fuchsia data driven debugging for functional side channels
play

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid - PowerPoint PPT Presentation

Jun 26, 2023 •108 likes •366 views

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny, Ashutosh Trivedi *University of Colorado Boulder Functional Case Motivation Side Channels Studies Functional Case Motivation Side Channels

  1. FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny, Ashutosh Trivedi *University of Colorado Boulder

  2. Functional Case Motivation Side Channels Studies

  3. Functional Case Motivation Side Channels Studies

  4. https://www.eclipse.org/jetty/

  5. V1 … m m b a b b b b b c c c c c d d d d d e e e e e f f f f f m m m m m m m … y y y y y y p c c p c p p a a d d d d a e s e e e s e s f f f f f f m y p a s s 0.5 (s) 0.5 (s) 0.5 (s) 1.0 (s) 1.0 (s) 1.5 (s) V2 a b c d e m y p a s s a a b b c c d d e e f f 1.0 (s) 0.5 (s) 0.5 (s) ? V3 5

  6. - Time does not exist in the syntax or semantic - Large applications with dynamic features

  7. Data-Driven Di ff erential Debugging: Program Analysis + ML 7

  8. V3 jetty.security… jetty.security… StringEquals_bblock_5 StringEquals_bblock_106 jetty.security… jetty.security… StringEquals_bblock_5 StringEquals_bblock_106 Secret Guess password aa1234 password pa12cd password … Secret=‘pass’ mypass a1b2c3 Time Time Guess=‘a’ Guess=‘abcdefgh’ Guess=‘abcd’ Guess=‘abcde’ Guess=‘abc’ Guess=‘ab’ Guess=‘b’ mypass mypa … … Time Time Time Time Public Input (Guess) Public Input (Guess) Public Input (Guess) Public Input (Guess) Public Input (Guess) Public Input 8

  9. V3 jetty.security… jetty.security… StringEquals_bblock_5 StringEquals_bblock_106 jetty.security… jetty.security… StringEquals_bblock_5 StringEquals_bblock_106 Secret Guess password aa1234 password pa12cd password … Secret=‘pass’ mypass a1b2c3 Time Time Guess=‘a’ Guess=‘abcdefgh’ Guess=‘abcd’ Guess=‘abcde’ Guess=‘abc’ Guess=‘ab’ Guess=‘b’ mypass mypa … … Time Time Time Time Public Input (Guess) Public Input (Guess) Public Input (Guess) Public Input (Guess) Public Input (Guess) Public Input 9

  10. Functional Case Motivation Side Channels Studies

  11. Secret Input Secret Input Secret Input Secret Input Secret Input Output Output Output Output Output “1010” “1010” “1010” “110” 1025 24 5 5 3 “110” Public Input Public Input Public Input Public Input Public Input “1000” “101” “10” “1” “0” Time Time Time Time Time 40 32 4 2 2 Time secret = “1010” secret = “110” p1 p2 … pN Public Input 11

  12. Attacker’s Local Observations Attacker’s Remote Observations s%2=1 | s%2=0 Time (ms) Time (ms) s%2=1 s%2=1 6 6 5 5 4 4 s%2=0 s%2=0 3 3 2 2 1 1 p1 p2 … pN p1 p2 … pN Public Input Public Input s%2=0 s%2=1 s%2=1 Time (ms) Time (ms) 6 6 5 5 4 4 s%2=0 s%2=0 3 3 2 2 1 1 p1 p2 … pN p1 p2 … pN Public Input Public Input 12

  13. Point-wise Noninterference: Nilizadeh et al., ICSE’19 P1 P2 Time Time Public Input Public Input “011” “1010” “1010” “1111” “1111” “011” “0” “1” “011” “1111” Functional Noninterference: Tizpaz-Niari et al., NDSS’20 Time Time Public Input Public Input 13

  14. Clustering: Distinguishable Functional Observations

  15. dist ( f 0 , f 4 ) > ϵ f 20 f 8 f 4 Time Time f 0 p1 p2 … pN p1 p2 … pN Public Input Public Input ( f 0 , f 8 ) in the same cluster ! ( f 0 , f 20 ) in the same cluster ! ( f 0 , f 4 ) in the same cluster ! 15

