speculative taint tracking stt tt
play

Speculative Taint Tracking (STT TT): A Comprehensive Protection for - PowerPoint PPT Presentation

Jul 08, 2023 •365 likes •1.22k views

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

  1. Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN ∗ TEL AVIV UNIVERSITY 1

  2. Introduction Speculative Taint Tracking Evaluation Conclusion Processors are Insecure 2

  3. Introduction Speculative Taint Tracking Evaluation Conclusion Processors are Insecure 2

  4. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Execution Attacks Speculation starts // Spectre Variant 1 if (addr < N) { // speculation // access instruction spec_val = load [addr]; // covert channel load [spec_val]; } 3

  5. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Execution Attacks Speculation starts // Spectre Variant 1 if (addr < N) { // speculation Speculative access instruction* accesses secret // access instruction spec_val = load [addr]; // covert channel load [spec_val]; } *: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51 , 2018. 3

  6. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Execution Attacks Speculation starts // Spectre Variant 1 if (addr < N) { // speculation Speculative access instruction* accesses secret // access instruction spec_val = load [addr]; Creates a covert channel // covert channel to leak secret load [spec_val]; } *: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51 , 2018. 3

  7. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Execution Attacks Speculation starts // Spectre Variant 1 if (addr < N) { // speculation Speculative access instruction* addr = accesses secret // access instruction N+1 spec_val = load [addr]; Creates a covert channel // covert channel to leak secret load [spec_val]; } Speculation ends - misspeculation! *: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51 , 2018. 3

  8. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Execution Attacks Speculation starts // Spectre Variant 1 if (addr < N) { // speculation Speculative access instruction* accesses secret // access instruction spec_val = load [addr]; Creates a covert channel // covert channel to leak secret load [spec_val]; } Speculation ends - misspeculation! *: Kiriansky, Vladimir, et al. "DAWG: A defense against cache timing attacks in speculative execution processors." MICRO-51 , 2018. 3

  9. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT 4

  10. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” 4

  11. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires covert operand is if (addr < N) { protection? channel? a secret? // access instruction spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } …… 4

  12. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires covert operand is prediction if (addr < N) { protection? channel? a secret? Speculation // access instruction starts spec_val = load [addr]; // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } …… 4

  13. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires covert operand is if (addr < N) { protection? channel? a secret? Speculation // access instruction starts spec_val = load [addr]; Yes No No // simple arithmetic spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } …… 4

  14. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires covert operand is if (addr < N) { protection? channel? a secret? Speculation // access instruction starts spec_val = load [addr]; Yes No No // simple arithmetic No Yes No spec_val = spec_val + 4; // cache/mem covert channel load [spec_val]; } …… 4

  15. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires covert operand is if (addr < N) { protection? channel? a secret? Speculation // access instruction starts spec_val = load [addr]; Yes No No // simple arithmetic No Yes No spec_val = spec_val + 4; // cache/mem covert channel Yes Yes Yes load [spec_val]; } …… 4

  16. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires Correct covert operand is if (addr < N) { protection? Prediction! channel? a secret? // access instruction spec_val = load [addr]; Yes No No // simple arithmetic No No No Non-speculative spec_val = spec_val + 4; // cache/mem covert channel Yes No No load [spec_val]; } Speculation …… starts 4

  17. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires Correct covert operand is if (addr < N) { protection? Prediction! channel? a secret? // access instruction spec_val = load [addr]; Yes No No // simple arithmetic No No No Non-speculative spec_val = spec_val + 4; // cache/mem covert channel Yes No No load [spec_val]; } Speculation …… starts 4

  18. Introduction Speculative Taint Tracking Evaluation Conclusion Main Insight of STT “Sufficient for security: prevent secrets from reaching covert channels” Creates a Input Requires Incorrect covert operand is if (addr < N) { protection? Prediction! channel? a secret? // access instruction spec_val = load [addr]; Yes No No // simple arithmetic No Yes No Squashed! spec_val = spec_val + 4; // cache/mem covert channel Yes Yes Yes load [spec_val]; } Speculation …… starts 4

  19. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Taint Tracking Secret Covert channels (speculatively accessed data) 5

  20. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Taint Tracking Secret Covert channels (speculatively accessed data) 5

  21. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Taint Tracking Secret Covert channels (speculatively accessed data) What are the covert channels? 5

  22. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Taint Tracking Secret Covert channels (speculatively accessed data) A new classification to understand What are the covert channels? covert channels in speculative machines 5

  23. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Taint Tracking Secret Covert channels (speculatively accessed data) A new classification to understand What are the covert channels? covert channels in speculative machines How to identify all the secrets? 5

  24. Introduction Speculative Taint Tracking Evaluation Conclusion Speculative Taint Tracking Secret Covert channels (speculatively accessed data) A new classification to understand What are the covert channels? covert channels in speculative machines A new taint/untaint mechanism to How to identify all the secrets? track secrets in hardware 5

  25. Introduction Speculative Taint Tracking Evaluation Conclusion A Classification of Covert Channels in HW 6

  26. Introduction Speculative Taint Tracking Evaluation Conclusion Classification of Covert Channels Covert channels Implicit channels Explicit channels Explicit branches Implicit branches Leak on Leak on Leak on Leak on prediction resolution prediction resolution 7

  27. Introduction Speculative Taint Tracking Evaluation Conclusion Classification of Covert Channels Covert channels Implicit channels Explicit channels New! Explicit branches Implicit branches Leak on Leak on Leak on Leak on prediction resolution prediction resolution 7

  28. Introduction Speculative Taint Tracking Evaluation Conclusion Classification of Covert Channels Covert channels Explicit channels: Secret inputs are directly leaked by operand-dependent hardware resource usage load [secret]; 8

