predictive mitigation of timing channels in interactive
play

Predictive Mitigation of Timing Channels in Interactive Systems - PowerPoint PPT Presentation

Dec 02, 2023 •270 likes •664 views

Predictive Mitigation of Timing Channels in Interactive Systems Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell University CCS 2011 Timing Channels Hard to detect and prevent 10/20/2011 2 Timing Channels: Examples Cryptographic

  1. Predictive Mitigation of Timing Channels in Interactive Systems Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell University CCS 2011

  2. Timing Channels Hard to detect and prevent 10/20/2011 2

  3. Timing Channels: Examples • Cryptographic timing attacks [Kocher 96, Brumley&Boneh 05, Osvik et. al. 06] – RSA, AES keys are leaked by decryption time • Cross-site timing attacks [Bortz&Boneh 07] – Load time of a web-page reveals login status, as well as the size and contents of shopping cart • Use as covert channels [Meer&Slaviero 07] – Transmit confidential data by controlling response time, e.g., combined with SQL injection • Timing channels are big threats to security! 10/20/2011 3

  4. Timing Channel Mitigation • Limitations of known approaches – Delay to the worst-case execution time – bad performance – Add random delays – linear leakage – Input blinding – specialized to cryptography • Our solution: – Asymptotically logarithmic leakage – Effective in practice – Applies to general computation 10/20/2011 4

  5. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 5

  6. Background: Predictive Black-Box Mitigation of Timing Channels (CCS’10) source delayed events events buffer system mitigator Issue events according to schedules Strong attacker model : timing of source events may be controlled 10/20/2011 6

  7. Example: Doubling When mitigator expects to deliver events predictions time S(2) S(4) S(6) S(8) S(10) S(12) S(14) Mitigator starts with a fixed schedule S S(i) – prediction for i -th event 10/20/2011 7

  8. Example: Doubling misprediction events X time S(2) S(4) S(6) S(8) S(10) S(12) S(14) When event comes before or at the little information leaked prediction – delay the event 10/20/2011 8

  9. Example: Doubling new schedule events X time S(2) S 2 (3) S 2 (4) S 2 (5) S 2 (6) S 2 (7) S 2 (8) Adversary observes mispredictions information leaked! New fixed schedule S 2 penalizes the event source 10/20/2011 9

  10. Example: Doubling Epoch : period of time during which mitigator meets all predictions X time S(2) S 2 (3) S 2 (4) S 2 (5) S 2 (6) S 2 (7) S 2 (8) epoch 1 epoch 2 Little information leaked in each epoch 10/20/2011 10

  11. Leakage & Variations Variations observable by the attacker • Leakage measurement (log of # timing variations) – Also bounds • mutual information (Shannon entropy) • min-entropy 10/20/2011 11

  12. Important Features • Information leaks via mispredictions ! • General class of timing mitigators – Doubling scheme 2 T (log ) Leakage ≤ O bits – Adaptive transitions – ... 10/20/2011 12

  13. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 13

  14. Insight: Use Public Information • Previous black-box model safe – No misprediction: events delivered according to schedule – Misprediction: entire schedule is statically determined (difficult for interactive systems) Mitigator No misprediction ? source events delayed events Yes Schedule Generator current schedule 10/20/2011 14

  15. Insight: Use Public Information • Previous black-box model – Schedule is dynamically calculated by prediction algorithm – No misprediction: schedule is deterministic given public info. – Misprediction: select a new prediction algorithm safe Mitigator No misprediction ? source events delayed events Yes Algorithm any public current prediction Generator algorithm information 10/20/2011 15

  16. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 16

  17. Public Information • Public information in interactive systems – Request types : public payloads in requests, such as URLs • www.example.com/index.html vs. www.example.com/background.gif – Public information in system : such as input times – Concurrency model source delayed inputs events events secrets buffer stem system mitigator non-secrets 10/20/2011 17

  18. Prediction with Public Information prediction algorithm Epoch # • Prediction for request type r : p (N, r) • Schedule (output time) for i th event in the N th epoch – Single thread Start time Handling time – Multiple, concurrent threads • Calculated in similar ways Schedules are computed dynamically within each epoch using only public information 10/20/2011 18

  19. Information Leakage • Information still leaks via mispredictions ! • Formal result # of epochs # of messages   Leakage ≤ bits N log( M 1 ) 10/20/2011 19

  20. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 20

  21. Penalty Policy ̶ What misprediction X Type 1 time S(2) S(4) S(6) S(8) S(10) S(12) S(14) Type 2 time S(2) S(4) S(6) S(8) S(10) S(12) S(14) Penalty policy – Which type should be penalized? – How much it should be penalized? 10/20/2011 21

