Plugging Side-Channel Leaks with Timing Information Flow Control - - PowerPoint PPT Presentation
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access
– Mandatory Access Control (MAC) systems
– Decentralized Information Flow Control (DIFC)
– Processes/VMs sharing a CPU core
– Including VM configurations typical of clouds
– Equalize AES path lengths, cache footprint, …
– Requires new or modified hardware in general
– Can't oversubscribe, stat-mux resources
➔ Not economically feasible in an “elastic” cloud!
– DIFC, Asbestos/HiStar/Flume – Label variables, processes, messages, etc.
– How would one “label time”? – What would we do with “timing labels”?
– Represent ownership of information in the
– Represent ownership of information affecting
Internet: Public Timing Domain Customer A's Private Timing Domain Trusted, Shared Timing Domain
Customer A's Job
Timing Firewall
Remote Customer's Job
Timing Firewall
Public Infrastructure Cloud Provider's Computing/Network Infrastructure unrestricted interaction Physically isolated timing domains
– {Alice,Bob} ≡ “contains Alice's & Bob's data”
– e.g., If process P holds capability {Alice-},
– Tag Af indicates a timing channel might leak
– Tag A indicates a timing channel might leak
– Message channel labeled {A/Bf} indicates:
Alice's Gateway {A+,A-} Bob's Gateway {B+,B-}
Alice Bob Cloud Provider's Infrastructure
Job {A/A∞} Result {A/A∞}
Alice's Compute Server Bob's Compute Server
Job {B/B∞} Result {B/B∞}
Bob's (Short) Job Time unused capacity Alice Submits {A/A∞} Compute Core Schedules Job Done {A/A∞} Alice's Job Bob's (Long) Job Time unused capacity Alice Submits {A/A∞} Compute Core Schedules Job Done {A/A∞} Alice's Job Bob's job is “long” Alice's job completion time not dependent
Bob's job is “short”
Alice's Gateway {A+,A-} Bob's Gateway {B+,B-}
Alice Alice Bob
Job {A/A∞} Result {A/A∞}
Shared Compute Server
Job {B/B∞} Result {B/B∞}
Reservation-Based Scheduler {-/-}
Control {-/-} no demand feedback
Bob's Job Time unused capacity Bob's Job Alice's Job Time Submit {A/A∞} Shared Core Schedule Done {A/A∞} Alice's Job Submit {A/A∞} Done {A/A∞} Alice's job completion time still not dependent on Bob's job Bob's job is short Bob's job is long
– OS/VMM ensures that a job's outputs depend
– Input jobs/messages at any rate – Output jobs/messages on a fixed schedule
Alice's Gateway {A+,A-,Bf-} Bob's Gateway {B+,B-,Af-}
Alice Alice Bob
Job {A/A∞} Result {A/A∞,B∞}
Shared Deterministic Compute Server
Job {B/B∞} Result {B/A∞,B∞}
Demand Scheduler {A,B/A∞,B∞}
Control
{A,B/A∞,B∞}
Demand
{A,B/A∞,B∞}
Pacer freq f Pacer freq f Result {A/Af,Bf} Job {B/B∞} Result {B/Af,Bf}
– The single bit of information per clock tick
Bob's (Short) Job Time Bob's (Long) Job Time Alice's Job {A/A∞} Compute Schedule Result {A/A∞,B∞} Alice's Job {A/A∞} Result {A/A∞,B∞} (b) Schedule: Bob's job short (b) Schedule: Bob's job long Paced result at tick 3 {A/Af,Bf} Pacer Schedule Paced result at tick 4 {A/Af,Bf}
– Potentially applicable at systems or PL levels – Integrate Myers' “predictive mitigation” ideas
– Ongoing, based on Determinator [OSDI '10]
– Can model support interactive applications? – Can model support transactional apps?
– Physical partitioning – Demand-insensitive timesharing – Elastic computing via deterministic job model
– Feasible on unmodified hardware – Suitable for stat-muxed clouds