specu sp culative t taint t track cking st stt a comp
play

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp - PowerPoint PPT Presentation

Nov 17, 2022 •18 likes •298 views

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection on for or Transiently Accessed Secrets Ac Jiyong Yu, Mengjia Yan, Artem Khyzha,* Adam Morrison,* Josep Torrellas, Christopher W. Fletcher

  1. Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection on for or Transiently Accessed Secrets Ac Jiyong Yu, Mengjia Yan, Artem Khyzha,* Adam Morrison,* Josep Torrellas, Christopher W. Fletcher University of Illinois at Urbana-Champaign ∗ Tel Aviv University The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  2. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Sc Scope pe: Protecting ng Trans nsient Se Secrets over any Covert Ch Chan annel Transient Covert channel Start speculative Instruction accesses secret transmits secret execution “Access instruction” e.g., Spectre Variant 1: if (addr < N) { // start speculation secret = A[addr]; // access secret d = transmit( secret ); // covert channel } The Blavatnik School of Computer Science 2 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  3. Ad Adver ersary Powerful attacker ● Observes HW resource contention at FF/cycle granularity ● I.e., monitors every uarch covert channel transmit( secret ) ● From within same thread ○ Adjacent SMT context ○ Another core ○ Etc. ○ The Blavatnik School of Computer Science 3 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  4. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Ma Main I Insight of of ST STT It is safe to execute and forward the results of transient access instructions Up until those results reach a covert channel Start speculation Access instruction Covert channel Issue more work early à Lower performance overhead If squash: Execute access + unreachable dependent instructions If no squash : if (addr < N) { Execute after delay Safe to execute secret = A[addr]; Safe to execute secret’ = secret - 1; Delayed/Unreachable d = transmit( secret’ ); } The Blavatnik School of Computer Science 4 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  5. Secu Security definition Non-interference with respect to transiently read data = Arbitrary speculative execution can only leak retired register file state (not arbitrary program memory) Blocks The Universal Read Gadget == many Spectre variants (1, 3, 4, ..), MDS attacks, Meltdown, etc. The Blavatnik School of Computer Science 5 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  6. STT, Informally ST Performance: Walk through (not around) rock == Forward data aggressively Security: Do not fall off rock == Leak zero bits over uarch side/covert channels The Blavatnik School of Computer Science 6 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  7. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Re Rest of talk Start speculative Access instruction Covert channel execution if (addr < N) { 1.) What can form a covert channel? secret = A[addr]; d = transmit( secret ); } ??? 2.) How to protect secrets from covert channels The Blavatnik School of Computer Science 7 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  8. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets 1. 1.) ) What can an for orm a a covert chan annel? à New abstraction for covert channels on spec. machines Find new (classes of) covert channels in the process The Blavatnik School of Computer Science 8 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  9. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Co Cover ert t Ch Channel els are e Ex Explicit or or Im Implicit Explicit channel: Secret passed to instruction w/ input-dependent resource contention Examples: loads, floating point arithmetic Implicit channel: Secret influences the sequence of instructions executed/indirectly influences how those instructions execute Examples: branches, memory dependence speculation The Blavatnik School of Computer Science 9 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  10. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Implici Imp cit Ch Channel els can lea eak k at Pr Prediction an and Re Resolution ti time Prediction time: When predictor state becomes a function of secret Resolution time: When predictor is not a function of secret Example: secret != prediction à squash if (secret) { y++ } à load executes twice! z = *( non-secret ) The Blavatnik School of Computer Science 10 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  11. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Imp Implici cit Ch Channel els ma may y fea eature e Ex Explicit or or Im Implicit br branc nche hes Explicit Branch: control flow instruction (branch, jump, etc.). Implicit Branch: HW branch, “which direction” is observable The implicit branch Example: store-to-load forwarding Re-write load as: * secret = foo; if (secret==non-secret) { bar = *( non-secret ); forward from LSQ } Whether load goes to cache else cache_read( non-secret ) depends on secret ! The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  12. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Putting it all to Pu together The Blavatnik School of Computer Science 12 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  13. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets 2. 2.) Ho ) How t to pr protec ect sec secrets fr s from c m cover ert c cha hannel nnels à Novel HW dynamic taint tracking scheme w/ “Fast Untaint” The Blavatnik School of Computer Science 13 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  14. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Mi Microarchi hitectur ture spe pecifies… 1.) Access instructions … access secrets 2.) Transmit instructions … form explicit channels E.g., access instructions = transmit instructions = loads 3.) Implicit channel branch predicates E.g., store à load forwarding “if load addr == addr of older in-flight store” 4.) Visibility Point (VP): point, after which, speculation is ‘unsafe’ E.g., oldest unresolved branch The Blavatnik School of Computer Science 14 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  15. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Taint propagation in hardware Ta ○ Hardware taints instruction output registers of 1.) Access instructions before Visibility Point (VP) 2.) Instructions with tainted inputs ■ Taint not propagated to memory on stores ■ Tainted values are protected “Visibility Point” (VP) if (addr < N) { Taint shown secret = A[addr]; // access instruction in red secret’ = secret - 1; d = transmit( secret’ ); } The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences 15 Tel Aviv University