  22. Penalty Policy ̶ Why # of epochs # of messages   Leakage ≤ bits N log( M 1 ) • Concurrency & request types also bring new threats • Request types are penalized separately (local penalty policy) – Attacker controls the timing of R request types • N is proportional to R • Penalize all request types (global penalty policy) – Performance is bad 10/20/2011 22

  23. Grace Period Penalty Policy • Better trade off? – Information leaks via mispredictions ! – “Well - behaved” types • Few mispredictions, leak little information • Share little penalty from other types • l -level grace period policy – type i is penalized by other types only when it triggers more than l mispredictions 10/20/2011 23

  24. Leakage Analysis • Difficult for general penalty policies – Influences between request types – Different predictions – Need to consider all possible input sequences • Principled way of bounding total leakage – Transform into optimization problem with R constraints (formal proof & details provided in paper) # request types 10/20/2011 24

  25. Leakage Analysis Leakage running time # of messages  – Global: O (log T log M ) # request types   – Local: ( log log ) O R T M  – Grace period: O (log T log M ) • Better trade-off 10/20/2011 25

  26. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 26

  27. Composition of Mitigators • Security guarantee on an interactive system that is – composed of mitigated subsystems • Decompose complicated systems into 2 gadgets – Sequential – Parallel 10/20/2011 27

  28. Sequential Case ? 10 bits O 1 O 2 RSA S M 1 S 2 M 2 Theoretical results – Leakage in O 2 ≤ Leakage in O 1 – Valid for • mutual information • min-entropy 10/20/2011 28

  29. Parallel Case 10 bits O 1 ? M1 S RSA M2 20 bits O 2 Theoretical result – Leakage in O 1 and O 2 ≤ Leakage in O 1 + Leakage in O 2 10/20/2011 29

  30. Outline • Background on predictive black-box mitigation (CCS’10) • Predictive mitigation for interactive systems (e.g., web services) – Prediction with public information – Generalized penalty policy & leakage analysis – Composition of mitigators • Evaluation 10/20/2011 30

  31. Evaluation Real-world web applications (with HTTP(S) proxy) M Local network Real-world applications Proxy Client 10/20/2011 31

  32. Mitigating Proxy 10/20/2011 32

  33. Evaluation Measurements – Performance : round-trip latency from the client side – Security : leakage bounds in bits 10/20/2011 33

  34. Experiments with Web Applications Parameters – 5-level grace period policy – Doubling scheme – Various request types • TYPE/HOST • HOST+URLTYPE • TYPE/URL 10/20/2011 34

  35. Experiments with Web Applications Mitigating department homepage via HTTP ( 49 different requests) – Predictive mitigation gains good balance ( HOST+URLTYPE ) • About 30% latency overhead • At most 850bits for 100,000 inputs 30% Performance Security 10/20/2011 35

  36. Experiments with Web Applications Mitigating department webmail server via HTTPS – Secure-sensitive (URL is encrypted) – At most 300 bits for 100,000 inputs – At most 450 bits for 32M inputs (1 input/sec for one year) Less than 1 second Performance Security 10/20/2011 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell

Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell

Language-Based Control and Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell Harvard Cornell PLDI 2012 Timing Channels Hard to detect and prevent 2 Timing Channels: Examples

662 views • 30 slides
New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng Zhang, Aslan Askarov) Timing channels e adversary can learn (a lot) from timing measurements. Known to exist Hard to detect Hard to prevent

639 views • 40 slides
Timing of Consciousness 1. Eagleman: is perception predictive, online, or

Timing of Consciousness 1. Eagleman: is perception predictive, online, or

4/25/17 Diffusion model of a perceptual decision I.e. integrates the difference between evidence for and against Timing of Consciousness 1. Eagleman: is perception predictive, online, or postdictive 2. Libet: subjective

383 views • 5 slides
GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GAARDIAN GNSS AVAILABILITY ACCURACY RELIABILITY anD GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation A Technology Strategy Board funded collaboration Charles Curry, B.Eng, FIET MD

513 views • 25 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale University http://dedis.cs.yale.edu/ Ramakrishna Gummadi University of Massechusetts Amherst CCSW, October 8, 2010 Timing Attacks Cooperative attacks

471 views • 30 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek

Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek

Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek Samotyja 1 Kerstin Lemke-Rust 1 Christof Paar 2 1 Bonn-Rhein-Sieg University of Applied Sciences, Germany 2 Ruhr University Bochum, Germany December 4, 2014

197 views • 18 slides
Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet Austin, TX Lawrence Berkeley National Laboratory Sept, 13, 2016 Table of Contents Introduction Something Important Part 1: Multi-Notice

