bankrupt covert channel
play

Bankrupt Covert Channel: Turning Network Predictability into - PowerPoint PPT Presentation

Dec 07, 2022 •255 likes •564 views

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov , Plamen Petrov, Siavash Katebzadeh, Boris Grot University of Edinburgh This work is supported by ARM Center of Excellence at University of Edinburgh

  1. Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov , Plamen Petrov, Siavash Katebzadeh, Boris Grot University of Edinburgh This work is supported by ARM Center of Excellence at University of Edinburgh

  2. Data Breaches Never Been More Relevant 2

  3. Containing Data Breaches in Public Cloud Data breaches happen ☹ Spyware, side channels, … ● Secure cloud environment Outside world Spy with Receiver How to extract secret? secret Cloud vendors strive to contain stolen info Firewalls, authentication, … ● 3

  4. Containing Data Breaches in Public Cloud Data breaches happen ☹ Spyware, side channels, … ● Secure cloud environment Outside world Isolation layers Spy with Receiver How to extract secret? secret Cloud vendors strive to contain stolen info Image by Lynn Willis, source Process and virtual machine isolation Firewalls, authentication, … ● ● Physical server isolation ● Virtual network isolation ● 4

  5. Containing Data Breaches in Public Cloud Virtual network isolation Data breaches happen ☹ Physical server isolation Spyware, side channels, … ● VM isolation Spy with Receiver Secret extraction? secret Cloud vendors strive to contain stolen info Firewalls, authentication, … ● Are secrets safe now? 5

  6. Covert Channels Definition : Communication without using legitimate data transfer mechanisms Usually via resource sharing (e.g., CPU cache) ● Example: Timing channel via access latency modulation ● High latency for transmitting “1”, low for “0” ○ Image by Rick Leche (flipped vertically), source Covert channels allow bypassing isolation layers 6

  7. Network Covert Channels Virtual network isolation Allow communication across cluster/datacenter Physical server isolation Breach many isolation layers at once VM isolation Spy with Receiver Secret extraction secret Stereotypical thinking: Networks are noisy ⇨ low accuracy and low throughput channels But… Are modern networks noisy? 7

  8. Emerging Networks in Public Cloud Node A One-sided CPU RDMA read Remote Direct Memory Access (RDMA) Memory Data Today most cloud providers offer RDMA networks NIC ● AWS, Azure, Alibaba, Oracle, … ○ RDMA network RDMA network packets bypass destination CPU Node B NIC Low round-trip latency: 2-4μsec ● High BW with commodity NICs: 100+Gb/s Memory ● Remote region for A Data Nodes use one-sided reads/writes to CPU their private data in remote node’s memory 8

  9. Network BW vs. Memory BW Discrepancy Node A CPU First glance at bandwidth in modern servers Memory RDMA NICs offer 100-200Gb/s NIC ● Memory delivers >100GB/s (=800Gb/s) ● Network BW 100Gb/s Expectation: Memory BW always much larger Memory BW Node B NIC 100GB/s=800Gb/s Memory CPU 9

  10. Network BW vs. Memory BW Discrepancy Node A CPU First glance at bandwidth in modern servers Memory RDMA NICs offer 100-200Gb/s NIC ● Memory delivers >100GB/s (=800Gb/s) ● Network BW 100Gb/s Expectation: Memory BW always much larger Wrong! Memory BW Node B NIC 100GB/s=800Gb/s Memory has 100s of internal devices (banks) ● Memory 10Gb/s Each bank delivers just ~10Gb/s ● … 100s of banks E.g., same for both Micron DDR2, DDR4 ○ CPU Bank behaves as FIFO: ~50ns fixed service time ○ Network traffic can easily congest one memory bank 10

  11. Bankrupt: RDMA Intra-Cluster Covert Channel Bursts of RDMA reads Sender Receiver Key features Probes (individual RDMA reads) No direct communication between Sender and Receiver ● RDMA network Extremely stealthy! ● Intermediary NIC Basic idea Memory Bank Sender transmits the secret by modulating ● … the latency of one memory bank on an Intermediary node Receiver probes the bank latency and decodes the message ● CPU Intermediary is unrelated innocuous node ● No shared memory between Sender and Receiver Bank delay ○ High 1 0 1 0 1 0 Low Timeline 11

