances 15

Basic Idea ● Reuse distance leakage of provides Reuse distance Covert Channel Model a covert channel to leak secret Message information (e.g. an input genome Passing data). Enclave App Host OS (colluding) (colluding) ● Engineering the access patterns to cause a particular sequence of Page Trace faults to exchanges receive bits page faults and associated reuse (paging) distances Untrusted Memory ● Interpret the reuse distances to leak the bits 16

Threat Model ● Standard enclave threat model corresponding to a software attacker ● Enclave RT and the hardware platform are trusted and we do not use microarchitectural side-channels and/or HW access to DRAM ● Enclave app colludes with host OS to leak sensitive input data ● Host OS is aware of the encoding used by the enclave application 17

Example of an Encoding With Reuse Distance A A A A A A A A A A A A A A A A A A A A 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 9 10 2 E E E E E E E E E E E E E E E E 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 RU = 12 RU = 14 ● Application wants to transmit a message 1001, n = 4 and k = 2 RU = 5 ● Page replacement policy is FIFO and enclave has P = 4 pages RU = 5 ● To transmit a bit 1, reuse distance in range [8, 16) (Pages 1-8) ● To transmit a bit 0, reuse distance in the range [0, 8)(Pages 9-16) ● Generate reuse distance sequence (12, 5, 5, 14) corresponding to message 1001 18

Bit Leakage Bandwidth Analysis ● We see a peak bandwidth with arity 4 ● As we increase k, more data is transmitted with each page fault, but the number of page-faults required to setup the algorithm also increases and the overheads associated with increased number of initial page faults dominate and we see a steady decline in transmission bandwidth. 19

Conclusions ● Introduction of a new side channel attack, The Reuse Distance attack, which is able to infer confidential information about an enclave’s execution ● Introduction of a new covert channel using reuse distances ● Found and systematically exploited a vulnerability in state-of-the-art approach to secure demand paging enclave (Invisipage/OPAM) 20

In Memory of Dr. Pramod Subramanyan 8th June 1984 - 8th July 2020 21

Thank you 22