prevention of microarchitectural covert channels on an
play

Prevention of Microarchitectural Covert Channels on an Open-Source - PowerPoint PPT Presentation

Feb 06, 2023 •166 likes •750 views

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

  1. Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Gürkaynak Luca Benini Gernot Heiser

  2. Outline 1. Covert channels? 2. Measure 3. Mitigate 4. Costs 5. Conclusion Integrated Systems Laboratory 2

  3. Covert Channel security boundary File System Mail Client Supervisor (OS) Hardware Integrated Systems Laboratory 3

  4. Covert Channel security boundary File System Mail Client Supervisor (OS) Hardware Integrated Systems Laboratory 4

  5. Microarchitectural Timing Channel security boundary Application A Application B Trojan Spy Integrated Systems Laboratory 5

  6. Microarchitectural Timing Channel security boundary Application A Application B Trojan Spy Indirectly modify Measure execution depending on secret time Microarchitectural State Temporally shared HW Integrated Systems Laboratory 6

  7. Example: D$ Timing Channel D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 7

  8. Example: D$ Timing Channel – Prime D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 8

  9. Example: D$ Timing Channel – Prime D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 9

  10. Example: D$ Timing Channel – Context switch D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 10

  11. Example: D$ Timing Channel – Encode s D$ Application A Trojan Main memory s lines Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 11

  12. Example: D$ Timing Channel – Encode s D$ Application A Trojan Main memory s lines Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 12

  13. Example: D$ Timing Channel – Context Switch D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 13

  14. Example: D$ Timing Channel – Probe D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 14

  15. Example: D$ Timing Channel – Probe D$ Application A Trojan Main memory s lines Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 15

  16. Spatial Partitioning D$ Application A Trojan OS Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 16

  17. Spatial Partitioning D$ Application A Trojan OS Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 17

  18. Temporal Partitioning D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 18

  19. Temporal Partitioning OS : Flush D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 19

  20. Temporal Partitioning D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 20

  21. Temporal Partitioning OS : Flush D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 21

  22. Temporal Partitioning D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 22

  23. Temporal Partitioning OS : Flush D$ Application A Trojan Main memory Application B Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 23

  24. Flush: SW Approach D$ Application A OS OS OS Trojan OS Main memory OS Application B OS OS OS Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 24

  25. Evaluation Platform • FPGA (Genesys 2) @50MHz • Add timer peripheral and 512KiB LLC [3] Hardware platform Ariane RV64GC core [4] • Write-through 32KiB L1D$ and 16KiB L1I$ • 16-entry DTLB, 16-entry BTB, 64-entry BHT Integrated Systems Laboratory 25

  26. Evaluation Platform Formally verified  Kernel by Data61 • • Focus on security Supervisor seL4 microkernel [5] • Port to Ariane • Enable cache colouring of LLC • FPGA (Genesys 2) @50MHz • Add timer peripheral and 512KiB LLC [3] Hardware platform Ariane RV64GC core [4] • Write-through 32KiB L1D$ and 16KiB L1I$ • 16-entry DTLB, 16-entry BTB, 64-entry BHT Integrated Systems Laboratory 26

  27. Evaluation Platform Channel bench [1] • Measure covert channels on ARM/x86 • Application Port to RISC-V Tailor attacks to Ariane‘s  Arch • Formally verified  Kernel by Data61 • • Focus on security Supervisor seL4 microkernel [5] • Port to Ariane • Enable cache colouring of LLC • FPGA (Genesys 2) @50MHz • Add timer peripheral and 512KiB LLC [3] Hardware platform Ariane RV64GC core [4] • Write-through 32KiB L1D$ and 16KiB L1I$ • 16-entry DTLB, 16-entry BTB, 64-entry BHT Integrated Systems Laboratory 27

  28. Channel Bench Output: L1 D$ s 0 107 t 0 83316 s 1 11 t 1 80209 s 2 112 t 2 82069 s 3 235 t 3 88152 s 4 246 t 4 88856 s 5 152 t 5 86627 Integrated Systems Laboratory 28

  29. Channel Matrix: L1 D$ N = 10 6 Integrated Systems Laboratory 29

  30. Channel Matrix: L1 D$ N = 10 6 Integrated Systems Laboratory 30

  31. Channel Matrix: L1 D$ N = 10 6 M = 1667.3 mb Integrated Systems Laboratory 31

  32. Channel Bench Output: L1 D$ s 0 107 t 0 83316 s 1 11 t 1 80209 s 2 112 t 2 82069 s 3 235 t 3 88152 s 4 246 t 4 88856 s 5 152 t 5 86627 M Integrated Systems Laboratory 32

  33. Channel Bench Output: L1 D$ s 0 107 t 0 83316 s 0 107 t 3 88152 s 1 11 t 1 80209 s 1 11 t 5 86627 t 1 80209 s 2 112 t 2 82069 s 2 112 Shuffle s 3 235 t 3 88152 s 3 235 t 4 88856 s 4 246 t 4 88856 s 4 246 t 0 83316 s 5 152 t 5 86627 s 5 152 t 2 82069 0 M 𝑁 0 Integrated Systems Laboratory 34