  16. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Ne New “ “UnT UnTain aint” ” pr propa pagati tion n in n ha hardw dware ○ Hardware untaints instruction output registers of 1.) Access instructions reached VP 2.) Instructions with all inputs untainted ■ Protection disabled when instr operands become untainted Taint is dynamic over instruction lifetime if (addr < N) { if (addr < N) { Branch resolves secret = A[addr]; secret = A[addr]; secret -= 1; secret -= 1; d = transmit( secret ); d = transmit( secret ); } } Non-trivial! The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University 16

  17. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Who is Wh s aware of taint Only processor core (e.g., rename table) tracks taint Processor memory system does not track taint ● Taint is transparent to SW/Users ● The Blavatnik School of Computer Science 17 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  18. Open Enclave Workshop Speculative Taint Tracking: A Comprehensive Protection for Transiently Accessed Secrets Recall: Us Using taint to block co covert channels Block Explicit Channels: Delay execution of transmit instructions until operands untainted Block Prediction-time Implicit Channels: Delay predictor updates for explicit/implicit branches until untainted Block Resolution-time Implicit Channels: Delay explicit/implicit branch resolution until predicate (operands) untainted The Blavatnik School of Computer Science 18 The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

04. 04. Web Track cking tech chnologies: Br Browser

04. 04. Web Track cking tech chnologies: Br Browser

04. 04. Web Track cking tech chnologies: Br Browser fingerprinting Nataliia Bielova @nataliabielova September 18 th , 2018 Web Privacy course University of Trento

666 views • 44 slides
ITS W Webi binar o on n Track cking ng &amp; &amp; Traci cing App Apps ITS Cor Corporate

ITS W Webi binar o on n Track cking ng &amp; &amp; Traci cing App Apps ITS Cor Corporate

ITS W Webi binar o on n Track cking ng &amp; &amp; Traci cing App Apps ITS Cor Corporate e Mem embers Spea eaker er Prof ofiles es Masahiro Sogabe , Professor of Constitutional Law at Kyoto University Bronwyn E. Howell,

742 views • 4 slides
The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England Olena.doran@uwe.ac.uk BPEX Workshop, Peterborough, 20 March 2013 Boar Taint An offensive odour in the meat of 5-10% of uncastrated male pigs Is

707 views • 22 slides
Know n &amp; Observ ed Hea lth Im p a ct of Fra cking On In -Utero Dev elop m ent Autism Sy nd rom

Know n &amp; Observ ed Hea lth Im p a ct of Fra cking On In -Utero Dev elop m ent Autism Sy nd rom

Know n &amp; Observ ed Hea lth Im p a ct of Fra cking On In -Utero Dev elop m ent Autism Sy nd rom e Disord er P E N E L O P E A L L D E R D I C E P h D , M D iv . Professor Em erita Mem orial University of Newfoundland TO : T H E N L H F R P O C

278 views • 11 slides
Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV Michel Mi chele Sel e Selva vaggi ggi (CP3) (CP3) An Andr drew w Lar Larko koski ski (MIT), Fabi abio Mal altoni (CP CP3) Flavo vor

623 views • 31 slides
Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St

Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St

Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St Stem em-Inf Infest esting ing, and , and Ro Root ot-Fe Feedi eding Inse ng Insect ct and and Mit Mites es Pes Pests ts of of P Pec

584 views • 57 slides
All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
APPLIC LICATION ION OF OF GIS IN IN TRACKING CKING ENVIR VIRONMEN NMENTAL AL DEGRAD

APPLIC LICATION ION OF OF GIS IN IN TRACKING CKING ENVIR VIRONMEN NMENTAL AL DEGRAD

APPLIC LICATION ION OF OF GIS IN IN TRACKING CKING ENVIR VIRONMEN NMENTAL AL DEGRAD RADATION ION IN IN SOUTHE OUTHERN RN VIHIGA HILLS LS: IMPLIC PLICATIONS IONS FOR OR ENVIR IRONMEN MENTAL AL CON ONSER SERVATION ION IN IN

458 views • 15 slides
Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

1.22k views • 85 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
Ki Kicking goals wi cking goals with W th Wat atson; son; for student or students s Lucy

Ki Kicking goals wi cking goals with W th Wat atson; son; for student or students s Lucy

