cross vm side channels and
play

Cross-VM Side Channels and Their Use to Extract Private Keys - PowerPoint PPT Presentation

Feb 11, 2023 •368 likes •775 views

Cross-VM Side Channels and Their Use to Extract Private Keys Yinqian Zhang (UNC-Chapel Hill) Ari Juels (RSA Labs) Michael K. Reiter (UNC-Chapel Hill) Thomas Ristenpart (U Wisconsin-Madison) Motivation Security Isolation by Virtualization VM

  1. Cross-VM Side Channels and Their Use to Extract Private Keys Yinqian Zhang (UNC-Chapel Hill) Ari Juels (RSA Labs) Michael K. Reiter (UNC-Chapel Hill) Thomas Ristenpart (U Wisconsin-Madison)

  2. Motivation

  3. Security Isolation by Virtualization VM VM Crypto Keys Attacker Victim Virtualization Layer Computer Hardware

  4. Access-Driven Cache Timing Channel VM VM Crypto Keys Attacker Victim Side Channels Virtualization (Xen) An open problem: Are cryptographic side channel attacks possible in virtualization environment?

  5. Related Work Multi- w/o Publication Virtualization Target Core SMT Percival 2005 RSA Osvik et al. 2006 AES Neve et al. 2006 AES Aciicmez 2007 RSA Aciicmez et al. 2010 DSA Bangerter 2011 AES

  6. Related Work Multi- w/o Publication Virtualization Target Core SMT Percival 2005 RSA Osvik et al. 2006 AES Neve et al. 2006 AES Aciicmez 2007 RSA Ristenpart el al. 2009 load Aciicmez et al. 2010 DSA Bangerter 2011 AES

  7. Related Work Multi- w/o Publication Virtualization Target Core SMT Percival 2005 RSA Osvik et al. 2006 AES Neve et al. 2006 AES Aciicmez 2007 RSA Ristenpart el al. 2009 load Aciicmez et al. 2010 DSA Bangerter 2011 AES Our work ElGamal

  8. Outline Stage 1 Stage 2 Cross-VM Cache Vectors of cache Side Channel Pattern measurements Probing Classification Sequences of SVM- classified labels Noise Code-Path Fragments of code path Reduction Reassembly Stage 3 Stage 4

  9. Digress: Prime-Probe Protocol PRIME PRIME-PROBE Interval PROBE Time 4-way set associative Cache Set L1 I-Cache

  10. Cross-VM Side Channel Probing VM VM Victim Attacker Virtualization (Xen) L1 L1 L1 L1 I-Cache I-Cache I-Cache I-Cache

  11. Challenge: Observation Granularity VM/VCPU VM/VCPU • W/ SMT: tiny prime- probe intervals Attacker Victim • W/o SMT: gaming schedulers L1 I-Cache Time 30ms 30ms

  12. Ideally … Time 1 instruction? • Use Interrupts to preempt the victim: • Timer interrupts? • Network interrupts? • HPET interrupts? • Inter-Processor interrupts (IPI)!

  13. Inter-Processor Interrupts Attacker VM For( ; ; ) { send_IPI(); VM/VCPU Delay(); } Attacker IPI Victim VCPU VCPU Virtualization (Xen) CPU core CPU core

  14. Cross-VM Side Channel Probing Time 2.5 µs 2.5 µs 2.5 µs

  15. Outline Stage 1 Stage 2 Cross-VM Cache Vectors of cache Side Channel Pattern measurements Probing Classification Sequences of SVM- classified labels Noise Code-Path Fragments of code path Reduction Reassembly Stage 3 Stage 4

  16. Square-and-Multiply

  17. Square-and-Multiply (mod)

  18. Square-and-Multiply (libgcrypt) /* y = x e mod N , from libgcrypt */ Modular Exponentiation (x, e, N): e i = 1 → “SRMR” let e n … e 1 be the bits of e e i = 0 → “SR” y ← 1 for e i in {e n …e 1 } y ← Square (y) (S) y ← Reduce (y, N) (R) if e i = 1 then y ← Multi (y, x) (M) y ← Reduce (y, N) (R)