862 views • 52 slides
Integrating Predictive Models with Interactive Visualization Jian Zhao, Ph.D. , Assistant

Integrating Predictive Models with Interactive Visualization Jian Zhao, Ph.D. , Assistant

Integrating Predictive Models with Interactive Visualization Jian Zhao, Ph.D. , Assistant Professor Cheriton School of Computer Science University of Waterloo www.jeffjianzhao.com | jianzhao@uwaterloo.ca Short bio Researcher Assistant

972 views • 65 slides
Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang The Big Picture Marks Basic graphical elements in an image Channels Visual channels to control the

667 views • 43 slides
Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . .

Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . .

Predictive vs. . . . Remaining Problem: . . . Need for Formalization What Do We Mean by . . . Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . . Proof for Predictive Case from the Best Explanatory

900 views • 28 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Predictive Analytics for Capacity Planning HIC 2015 Andrae Gaeth What is predictive

Predictive Analytics for Capacity Planning HIC 2015 Andrae Gaeth What is predictive

Evaluating Predictive Analytics for Capacity Planning HIC 2015 Andrae Gaeth What is predictive analytics? Predictive analytics is the practice of extracting information from existing data sets, and then applying various techniques (eg,

452 views • 15 slides
Other Communication Channels Select channels of communication that will reach your audiences.

Other Communication Channels Select channels of communication that will reach your audiences.

Other Communication Channels Select channels of communication that will reach your audiences. During Preplanning Ask: Which channels are available? (Consider your schedule and resources.) Which channels will target audiences find

280 views • 12 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Whats wrong with the world today? Joseph Bonneau (University of Cambridge) Whats in a Name?

Whats wrong with the world today? Joseph Bonneau (University of Cambridge) Whats in a Name?

N EW D IRECTIONS IN D IGITAL P ROTEST Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Financial Crypto Rump Session Tenerife, Spain January 26, 2010 Joseph Bonneau (University of Cambridge) Whats in a Name? January 26, 2010 1 / 9

431 views • 24 slides
Effective Workplace Writing 1 Professional Writing How do you feel about this sentence? After

Effective Workplace Writing 1 Professional Writing How do you feel about this sentence? After

Professional Writing Effective Workplace Writing 1 Professional Writing How do you feel about this sentence? After establishing the efficacy of leveraging the capacities of the employee-management interface, management opportunities will be

567 views • 44 slides
TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer,

TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer,

TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer, Mark Spear, Alexandru Totolici, Sara Bainbridge, Kalan MacRow, Robert Sumi, Quinlan Jung, Dennis Tjandra, David Williams-King, William Aiello, Andrew

567 views • 29 slides
DSA BOF #DebConf16 Agenda delegation membership looking back moving forward

DSA BOF #DebConf16 Agenda delegation membership looking back moving forward

DSA BOF #DebConf16 Agenda delegation membership looking back moving forward service requirements port requirements port status contact us Delegation (what do we do) Maintaining the user database (LDAP).

452 views • 13 slides
Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability K Royal ,

Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability K Royal ,

April 4, 2019 Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability K Royal , Director, Consulting, TrustArc Margaret Gloeckle , Privacy & Compliance Counsel, A+E Networks Debra Bromson , Assistant General

493 views • 35 slides
Understanding the use of stolen account credentials by cybercriminals Gianluca Stringhini

Understanding the use of stolen account credentials by cybercriminals Gianluca Stringhini

Understanding the use of stolen account credentials by cybercriminals Gianluca Stringhini University College London Abuse on online services [NDSS2017] [NDSS2013] [ACSAC2010] Malware Spam [AsiaCCS2017] [TDSC2016] [USENIX2011]

325 views • 17 slides
Darwinism via Forensics People Make Dumb Decisions With Todays Technology Bill Dean, CCE

Darwinism via Forensics People Make Dumb Decisions With Todays Technology Bill Dean, CCE

Darwinism via Forensics People Make Dumb Decisions With Todays Technology Bill Dean, CCE Senior Manager, LBMC Information Security February 7, 2017 Todays Agenda Digital Forensics Basics How Does it work? Applicable Case Studies

646 views • 40 slides
Using Secure Internet and Technology to Support Education in Prison Agenda *** Webinar will be

Using Secure Internet and Technology to Support Education in Prison Agenda *** Webinar will be

November 7, 2019 Using Secure Internet and Technology to Support Education in Prison Agenda *** Webinar will be recorded *** Introduction from Vera Current State and Lessons Learned from North Carolina, Iowa, and Wisconsin Q&A

251 views • 21 slides

More recommend