  34. Channel Bench Output: L1 D$ s 0 t 2 s 0 t 1 s 1 t 1 s 1 t 2 s 0 107 t 0 83316 s 0 107 t 3 88152 s 2 t 0 s 2 t 0 s 3 t 4 s 3 t 3 s 1 11 t 1 80209 s 1 11 t 5 86627 s 4 t 3 s 4 t 4 s 5 t 5 s 5 t 5 t 1 80209 s 2 112 t 2 82069 s 2 112 1 2 𝑁 0 𝑁 0 Shuffle Repeat s 3 235 t 3 88152 s 3 235 t 4 88856 s 0 t 5 s 0 t 5 s 1 t 2 s 1 t 4 s 4 246 t 4 88856 s 4 246 t 0 83316 s 2 t 0 s 2 t 0 s 3 t 1 s 3 t 3 s 5 152 t 5 86627 s 5 152 t 2 82069 s 4 t 3 s 4 t 1 s 5 t 4 s 5 t 2 0 𝑁 𝑁 0 3 4 𝑁 0 𝑁 0 ∗ 𝑁 0 : 95% confidence interval of 𝑁 0 𝑁 > 𝑁 0 ⇒ covert channel! Integrated Systems Laboratory 35

  35. Channel Matrix: L1 D$ N = 10 6 M = 1667.3 mb M 0 = 0.5 mb Integrated Systems Laboratory 36

  36. Flush: SW Approach D$ Application A OS OS OS Trojan OS Main memory OS Application B OS OS OS Spy (1) Spy: (2) OS: (3) Trojan: (4) OS: (5) Spy: Prime Cont. sw. Encode s Cont. sw. Probe Integrated Systems Laboratory 37

  37. Software Mitigation: L1 D$ Channel Unmitigated L1 D$ prime on context switch N = 10 6 , M = 1667.3 mb, M 0 = 0.5 mb N = 10 6 , M = 1471.5 mb, M 0 = 0.6 mb Integrated Systems Laboratory 38

  38. Software Mitigation: L1 D$ Channel Single L1 D$ prime on context switch Double L1 D$ prime on context switch N = 10 6 , M = 1471.5 mb, M 0 = 0.6 mb N = 10 6 , M = 515.7 mb, M 0 = 1.1 mb Integrated Systems Laboratory 39

  39. Temporal Fence Instruction ( fence.t ) Integrated Systems Laboratory 40

  40. Temporal Fence Instruction ( fence.t ) fence.t select [4] Integrated Systems Laboratory 41

  41. Temporal Fence Instruction ( fence.t ) + Pipeline [4] Integrated Systems Laboratory 42

  42. fence.t : L1 D$ Channel Flush targeted components Unmitigated on context switch N = 10 6 , M = 1667.3 mb, M 0 = 0.5 mb N = 10 6 , M = 7.7 mb, M 0 = 1.4 mb Integrated Systems Laboratory 43

  43. fence.t : L1 D$ Channel Flush targeted components Unmitigated on context switch … but wait! N = 10 6 , M = 1667.3 mb, M 0 = 0.5 mb N = 10 6 , M = 7.7 mb, M 0 = 1.4 mb Integrated Systems Laboratory 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Chupja Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1

627 views • 38 slides
COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1

1.05k views • 50 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels Kang-Hee Cho and Si-Hyeon Lee School of Electrical Engineering KAIST 2020 ISIT 1 / 14 Covert Communication ^ Y n W Decoder X n W P n Encoder

386 views • 15 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire dInformatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18 Introduction

784 views • 18 slides
The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and

The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and

The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and algorithms In honor of Derek Corneils contributions to graph theory and computer science C probe graphs Given a graph class C , a graph G = ( V ,

557 views • 16 slides
DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1

DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1

DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1 Userspace DTrace Background Specify triggers on events (function calls) No special support needed Complex functionality builtin threading

310 views • 14 slides
Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z.

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z.

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z. Kalbarczyk, R. K. Iyer European Dependable Computing Conference 2015-09-09 ECE ILLINOIS 1 Department of Electrical and Computer Engineering Dynamic VM

1.08k views • 76 slides
On the spectral features of robust probing security Maria Chiara Molteni 1 Vittorio Zaccaria 2 1

On the spectral features of robust probing security Maria Chiara Molteni 1 Vittorio Zaccaria 2 1

Context Theoretical contribution Applications Complexity Conclusion On the spectral features of robust probing security Maria Chiara Molteni 1 Vittorio Zaccaria 2 1 Dipartimento di Informatica Giovanni Degli Antoni Universit` a degli

1.03k views • 52 slides
Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of Colorado Boulder Proxies Censored User obfs3 proxy Censor-Controlled Network Active Probing obfs3?? Lets confirm! Censored User obfs3 proxy

479 views • 46 slides
Thank you. Two of my coauthors are here today, Derekand the first author, Zander. 1 Let us

Thank you. Two of my coauthors are here today, Derekand the first author, Zander. 1 Let us

Thank you. Two of my coauthors are here today, Derekand the first author, Zander. 1 Let us begin with breakdown of the lighting factors in this scene 2 Heres the scene with direct illumination and no materials. What I want you to notice

1.47k views • 59 slides
DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

# ./jflow.d <- java/lang/Thread.sleep -> Greeting.greet -> java/io/PrintStream.println -> java/io/PrintStream.print -> java/io/PrintStream.write -> java/io/PrintStream.ensureOpen <- java/io/PrintStream.ensureOpen ->

632 views • 34 slides
What is the Vehicle Probe Project? The VPP works with a traffic probe data marketplace

What is the Vehicle Probe Project? The VPP works with a traffic probe data marketplace

What is the Vehicle Probe Project? The VPP works with a traffic probe data marketplace first created in 2008. Three highly qualified vendors (HERE, INRIX and TomTom) were selected by a team of agency members to provide data to agencies

280 views • 14 slides

More recommend