  12. Constructing Bankrupt Bursts of RDMA reads Sender Receiver 1. Search for addresses that map to target bank Probes Challenge: CPU hashes addresses to determine the bank (individual RDMA reads) ● Sender and Receiver search addresses independently ● RDMA network Addresses different for Sender and Receiver ● Recall: No memory sharing! ○ Intermediary NIC Memory Bank 2. Determining communication parameters … Sender side ● How many RDMA reads per burst? ○ CPU Transmission frequency? ○ Receiver side ● Bank delay Receiving (probes) frequency? ○ High 1 0 1 0 1 0 Low Timeline 12

  13. Finding Addresses in Same Bank 13

  14. Virtual Memory Addressing Page offset Virtual address (VA) Cache block offset Virtual addresses translated to physical upon access … p p p p p p p c c c c c c Translation at page granularity 63 5 0 ● Same mechanism for local and remote (over RDMA) accesses ● Translate VA->PA Physical address (PA) ? ? ? ? ? ? ? … ? ? p p p p p p p c c c c c c Arbitrary bits, defined by OS All bits within page are same Within a page, physical address bits same as in virtual address 14

  15. Bank Location Physical address (PA) ? ? ? ? ? ? ? … ? ? p p p p p p p c c c c c c Some physical address bits, “ bank bits ”, define bank Low-order bits to maximize bank-level parallelism Bank bits define bank location ● XOR function How to find addresses in same bank? These addresses have same bank bits ● Bank location Need to find exact bank bits positions 15

  16. Same-Bank Addresses Search: Iteration 1 In page (e.g., 1GB) Virtual address (VA) In cache block Attacker (Sender and Receiver independently): … p p p p p p p 0 0 0 0 0 0 1. Chooses arbitrary addresses in remote memory Reads to same cache blocks (64B) coalesced ○ Throughput ⇨ set {5:0} bits to 0 2. Issues RDMA reads to chosen addresses and measures network throughput Network BW = number of serving banks x10Gb/s ○ … Single bank’s BW = ~10Gb/s (can vary slightly across vendors) Measurements 16

  17. Same-Bank Addresses Search: Iteration 2 In page (e.g., 1GB) Virtual address (VA) In cache block Attacker (Sender and Receiver independently) … p p p p p p 0 0 0 0 0 0 0 1. Reduces subset of addresses Bank bit! a. Set {6:0} bits to 0 Throughput 2. Issues RDMA reads & measures throughput Throughput dropped by 2x ⇨ bit 6 is bank bit Single bank’s BW = ~10Gb/s (can vary slightly across vendors) Measurements 17

  18. Same-Bank Addresses Search: Iteration 3 In page (e.g., 1GB) Virtual address (VA) In cache block Attacker (Sender and Receiver independently) … p p p p p 0 0 0 0 0 0 0 0 1. Reduces subset of addresses Not a bank bit! a. Set {7:0} bits to 0 Throughput 2. Issues RDMA reads & measures throughput Same throughput ⇨ bit 7 is NOT bank bit Single bank’s BW = ~10Gb/s (can vary slightly across vendors) Measurements 18

  19. Same-Bank Addresses Search: Iteration 4 In page (e.g., 1GB) Virtual address (VA) In cache block Attacker (Sender and Receiver independently) … p p p p 0 0 0 0 0 0 0 0 0 1. Reduces subset of addresses a. Set {8:0} bits to 0 Throughput 2. Issues RDMA reads & measures throughput Throughput dropped by 2x ⇨ bit 8 is bank bit … Single bank’s BW = ~10Gb/s (can vary slightly across vendors) Measurements 19

  20. Same-Bank Addresses Search: Iteration N In page (e.g., 1GB) Virtual address (VA) In cache block Attacker (Sender and Receiver independently) … p p 0 0 0 0 0 0 0 0 0 0 0 1. Reduces subset of addresses a. Set {N-6:0} bits to 0 Throughput 2. Issues RDMA reads & measures throughput Knowing bank bits locations, choose arbitrary addresses with bank bits equal to 0 ● … Throughput saturated cache block bits equal to 0 ● ⇨ all bank bits zeroed Single bank’s BW = ~10Gb/s (can vary slightly across vendors) Measurements Trivial complexity: Remote attacker finds addresses in <1 second 20