  16. Classification: Root Cause of Timing Side Channels

  17. Secret Public “110” “0” “110” “1” Instrumented Program “110” “00” … … BasicBlock_13 Basic_Block_18 “0110” “0” “0110” “1” BasicBlock_13 Basic_Block_18 “0110” “00” … … Secret = “0110” Secret = “0110” Secret = “110” Secret = “110” BasicBlock_13 Basic_Block_18 BasicBlock_13 Basic_Block_18 Public 1 “01” 2 1 2 “111” 3 3 1 3 “1101” 1 4 4 4 … … … … min(3,y) 1 * y min(4,y) 1 * y 17

  18. Secret Public “110” “0” “110” “1” Instrumented Program “110” “00” … … BasicBlock_13 Basic_Block_18 “0110” “0” “0110” “1” BasicBlock_13 Basic_Block_18 “0110” “00” … … Secret = “0110” Secret = “0110” Secret = “110” Secret = “110” Secret Basic_Block_18 BasicBlock_13 … Label BasicBlock_13 Basic_Block_18 BasicBlock_13 Basic_Block_18 “1” min(1,y) y … Public “10” min(2,y) y … 1 “01” 2 1 2 “110” min(3,y) y … “111” 3 3 1 3 “1101” “1101” min(4,y) y … 1 4 4 4 “0110” min(4,y) y … … … … … …. … … … min(3,y) 1 * y min(4,y) 1 * y 18

  19. Functional Case Motivation Side Channels Studies

  20. Regular Expressions in Java (#Methods: 620)

  21. Regex Library java.util.regex.Pattern. java.util.regex.Patter call_bblock_10 n. Slice_bblock_3964 java.util.regex.Pattern. java.util.regex.Patter call_bblock_10 n. Slice_bblock_3964 Secret Guess “abc123” “aa123” “abc123” “mypa" “abc123” … “mypass” “aa123” “mypass” “mypa” Time (micro-s) Time (micro-s) … … Public Input Public Input 21

  22. Regex Library java.util.regex.Pattern. java.util.regex.Patter call_bblock_10 n. Slice_bblock_3964 java.util.regex.Pattern. java.util.regex.Patter call_bblock_10 n. Slice_bblock_3964 Secret Guess “abc123” “aa123” “abc123” “mypa" “abc123” … “mypass” “aa123” “mypass” “mypa” Time (micro-s) Time (micro-s) … … Public Input Public Input 22

  23. iControl-SOAP (User Credential) #Method: 41,541 Java X (Crypto) #Method: 63 SnapBuddy (Social Network) #Method: 3,071 Stegosaurus (Message Service) #Method: 273

  24. Thank you for your attention! Saeid.Tizpazniari@colorado.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

978 views • 42 slides
Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

1.24k views • 102 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurlien Francillon Whats this all about? - A nov novel attack ex exploiting g EM side

886 views • 77 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Part I: Functional Programming A pure functional program consists of data, functions, and an

Part I: Functional Programming A pure functional program consists of data, functions, and an

Part I: Functional Programming A pure functional program consists of data, functions, and an expression which describes a result. Missing: variables, assignment, side-effects. A processor of a functional program is essentially a

833 views • 36 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races CS 563 Young Li 10/31/18 Intel Software Guard eXtensions (SGX) and Hyper-Threading What is Intel SGX? Set of CPU instructions Present in

718 views • 44 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon, Vyas Sekar Michael K. Reiter Co-residency side-channel attacks in clouds Stealing secrets (e.g., keys) VM VM VM Machine Machine Many

1.03k views • 69 slides
Cognitive Asessment for the Determination of Mental Residual Functional Capacity David J.

Cognitive Asessment for the Determination of Mental Residual Functional Capacity David J.

Cognitive Asessment for the Determination of Mental Residual Functional Capacity David J. Schretlen, PhD OIDAP Meeting April 29, 2009 Person-Side Job-Side Abstract/ Hypothetical Level 5 Mental/ Interpersonal/ Things Data People

669 views • 47 slides
CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert

CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert

CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation Robert Brotzman, Shen Liu, Danfeng Zhang, Gang Tan, Mahmut Kandemir Pennsylvania State University Cache Side Channels Process Data CPU Cache Program Side

390 views • 20 slides
Loose Ends: Side Channels, Government Surveillance & Targeted

Loose Ends: Side Channels, Government Surveillance & Targeted

CSE 484 / CSE M 584: Computer Security and Privacy Loose Ends: Side Channels, Government Surveillance & Targeted Attacks Spring 2015 Franziska

