casym cache aware symbolic execution for side channel
play

CaSym: Cache Aware Symbolic Execution for Side Channel Detection - PowerPoint PPT Presentation

Apr 30, 2023 •177 likes •390 views

CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert Brotzman, Shen Liu, Danfeng Zhang, Gang Tan, Mahmut Kandemir Pennsylvania State University Cache Side Channels Process Data CPU Cache Program Side

  1. CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert Brotzman, Shen Liu, Danfeng Zhang, Gang Tan, Mahmut Kandemir Pennsylvania State University

  2. Cache Side Channels Process Data CPU Cache Program • Side Channel • Unintentional information transfer Robert Brotzman – Pennsylvania State University 2

  3. Cache Side Channels Process Data CPU Cache Program • Side Channel • Unintentional information transfer Robert Brotzman – Pennsylvania State University 3

  4. How Severe is the Problem? • High band width attack • Work on secure enclaves • Can be launched across VM’s in the cloud Finding vulnerabilities in code is challenging! Robert Brotzman – Pennsylvania State University 4

  5. Prior Work • CacheAudit (Doychev et al. Security ‘13) • Uses abstract interpretation • Computes upper bound on leakage • Does not provide location of leakage • CacheD (Wang et al. Security ‘17) • Uses symbolic execution • Can detect where leakage happens • May miss side channels (not sound) • Requires concrete inputs • Does not provide fixes Robert Brotzman – Pennsylvania State University 5

  6. Introducing CaSym • Uses cache-aware symbolic execution • Soundly models cache side channels • Memory accesses • Branches • Detects cause of side channel • Provides simple fix mechanisms • Flexible cache models • Infinite • Age • LRU Robert Brotzman – Pennsylvania State University 6

  7. CaSym: Overview Source LLVM Clang Code IR Code Fixed Apply Mitigations Code Cache Model: Attack Model: Infinite Access Age Trace LRU Localization Report Cache Cache Model Z3 Analysis Formula Robert Brotzman – Pennsylvania State University 7

  8. Example: Square & Multiply • Does modular exponentiation • Used in asymmetric encryption • RSA, ElGamal, etc Iterates over each bit of key Localization Report 1: result = 0 ; Problem: Key Dependent Branch 2: for( int i = expLen - 1 ; i > 0 ; i --) Detected at: Line 6 3: { Key 4: result = result * result ; Witnesses: … 5: result = result % mod ; 6: if(( 1 << i ) & exp ) 7: { 8: result = base * result ; 9: result = result % mod ; 10: } Causes different 11: } observable cache states Robert Brotzman – Pennsylvania State University 8

  9. Symbolic Execution • Program variables • Treats all program variables symbolically Toy Program • Cache variables int a , b; • Creates cache variable for each program variable int PRIV key ; • Cache variables values are determined by cache model if( key == 1 ) Cache Variables { a cache a = 0 ; b cache } key cache else { b = 0 ; } Robert Brotzman – Pennsylvania State University 9

  10. Verification • Run program twice • Cache and public variables are same between runs • Sensitive variables must be different • Vulnerability reported when two different cache states are achieved = Cache Variables Cache Variables Toy Program Toy Program ≠ a cache a’ cache int a , b; int a’ , b’; b cache b’ cache int PRIV key ; int PRIV key’ ; key cache key’ cache if( key == 1 ) if( key’ == 1 ) { { a = 0 ; a’ = 0 ; } } = ≠ else Cache Variables Cache Variables else a cache a’ cache { { b cache b’ cache b = 0 ; b’ = 0 ; } } key cache key’ cache Robert Brotzman – Pennsylvania State University 10

  11. Cache Models Motivation • Cache implementations are complex • Replacement policies, hierarchies, inclusivity, etc. • Vary amongst processors Infinite Age LRU • Treats cache as an • Assigns an age to • Also assigns ages infinite set all variables to all variables • Never evicts data • Overapproximates • Youngest n from cache real replacement variables are policies cached Robert Brotzman – Pennsylvania State University 11

  12. Infinite Model Demo Abstract Abstract Cache Cache Toy Program key " 1 key " 0 Initial key " 1 int a , b; int PRIV key ; Used(key) " true Used(key) " false Used(key) " true if( key == 1 ) Used(b) " false ≠ { a = 0 ; Used(a) " false Used(a) " true Used(a) " true } else { Used(b) " false Used(b) " true b = 0 ; } Robert Brotzman – Pennsylvania State University 12