  19. Cache Pattern Classification Key observation: Footprints of different functions are distinct in the I-Cache ! • Square(): cache set 1, 3, …, 59 • Multi(): cache set 2, 5, …, 60, 61 • Reduce(): cache set 2, 3, 4, …, 58 Square() Multi() Classification Reduce()

  20. Support Vector Machine Noise: hypervisor context switch Square() Multi() SVM Reduce() Read more on SVM training

  21. Support Vector Machine SVM

  22. Outline Stage 1 Stage 2 Cross-VM Cache Vectors of cache Side Channel Pattern measurements Probing Classification Sequences of SVM- classified labels Noise Code-Path Fragments of code path Reduction Reassembly Stage 3 Stage 4

  23. Noise Reduction requires robust automated error correction

  24. Hidden Markov Model S R M Square Reduce Multi Unkn

  25. Hidden Markov Model S R M Square Reduce Multi Unkn

  26. Hidden Markov Model low confidence

  27. Eliminate Non-Crypto Computation SVM

  28. Eliminate Non-Crypto Computation S R M Square Reduce Multi Unkn

  29. Eliminate Non-Crypto Computation Key Observations S:M Ratio should be roughly 2:1 for long enough sequences! “MM” signals an error (never two sequential multiply operations)

  30. Key Extraction Start Decryption Unkn Unkn Unkn VCPU VCPU Square Reduce Square Reduce Multi Reduce Victim Attacker Virtualization (Xen) L1 L1 L1 L1 I-Cache I-Cache I-Cache I-Cache

  31. Multi-Core Processors 0100011... Another Dom0 VCPU VCPU Victim Attacker IPI VCPU VCPU VCPU L1 L1 L1 L1 I-Cache I-Cache I-Cache I-Cache

  32. Multi-Core Processors ..#####... Dom0 Another VCPU VCPU Victim Attacker IPI VCPU VCPU VCPU L1 L1 L1 L1 I-Cache I-Cache I-Cache I-Cache

  33. Multi-Core Processors ##10100... Dom0 Another VCPU VCPU Victim Attacker IPI VCPU VCPU VCPU L1 L1 L1 L1 I-Cache I-Cache I-Cache I-Cache

  34. From an Attacker’s Perspective

  35. Outline Stage 1 Stage 2 Cross-VM Cache Vectors of cache Side Channel Pattern measurements Probing Classification Sequences of SVM- classified labels Noise Code-Path Fragments of code path Reduction Reassembly Stage 3 Stage 4

  36. Code-Path Reassembly No error bit!

  37. Outline Stage 1 Stage 2 Cross-VM Cache Vectors of cache Side Channel Pattern measurements Probing Classification Sequences of SVM- classified labels Noise Code-Path Fragments of code path Reduction Reassembly Stage 3 Stage 4

  38. Evaluation • Intel Yorkfield processor – 4 cores, 32KB L1 instruction cache • Xen + linux + GnuPG + libgcrypt – Xen 4.0 – Ubuntu 10.04, kernel version 2.6.32.16 – Victim runs GnuPG v.2.0.19 (latest) – libgcrypt 1.5.0 (latest) – ElGamal, 4096 bits

  39. Results • Work-Conserving Scheduler – 300,000,000 prime-probe results (6 hours) – Over 300 key fragments – Brute force the key in ~9800 guesses • Non-Work-Conserving Scheduler – 1,900,000,000 prime-probe results (45 hours) – Over 300 key fragments – Brute force the key in ~6600 guesses

  40. Conclusion • A combination of techniques – IPI + SVM + HMM + Sequence Assembly • Demonstrate a cross-VM access-driven cache- based side-channel attack – Multi-core processors without SMT – Sufficient fidelity to exfiltrate cryptographic keys

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

1.24k views • 102 slides
Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

978 views • 42 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurlien Francillon Whats this all about? - A nov novel attack ex exploiting g EM side

886 views • 77 slides
Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia DAntoine REcon 2015 The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46 Cloud Computing (IaaS) Virtual instances Hypervisors

491 views • 46 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny,

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny,

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny, Ashutosh Trivedi *University of Colorado Boulder Functional Case Motivation Side Channels Studies Functional Case Motivation Side Channels