622 views • 27 slides
Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer Security Transient execution and kernel isolation: Meltdown Day 11: Side Channels and Transient Execution Stephen McCamant Transient execution and kernel

496 views • 4 slides
tidyfun : Tidy Functional Data A new framework for working with functional data in R Fabian Scheipl

tidyfun : Tidy Functional Data A new framework for working with functional data in R Fabian Scheipl

tidyfun : Tidy Functional Data A new framework for working with functional data in R Fabian Scheipl 1 Jeff Goldsmith 2 1 : Dept. of Statistics, LMU Munich 2 : Columbia University Mailman School of Public Health Functional Data Painful to work with:

969 views • 61 slides
Groups, Formal Language Theory and Decidability Sam Jones Supervised by: Rick Thomas Department

Groups, Formal Language Theory and Decidability Sam Jones Supervised by: Rick Thomas Department

Groups, Formal Language Theory and Decidability Sam Jones Supervised by: Rick Thomas Department of Computer Science, University of Leicester August 2013 1 What is an algorithm? Informally: A finite sequence of steps to follow in order to

289 views • 16 slides
CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ This

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ This

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ This Week Beyond Theory of Computation: Computational Complexity Reading: Sipser Chapter 7 Not covered in final exam Revisit

521 views • 22 slides
Weather Typing as a Potential Tool to Analyze Tropical-Extratropical Interactions ngel G.

Weather Typing as a Potential Tool to Analyze Tropical-Extratropical Interactions ngel G.

Advanced School on Tropical-Extratropical Interactions Weather Typing as a Potential Tool to Analyze Tropical-Extratropical Interactions ngel G. Muoz agms@princeton.edu Atmospheric and Oceanic Sciences (AOS). Princeton University Advanced

584 views • 29 slides
Part 2 MDL in L in Ac Actio ion Jilles V Vreeke ken 1 Explicit Coding Ad hoc sounds bad,

Part 2 MDL in L in Ac Actio ion Jilles V Vreeke ken 1 Explicit Coding Ad hoc sounds bad,

Part 2 MDL in L in Ac Actio ion Jilles V Vreeke ken 1 Explicit Coding Ad hoc sounds bad, but is it really? Bayesian learning for instance, is in inherent ntly ly subjectiv ive, plus biasing search is a time-honoured tradition in

676 views • 52 slides
W HAT IS LOGISTICS ? Logistics is the design and administration of systems to control movement

W HAT IS LOGISTICS ? Logistics is the design and administration of systems to control movement

L OGISTICS & EOQ M ODEL P ROFESSOR D AVID G ILLEN (U NIVERSITY OF B RITISH C OLUMBIA ) & P ROFESSOR B ENNY M ANTIN (U NIVERSITY OF W ATERLOO ) Istanbul Technical University Logistic Management in Air Transport Air Transportation

826 views • 69 slides
Charm baryons on the lattice M. PADMANATH Institute for Physics, University of Graz, Graz,

Charm baryons on the lattice M. PADMANATH Institute for Physics, University of Graz, Graz,

Charm baryons on the lattice M. PADMANATH Institute for Physics, University of Graz, Graz, Austria. CHARM 2015 May 21, 2015 Collaborators : R. G. Edwards, N. Mathur and M. Peardon (For HSC) Acknowledgements : TIFR, Mumbai &

623 views • 60 slides
Peter Brown Chairman of the Board 1 2008 AGM agenda 1. Official Business of the Meeting

Peter Brown Chairman of the Board 1 2008 AGM agenda 1. Official Business of the Meeting

August 8, 2008 message from Peter Brown Chairman of the Board 1 2008 AGM agenda 1. Official Business of the Meeting Terrence A. Lyons, Lead Director 2. Fiscal 2008 and the Years Ahead Paul D. Reynolds, President & CEO 3. Audience

621 views • 12 slides
Selected Exposures Financial Stability Board | 2 Results as at 30.06.2009 Disclaimer Figures

Selected Exposures Financial Stability Board | 2 Results as at 30.06.2009 Disclaimer Figures

1 based on recommendations of the Selected Exposures Financial Stability Board | 2 Results as at 30.06.2009 Disclaimer Figures included in this presentation are unaudited. This presentation includes forward-looking statements based on current

373 views • 18 slides

More recommend