  13. Age Model Demo Used(key) " 1 Abstract Abstract Cache Cache Toy Program key " 0 key " 1 Initial key " 1 int a , b; int PRIV key ; Used(key) " 0 Used(key) " ∞ Used(key) " 1 if( key == 1 ) Used(b) " ∞ ≠ { a = 0 ; Used(a) " 0 Used(a) " ∞ Used(a) " 0 } else { Used(b) " ∞ Used(b) " 0 b = 0 ; } Robert Brotzman – Pennsylvania State University 13

  14. Improving Performance • Array reads are unconstrained • Uses taint analysis to check if read is sensitive • Reset constraints • Breaks program into smaller chunks • Recomputes sensitive variables • Useful for loops • Loop transformation • Soundly rewrite program to be loop free • Makes loop unrolling unnecessary Robert Brotzman – Pennsylvania State University 14

  15. Attack Models Access Model Set of Addresses: {&a, &b, &c, &d, &e, &f} Program access(a); access(b); access(c); access(d); access(e); access(f); Robert Brotzman – Pennsylvania State University 15

  16. Attack Models Sequence of Trace Model Addresses: [&a, &b, &c, &d, Program &e, &f] access(a); access(b); access(c); access(d); access(e); access(f); Robert Brotzman – Pennsylvania State University 16

  17. Crypto Results: Trace Infinite Age LRU (2k) Benchmarks Found Time Found Time Found Time AES libgcrypt 64 8.9 64 16.7 64 635 AES mbed TLS 17 5.9 17 17.0 17 757 Can take 3DES libgcrypt 128 62.5 128 189 128 54.3 Order of accesses is significantly more still different 3DES mbed TLS 48 27.0 48 73.2 48 803 time DES glibc 2 0.92 2 2.65 2 9.2 UFC glibc 0 0.24 0 1.27 0 5.35 Order of magnitude Finds one additional Square & Multiply 4 8.2 4 125 4 180 Most realistic model more time vulnerable location libgcrypt Square & Always Multiply 3 18.9 4 184 3 163 libgcrypt Left-to-Right Modular Exp 3 84.8 3 2618 3 6275 libgcrypt Totals 269 217.36 270 3226.82 269 8881.85 Robert Brotzman – Pennsylvania State University 17

  18. Protected Results Data cached at beginning of function Data cached throughout function Preloading Pinning Infinite Age Infinite Age Functions TP Time (s) TP Time (s) TP Time (s) TP Time (s) AES libgcrypt 0 2.95 64 17.4 0 4.02 0 13.6 AES mbed TLS 0 1.68 17 17.4 0 2.00 0 9.60 3DES libgcrypt 0 84.0 128 170 0 0.61 0 1.53 3DES mbed TLS 0 1.53 48 65.5 0 0.03 0 1.70 DES glibc 0 0.56 2 3.15 0 0.51 0 1.79 Totals 0 90.72 259 273.45 0 7.17 0 28.22 Robert Brotzman – Pennsylvania State University 18

  19. Conclusions • Built CaSym to automatically identify vulnerabilities in programs • CaSym supports a variety of cache models • Easy to get different precision and efficiency • Tested on an assortment of benchmarks • Confirm many existing vulnerabilities in crypto benchmarks • Verified mitigations strategies on crypto benchmarks • Found over 20 new potential vulnerabilities in the PostgreSQL database Robert Brotzman – Pennsylvania State University 19

  20. Thank You! Robert Brotzman – Pennsylvania State University 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik

Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik

Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik Bultan Computer Science Department University of California, Santa Barbara (UCSB) Joint work with: Abdulbaki Aydin, Lucas Bang, UCSB Corina

1.1k views • 91 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie Xiong and Jakub Szefer Yale University HASP June 2, 2018 Memory System Cache Memory CPU Typical set-associative cache sets ways cache

640 views • 25 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Introduction / Motivation Symbolic Method Experiments Conclusion Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS In` es Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz

271 views • 25 slides
TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB

TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB

TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB attack B. Gras, K. Razavi, H. Bos, and C. Giuffrida Presented by Ayoosh Bansal Translation Lookaside Buffer (TLB) It is a cache, where every entry

1.04k views • 25 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Memory Hierarchy: Cache Memory hierarchy Cache basics Locality Cache organization Cache-aware

Memory Hierarchy: Cache Memory hierarchy Cache basics Locality Cache organization Cache-aware

Memory Hierarchy: Cache Memory hierarchy Cache basics Locality Cache organization Cache-aware programming How does execution time grow with SIZE? int[] array = new int[SIZE]; fillArrayRandomly(array); int s = 0; for (int i = 0; i &lt;

847 views • 48 slides
(ISSTAC) Side Channel Analysis Corina Pasareanu (CMU&amp;NASA Ames) Project team members