366 views • 24 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon, Vyas Sekar Michael K. Reiter Co-residency side-channel attacks in clouds Stealing secrets (e.g., keys) VM VM VM Machine Machine Many

1.03k views • 69 slides
Loose Ends: Side Channels, Government Surveillance & Targeted

Loose Ends: Side Channels, Government Surveillance & Targeted

CSE 484 / CSE M 584: Computer Security and Privacy Loose Ends: Side Channels, Government Surveillance & Targeted Attacks Spring 2015 Franziska

622 views • 27 slides
Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer Security Transient execution and kernel isolation: Meltdown Day 11: Side Channels and Transient Execution Stephen McCamant Transient execution and kernel

496 views • 4 slides
Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R.

Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R.

Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R. Crandall University of New Mexico, USA How do you measure something? Interact directly T ake samples Multiple tests 2 Problem How

533 views • 26 slides
Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John

Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John

CSE 127: Computer Security Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Today Lecture objectives: Understand basic principles for building secure systems

1.08k views • 78 slides
Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder 1 st paper review due midnight on 09/27 (before the next lecture) You will receive an invitation from HotCRP

1.46k views • 78 slides
Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder 1 st paper review due midnight on 09/27 (before the next lecture) You will receive an invitation from HotCRP

561 views • 27 slides
Extracting Descriptions of Location Relations from Implicit Textual Networks Andreas Spitz,

Extracting Descriptions of Location Relations from Implicit Textual Networks Andreas Spitz,

Extracting Descriptions of Location Relations from Implicit Textual Networks Andreas Spitz, Gloria Feher, Michael Gertz Heidelberg University, Institute of Computer Science Database Systems Research Group { spitz,gertz }

747 views • 38 slides
Automatic Extraction of Sliced Object State Machines for Component Interfaces Tao Xie David

Automatic Extraction of Sliced Object State Machines for Component Interfaces Tao Xie David

Automatic Extraction of Sliced Object State Machines for Component Interfaces Tao Xie David Notkin Dept. of Computer Science & Engineering University of Washington, Seattle SAVCBS 04 Oct. 2004 1 Motivation Software components

303 views • 29 slides
Does Automated Refactoring Obviate Systematic Editing? Na Meng*

Does Automated Refactoring Obviate Systematic Editing? Na Meng*

Does Automated Refactoring Obviate Systematic Editing? Na Meng* Lisa Hua* Miryung Kim + Kathryn S. McKinley The University of Texas at

340 views • 19 slides
Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong

Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong

Folktales As Classifiable Texts Learning to Extract Folktale Keywords Dolf Trieschnigg, Dong Nguyen and Marit Theune Once upon a time There was

421 views • 23 slides
CSC2542 Planning-Graph Techniques The lecture in 2 weeks will be given by our TA, Christian

CSC2542 Planning-Graph Techniques The lecture in 2 weeks will be given by our TA, Christian

Administrative Announcements Tutorial Time: If youre taking the course for credit, please (re)vist the doodle poll and see whether you can work towards finding a time when we can all meet. Were at an impass! I will be posting a

106 views • 8 slides
Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo Van Bulck 1 Marina Minkin 2 Ofir Weisse 3 Daniel Genkin 3 Baris Kasikci 3 Frank Piessens 1 Mark Silberstein 2 Thomas F. Wenisch 3 Yuval Yarom 4 Raoul

601 views • 56 slides
RECSM Summer School: Scraping the web Pablo Barber a School of International Relations

RECSM Summer School: Scraping the web Pablo Barber a School of International Relations

RECSM Summer School: Scraping the web Pablo Barber a School of International Relations University of Southern California pablobarbera.com Networked Democracy Lab www.netdem.org Course website: github.com/pablobarbera/big-data-upf

571 views • 40 slides
Feature Extraction 7-1 Ronald Peikert SciVis 2007 - Feature Extraction What are features?

Feature Extraction 7-1 Ronald Peikert SciVis 2007 - Feature Extraction What are features?

Feature Extraction 7-1 Ronald Peikert SciVis 2007 - Feature Extraction What are features? Features are inherent properties of data, independent of coordinate frames etc. Dimension of a feature: 0: point feature (often defined by n

840 views • 30 slides

More recommend