  21. Bursts of RDMA reads Sender Receiver Probes (individual RDMA reads) RDMA network Determining Intermediary NIC Communication Parameters Memory Bank … CPU Bank delay High 1 0 1 0 1 0 Low Timeline 21

  22. Sender Side Optimization Space Key parameter : Sender’s burst size Transmission accuracy Larger bursts more pronounced ● ⇨ higher accuracy Especially in noisy networks ○ Smaller bursts drain quicker ● Transmission frequency ⇨ higher frequency Burst size 22

  23. Receiver Side Probe Round-Trip Delay Transmission period estimation Transmission period Transmitted packets comprise fixed-size preamble and payload ● Example: 32-bit preamble & 200-bit payload ○ Receiver iteratively determines the transmission period by ● looking for pre-agreed preamble value 1 0 Measurements Key parameter : Probing frequency Several probes (measurements) per transmission period ● Timeline Found little sensitivity on decoding accuracy with probing ● frequency > 2MHz (1/0.5μseconds) 23

  24. Evaluation Platforms Private Cluster Public Cloud: CloudLab Utah (isolated and loaded network ) (80% utilized during measurements) Cluster size: 6 nodes Cluster size: 200 nodes Infiniband Infiniband CPU: Xeon E5-2630v4 (Broadwell) CPU: Xeon E5-2640v4 (Broadwell) RAM: 64GB, DDR4-2400 RAM: 64GB, DDR4-2400 NIC: Mellanox CX-5, 56Gb/s NIC: Mellanox CX-4, 50Gb/s 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
VMS SAN Technology Spring 2002 John Covert 3C01 Fibre Channel Fibre Channel Fibre Channel

VMS SAN Technology Spring 2002 John Covert 3C01 Fibre Channel Fibre Channel Fibre Channel

VMS SAN Technology Spring 2002 John Covert 3C01 Fibre Channel Fibre Channel Fibre Channel ANSI standard network and storage interconnect OpenVMS, and most others, use it for SCSI storage TCI/IP and VIA also possible 1.06

460 views • 19 slides
I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche, Kashyap Thimmaraju , Liron Schiff and Stefan Schmid IFIP Networking 2018 14-16 May, 2018, Zurich, Switzerland 1 Outline 1. Motivation 2. Covert

999 views • 95 slides
A covert channel A covert channel hiding data in in packet headers packet headers hiding data

A covert channel A covert channel hiding data in in packet headers packet headers hiding data

A covert channel A covert channel hiding data in in packet headers packet headers hiding data Craig Rowland s covert_tcp proof s covert_tcp proof- -of of- -concept program concept program Craig Rowland David Morgan Covert

251 views • 6 slides
Covert channel detection using flow-data Guido Pineda Reyes MSc. Systems and Networking

Covert channel detection using flow-data Guido Pineda Reyes MSc. Systems and Networking

Covert channel detection using flow-data Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 1 / 46 Outline

594 views • 46 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

1.03k views • 66 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

562 views • 38 slides
Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko

Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko

Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH FLoCon 2005 1 MOTIVATION CNN.COM

234 views • 19 slides
May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks

Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks

Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks Aron Laszka 1 , 2 Benjamin Johnson 3 Jens Grossklags 1 1 Pennsylvania State University 2 Budapest University of Technology and Economics 3 University

867 views • 43 slides
SECURE SYSTEMS ENGINEERING ERIK TEWS &lt;E.TEWS@UTWENTEL.NL&gt; HOUSEKEEPING The covert

SECURE SYSTEMS ENGINEERING ERIK TEWS &lt;E.TEWS@UTWENTEL.NL&gt; HOUSEKEEPING The covert

SECURE SYSTEMS ENGINEERING ERIK TEWS &lt;E.TEWS@UTWENTEL.NL&gt; HOUSEKEEPING The covert channel traces are online You get always 5 traces from the unmodified app 5 traces from Other student submissions My own implementation

971 views • 63 slides
CHANNEL ALLOCATION Channel Language Translation Channel Translation Language Channel 1 German