  29. Introduction Speculative Taint Tracking Evaluation Conclusion Classification of Covert Channels Covert channels Explicit channels: Secret inputs are directly leaked by operand-dependent hardware resource usage Examples: memory loads data-dependent arithmetic 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that efficiently protects against transient side-channel attacks by executing and selectively forwarding an instruction if it cannot forward a covert

411 views • 21 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk Black Hat USA 2017, Las Vegas Agenda User kernel communication pitfalls in modern operating systems Introduction

1.21k views • 120 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

CS 261: Systems Security Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall 12 Announcements Exam next Wednesday Open book All lectures except for this one Presenter: Pasin No writer, but

533 views • 19 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Ninth IEEE International Symposium on High Performance Distributed Computing, Pittsburgh, Pennsylvania, August 1-4, 2000 Speculative Defragmentation Speculative Defragmentation A Technique to Improve the Communication A Technique to

237 views • 22 slides
Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism MA MARK C. JEFFR FFREY , VICTOR A. YING, SUVINAY SUBRAMANIAN, HYUN RYONG LEE, JOEL EMER, DANIEL SANCHEZ MI MICRO 2018 There is a (false)

1.48k views • 130 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England Olena.doran@uwe.ac.uk BPEX Workshop, Peterborough, 20 March 2013 Boar Taint An offensive odour in the meat of 5-10% of uncastrated male pigs Is

707 views • 22 slides
SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY SUBRAMANIAN, MARK JEFFREY, JOEL EMER, DANIEL SANCHEZ PACT 2017 Executive Summary Analyzes the interplay between hardware multithreading and speculative

370 views • 21 slides
Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the shortfall in the 5 year housing supply Joanne Eynon Environment and Transport What are the issues? Increased pressure from speculative

218 views • 8 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU SUBRAMANIAN , MARK C. JEFFREY, MALEEN ABEYDEERA, HYUN RYONG LEE, VICTOR A. YING, JOEL EMER, DANIEL SANCHEZ IS ISCA 2017 Current speculative systems

984 views • 47 slides
Efficient fine-grain parallelism in shared memory for real-time avionics P. Baufreton Safran

Efficient fine-grain parallelism in shared memory for real-time avionics P. Baufreton Safran

Efficient fine-grain parallelism in shared memory for real-time avionics P. Baufreton Safran V. Bregeon , J. Souyris Airbus K. Didier, D. Potop-Butucaru , G. Iooss Inria Critical real-time on multi-/many-cores All the single-core

459 views • 17 slides
Memory-enhancing techniques for Investigative Interviewing: The Cognitive Interview National

Memory-enhancing techniques for Investigative Interviewing: The Cognitive Interview National

Memory-enhancing techniques for Investigative Interviewing: The Cognitive Interview National Defender Investigator Association September 4, 2008 Austin, TX Dr. Ronald Fisher Department of Psychology Florida International University Miami,

3.31k views • 52 slides
A systems approach to teaching computer systems Jerry Saltzer and Frans Kaashoek {Saltzer,

A systems approach to teaching computer systems Jerry Saltzer and Frans Kaashoek {Saltzer,

A systems approach to teaching computer systems Jerry Saltzer and Frans Kaashoek {Saltzer, kaashoek}@mit.edu Massachusetts Institute of Technology Who are the professors customer? Students? Industry? Universities? Parents?

748 views • 41 slides
Slurm: New NREL Capabilities HPC Operations March 2019 Presentation by: Dan Harris NREL |

Slurm: New NREL Capabilities HPC Operations March 2019 Presentation by: Dan Harris NREL |

Slurm: New NREL Capabilities HPC Operations March 2019 Presentation by: Dan Harris NREL | 1 Sections 1 Slurm Functionality Overview 2 Eagle Partitions by Feature 3 Job Dependencies and Job Arrays 4 Job Steps 5 Job Monitoring

921 views • 41 slides
Utilization and Accuracy Matthew Norman Oak Ridge Leadership Computing Facility

Utilization and Accuracy Matthew Norman Oak Ridge Leadership Computing Facility

Algorithmic Choices that Improve Hardware Utilization and Accuracy Matthew Norman Oak Ridge Leadership Computing Facility https://mrnorman.github.io The Challenge of Accelerated Computing Must reduce power consumption Less cache

542 views • 28 slides
11/26/2015 Big Marijuana Kevin A. Sabet, Ph.D. Director, Drug Policy Institute, University of

11/26/2015 Big Marijuana Kevin A. Sabet, Ph.D. Director, Drug Policy Institute, University of

11/26/2015 Big Marijuana Kevin A. Sabet, Ph.D. Director, Drug Policy Institute, University of Florida Co-Founder, Project SAM (Smart Approaches to Marijuana) www.learnaboutsam.org www.kevinsabet.com What is SAM? A 501(c)(3) non-profit,

497 views • 29 slides
Prepared by Centre for Policy Dialogue (CPD) In partnership with Institute of Architect,

Prepared by Centre for Policy Dialogue (CPD) In partnership with Institute of Architect,

Prepared by Centre for Policy Dialogue (CPD) In partnership with Institute of Architect, Bangladesh (IAB), Aio O Salish Kendra (ASK), Ahsania Mission, ActionAid Bangladesh, Gono ShakkhorotaAbhijan, Transparency International Bangladesh (TIB),

852 views • 52 slides
Not Just a Black Box: Interpretable Deep Learning for Genomics Presented by: AvanA Shrikumar 1

Not Just a Black Box: Interpretable Deep Learning for Genomics Presented by: AvanA Shrikumar 1

Not Just a Black Box: Interpretable Deep Learning for Genomics Presented by: AvanA Shrikumar 1 With great power comes really poor interpretability Deep Power Learning Traditional machine learning Classical statistics 2

984 views • 82 slides

More recommend