(ISSTAC) Side Channel Analysis Corina Pasareanu (CMU&amp;NASA Ames) Project team members

Integrated Symbolic Execution for Space-Time Analysis of Code (ISSTAC) Side Channel Analysis Corina Pasareanu (CMU&amp;NASA Ames) Project team members Corina Pasareanu Teme Kahsai Kasper Luckow Quoc-Sang

458 views • 23 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
Input Front side bus A Front side bus B controller Bus #0 HI North bridge Output Bus #0

Input Front side bus A Front side bus B controller Bus #0 HI North bridge Output Bus #0

Calcolatori Elettronici e Sistemi Operativi System architecture example PCI PCI express CPU CPU CPU CPU express dev Memory dev Cache Cache Cache Cache Graphics Input Front side bus A Front side bus B controller Bus #0 HI

414 views • 6 slides
Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES Bholanath Roy Research Scholar Advanced Encryption Standard(AES) Design of an Espionage Network : Attack Architecture Espionage Infrastructure

435 views • 4 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
CSU Channel Islands Data Governance Council 6.16.2016 Agenda Team Reports Data Knowledge

CSU Channel Islands Data Governance Council 6.16.2016 Agenda Team Reports Data Knowledge

CSU Channel Islands Data Governance Council 6.16.2016 Agenda Team Reports Data Knowledge Cookbook Overview Training Update Team Reports Data Request Process Update: Initial Meeting w/iData Process integrated into the

457 views • 10 slides
Learning Explanatory Rules from Noisy Data Richard Evans, Ed Grefenstette Overview Our system,

Learning Explanatory Rules from Noisy Data Richard Evans, Ed Grefenstette Overview Our system,

Learning Explanatory Rules from Noisy Data Richard Evans, Ed Grefenstette Overview Our system, ILP, learns logic programs from examples. ILP learns by back-propagation. It is robust to noisy and ambiguous data. Learning Explanatory

638 views • 61 slides
Computations by groups DATA MAN IP ULATION W ITH DATA.TABLE IN R Matt Dowle, Arun Srinivasan

Computations by groups DATA MAN IP ULATION W ITH DATA.TABLE IN R Matt Dowle, Arun Srinivasan

Computations by groups DATA MAN IP ULATION W ITH DATA.TABLE IN R Matt Dowle, Arun Srinivasan Instructors, DataCamp The by argument The by argument allows computations for each unique value of the (grouping) columns specied in by # How

449 views • 20 slides
Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with

Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with

Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with contributions from Claudio Marxer, University of Basel Overview 1. Named Function Networking (NFN) in two slides 2. Problem statement (NDNex) 3.

350 views • 16 slides
Classification &amp; The Noisy Channel Model CMSC 473/673 UMBC September 13 th , 2017 Some

Classification &amp; The Noisy Channel Model CMSC 473/673 UMBC September 13 th , 2017 Some

Classification &amp; The Noisy Channel Model CMSC 473/673 UMBC September 13 th , 2017 Some slides adapted from 3SLP Recap from last time Three people have been fatally shot, p ( ) and five people, including a mayor, were seriously

1.2k views • 91 slides
Data Cleaning Tools Survey Final G1 Lukas Bodner, Daniel Geiger, Lorenz Leitner 1 of 28

Data Cleaning Tools Survey Final G1 Lukas Bodner, Daniel Geiger, Lorenz Leitner 1 of 28

Data Cleaning Tools Survey Final G1 Lukas Bodner, Daniel Geiger, Lorenz Leitner 1 of 28 Motivation Introduction Data Sets Feature Matrix 2 of 28 Motivation Why is clean data important? Low-quality data leads to: Incorrect results

554 views • 29 slides
Data Analysis Modeling and Parsing 15-110 Friday 11/13 Learning Goals Read and write

Data Analysis Modeling and Parsing 15-110 Friday 11/13 Learning Goals Read and write

Data Analysis Modeling and Parsing 15-110 Friday 11/13 Learning Goals Read and write data from files Interpret data according to different protocols: plaintext, CSV, and JSON Reformat data to find, add, remove, or reinterpret

428 views • 28 slides
High-throughput processing of telemetry data D.J. Lee Brigham Young University C. Mike and V.E.

High-throughput processing of telemetry data D.J. Lee Brigham Young University C. Mike and V.E.

High-throughput processing of telemetry data D.J. Lee Brigham Young University C. Mike and V.E. Howle Texas Tech University R.A. Erickson Upper Midwest Environmental Sciences Center United States Geological Survey Core Science Systems

258 views • 21 slides

More recommend