Ki Kicking goals wi cking goals with W th Wat atson; son; for student or students s Lucy Schulz, ATEM Student Service Centres conference 29 th May 2015 Today: Our vision and strategy at

559 views • 31 slides
MassBrowser Unblock cking the Censored Web fo for the Masses, by the Masses Milad Nasr, Hadi

MassBrowser Unblock cking the Censored Web fo for the Masses, by the Masses Milad Nasr, Hadi

MassBrowser Unblock cking the Censored Web fo for the Masses, by the Masses Milad Nasr, Hadi Zolfaghari, Amir Houmansadr, Amirhossein Ghafari University of Massachusetts, Amherst 1 Internet Censorship 2 Censorship Circumvention Tools 3

827 views • 30 slides
COMP 204 Operations on containers: enumerate, zip, comprehension Mathieu Blanchette based on

COMP 204 Operations on containers: enumerate, zip, comprehension Mathieu Blanchette based on

COMP 204 Operations on containers: enumerate, zip, comprehension Mathieu Blanchette based on material from Yue Li, Carlos Oliver Gonzalez and Christopher Cameron 1 / 21 Quiz password 2 / 21 Side-track: a convenient way to format print

584 views • 21 slides
Graph Computation on Computer Cluster? Steep learning curve Cost Overkill for smaller

Graph Computation on Computer Cluster? Steep learning curve Cost Overkill for smaller

MMap Fast Billion-Scale Graph Computation on a PC via Memory Mapping Lead by Zhiyuan (Jerry) Lin Georgia Tech CS Undergrad Now: Stanford 1st year PhD student MMap: Fast Billion-Scale Graph Computation on a PC via Memory Mapping .

130 views • 11 slides
Patterns for Safety-Critical Java Memory Usage Juan Rios 1 Kelvin Nilsen 2 Martin Schoeberl 1 1

Patterns for Safety-Critical Java Memory Usage Juan Rios 1 Kelvin Nilsen 2 Martin Schoeberl 1 1

Motivation Contribution Summary Patterns for Safety-Critical Java Memory Usage Juan Rios 1 Kelvin Nilsen 2 Martin Schoeberl 1 1 Department of Informatics and Mathematical Modelling Technical University of Denmark 2 Atego Systems, Inc. Java

448 views • 33 slides
Twizzler: A Data-Centric OS for Persistent Memory Daniel Bittman Peter Alvaro Pankaj Mehra

Twizzler: A Data-Centric OS for Persistent Memory Daniel Bittman Peter Alvaro Pankaj Mehra

Twizzler: A Data-Centric OS for Persistent Memory Daniel Bittman Peter Alvaro Pankaj Mehra Darrell Long Ethan Miller Center for Research in Storage Systems University of California, Santa Cruz 1 Hardware Trends sys_read ~100-300 ns

196 views • 17 slides
Today Dynamic memory alloca7on Size of data structures

Today Dynamic memory alloca7on Size of data structures

University of Washington Today Dynamic memory alloca7on Size of data structures may only be known at run 6me Need to allocate space on

663 views • 45 slides
Designing a User-Friendly Java NVM Framework Thomas Shull , Jian Huang, Josep Torrellas University

Designing a User-Friendly Java NVM Framework Thomas Shull , Jian Huang, Josep Torrellas University

Designing a User-Friendly Java NVM Framework Thomas Shull , Jian Huang, Josep Torrellas University of Illinois at Urbana-Champaign March 12, 2019 NVMW19 Session 13: Objects II Programming NVM The Good Non-Volatile Memory (NVM) offers

293 views • 27 slides
Blurred Lines: You Got Your Memory in My Storage! Jay Lofstead Scalable System Software Sandia

Blurred Lines: You Got Your Memory in My Storage! Jay Lofstead Scalable System Software Sandia

Blurred Lines: You Got Your Memory in My Storage! Jay Lofstead Scalable System Software Sandia National Laboratories Albuquerque, NM, USA gflofst@sandia.gov ROSS@HPDC 2017 June 27, 2017 SAND2017-2916 PE Sandia National Laboratories is a

446 views • 20 slides
A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain locking 2 3 5 7 11 13 Coarse - grain locking 2 3 5 7 11 13 Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13 Fine -

743 views • 57 slides
Dynamic Memory Alloca/on: Basic Concepts 15-213: Introduc0on

Dynamic Memory Alloca/on: Basic Concepts 15-213: Introduc0on

Carnegie Mellon Dynamic Memory Alloca/on: Basic Concepts 15-213: Introduc0on to Computer Systems 17 th Lecture, Oct. 21, 2010 Instructors: Randy Bryant

563 views • 33 slides

More recommend