CHANNEL ALLOCATION Channel Language Translation Channel Translation Language Channel 1 German

CHANNEL ALLOCATION Channel Language Translation Channel Translation Language Channel 1 German Kanal 1 Deutsch Channel 2 English Channel 2 English Channel 3 Italian Canale 3 Italiano Channel 4 Spanish Canal 4 Espaol Channel 5

708 views • 34 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
What to use for the default supernova burst model(s)? K. Scholberg DAQ Physics Performance WG

What to use for the default supernova burst model(s)? K. Scholberg DAQ Physics Performance WG

What to use for the default supernova burst model(s)? K. Scholberg DAQ Physics Performance WG October 10, 2019 It would be nice to have a robust prediction of the mean expected signal , as well as the an expected range of signals , in

392 views • 11 slides
BurScale: Using Burstable Instances for Cost-Effective Autoscaling in the Public Cloud Ata Fatahi

BurScale: Using Burstable Instances for Cost-Effective Autoscaling in the Public Cloud Ata Fatahi

BurScale: Using Burstable Instances for Cost-Effective Autoscaling in the Public Cloud Ata Fatahi , Timothy Zhu, Bhuvan Urgaonkar 1 Problem and Motivation 1 day Wikipedia access trace Context: Autoscaling in the cloud Load Variability

715 views • 13 slides
Module 6.1 Memory Access Performance DRAM Bandwidth Objective To learn that memory

Module 6.1 Memory Access Performance DRAM Bandwidth Objective To learn that memory

GPU Teaching Kit Accelerated Computing Module 6.1 Memory Access Performance DRAM Bandwidth Objective To learn that memory bandwidth is a first-order performance factor in a massively parallel processor DRAM bursts, banks, and

464 views • 12 slides
Burst Photography ! EE367/CS448I: Computational Imaging and Display ! stanford.edu/class/ee367 !

Burst Photography ! EE367/CS448I: Computational Imaging and Display ! stanford.edu/class/ee367 !

Burst Photography ! EE367/CS448I: Computational Imaging and Display ! stanford.edu/class/ee367 ! Lecture 7 ! Gordon Wetzstein ! Stanford University ! Motivation ! wikipedia ! exposure sequence ! -4 stops ! Motivation ! wikipedia ! exposure sequence

1.41k views • 69 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 CPU Scheduling CPU Scheduling

Operating Systems Operating Systems CMPSC 473 CMPSC 473 CPU Scheduling CPU Scheduling

Operating Systems Operating Systems CMPSC 473 CMPSC 473 CPU Scheduling CPU Scheduling February 12, 2008 - Lecture February 12, 2008 - Lecture 8 8 Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Threads Today:

558 views • 29 slides
DynaBurst: Dynamically Assemblying DRAM Bursts over a Multitude of Random Accesses Mikhail

DynaBurst: Dynamically Assemblying DRAM Bursts over a Multitude of Random Accesses Mikhail

DynaBurst: Dynamically Assemblying DRAM Bursts over a Multitude of Random Accesses Mikhail Asiatici and Paolo Ienne Processor Architecture Laboratory (LAP) School of Computer and Communication Sciences EPFL FPL 2019, Barcelona, Spain 11

804 views • 36 slides
Scheduling Sanzheng Qiao Department of Computing and Software January, 2013 Introduction In

Scheduling Sanzheng Qiao Department of Computing and Software January, 2013 Introduction In

Scheduling Sanzheng Qiao Department of Computing and Software January, 2013 Introduction In this part, well talk about resources , the things operated upon by processes (CPU time, disk space, etc). Resources fall into two classes:

721 views • 12 slides
Extending Pluto-Style Polyhedral Scheduling with Consecutivity Sven Verdoolaege 1 Alexandre Isoard

Extending Pluto-Style Polyhedral Scheduling with Consecutivity Sven Verdoolaege 1 Alexandre Isoard

January 23, 2018 1 / 29 Extending Pluto-Style Polyhedral Scheduling with Consecutivity Sven Verdoolaege 1 Alexandre Isoard 2 1 KU Leuven and Polly Labs 2 Xilinx January 23, 2018 January 23, 2018 2 / 29 Outline Introduction 1 Consecutivity

1.11k views • 74 slides

More recommend