When Oblivious is Not: Attacks against OPAM WOOT20@USENIX-SECURITY


SLIDE 1

When Oblivious is Not: Attacks against OPAM

WOOT’20@USENIX-SECURITY

Nirjhar Roy (Indian Institute of Technology - Kanpur)
Nikhil Bansal (Indian Institute of Technology - Kanpur)
Gourav Takhar (Indian Institute of Technology - Kanpur)
Nikhil Mittal (Fortanix Inc)
Pramod Subramanyan (Indian Institute of Technology - Kanpur)

SLIDE 2
Presentation Roadmap

  • Introduction
  • Attacks on InvisiPage/OPAM
  • Covert Channels using Reuse Distances and its evaluation
  • Conclusion

SLIDE 3

Enclaves Demystified

Enclaves: hardware-supported environment for isolated execution with strong application-level security guarantees despite the presence of malicious/compromised privileged software

SLIDE 4

Introducing ORAMs

  • Interface between a client and an untrusted server
  • Shuffles the data from time to time
  • Hides access patterns and access frequencies
  • Examples: Square root ORAM, tree-based ORAMs including Path ORAM, Ring ORAM, etc.

[Figure: a client issues Read D[i] through the ORAM interface; the oblivious client then accesses the untrusted server.]

SLIDE 5

ORAM Meets Demand Paging and Enclaves

Threat Model

  • The host OS/apps are considered malicious, trying to find out the access pattern, access frequency, or memory content of the pages being read or written.
  • The OS observes only a random set of (encrypted) pages getting read/written after step 3.
  • The attacker can choose to tamper with the pages, but that will be detected after step 6 in the runtime.
  • Attackers having physical access to the memory will also see ciphertext.

[Figure: numbered steps 1-7 between the enclave app, the runtime, the ORAM interface and the OS. The trusted world inside the enclave is the ORAM client; the untrusted world outside of the enclave, including untrusted memory, is the ORAM server.]

SLIDE 6

Our Contributions

  • Discovering vulnerability in InvisiPage
  • Implementation of a demand paging system inside Keystone
  • Exploiting it to design new attacks:
      ○ The reuse distance attacks
      ○ The level tracking attack
  • Designing a covert channel using Reuse Distances

SLIDE 7

Attacks on InvisiPage

Shaizeen Aga and Satish Narayanasamy. 2019. InvisiPage: oblivious demand paging for secure enclaves. In Proceedings of the 46th International Symposium on Computer Architecture (ISCA ’19).

SLIDE 8

Introduction to Invisipage/OPAM

[Figure: ORAM Path Read for Access (88, Fetch), shown on the metadata tree and the data tree (leaves 0 to 3). Blocks on the path are decrypted, authenticated and checked. Position map: 468 → 0, …, 88 → 2, 250 → 2, 100 → 2; updated position map: 468 → 0, …, 88 → 0, 250 → 2, 100 → 2.]

SLIDE 9

Introduction to Invisipage/OPAM

[Figure: ORAM Path Write/Shuffle for Access (88, Fetch), shown on the metadata tree and the data tree (leaves 0 to 3). All blocks are encrypted, authenticated and sent. Updated position map: 468 → 0, …, 88 → 0, 250 → 2, 100 → 2.]

SLIDE 10

Vulnerability in OPAM (Invisipage)

  • On every page fault or ORAM access, exactly one page gets transferred.
  • The adversary is able to observe which page got exchanged.
  • The transferred page is the page of interest and is definitely NOT a dummy page.
  • The adversary can calculate the number of intervening ORAM accesses.
  • This in fact leaks information and makes OPAM accesses not oblivious.

SLIDE 11
Introducing Reuse Distance Attack

  • Reuse distance: the number of faults between the time a page gets evicted and when the page is brought back to the enclave (i.e., reused).
  • This sequence of reuse distances will be different for different types of memory accesses/applications.
  • We use this fact to distinguish and predict/identify the secret applications running inside the enclave.

SLIDE 12

Example of Reuse Distance Attack

  • The enclave has 2 physical pages available and LRU is used.
  • In Figure (a), every page is reused after 2 page faults.
  • In Figure (b), the reuse distance of the root is 2 because the root node is accessed in every iteration, and the reuse distances of non-root pages are multiples of 2 because non-root pages may or may not be accessed in successive iterations.

[Figure (a): Linear scan over an array, with every reuse distance equal to 2. Figure (b): Repeated binary tree traversal (Iteration 1, Iteration 2, ...), with reuse distances of the form 2k.]

SLIDE 13

Attack Methodology

Training

  • Collect trace of reuse distances for many apps on many inputs
  • Train CNN sequence classifier on these
  • Classes are the different applications

Testing

  • Run app on a new input never seen before
  • Measure classification accuracy

[Figure: numbered steps 1-7 between the enclave app, the runtime and the InvisiPage interface (trusted world inside the enclave, InvisiPage client) and the OS (untrusted world outside of the enclave). Page transfers go through ocalls: on Access (88, Evict) the OS records (88, evict); on Access (88, Fetch) it records (88, Read); it records other faults in the same way.]

SLIDE 14

Methodology

  • Execute with many (~100-200) inputs and collect reuse distance traces
  • Data divided into training and test in 3:1 ratio and evaluation repeated 10 times
  • Reuse distance trace is used as the input feature
  • Random splits of the data into training and test datasets

Secret Application Classification Accuracy (OPAM)

SLIDE 15

Covert Channels Using Reuse Distances

SLIDE 16

Basic Idea

  • Reuse distance leakage provides a covert channel to leak secret information (e.g. input genome data).
  • Engineering the access patterns to cause a particular sequence of page faults and associated reuse distances
  • Interpret the reuse distances to leak the bits

[Figure: Reuse distance covert channel model. The colluding enclave app passes a message to the colluding host OS through page exchanges (paging) with untrusted memory; the host OS traces faults to receive bits.]

SLIDE 17

Threat Model

  • Standard enclave threat model corresponding to a software attacker
  • Enclave RT and the hardware platform are trusted and we do not use microarchitectural side-channels and/or HW access to DRAM

  • Enclave app colludes with host OS to leak sensitive input data
  • Host OS is aware of the encoding used by the enclave application

SLIDE 18

Example of an Encoding With Reuse Distance

  • Application wants to transmit a message 1001, n = 4 and k = 2
  • Page replacement policy is FIFO and enclave has P = 4 pages
  • To transmit a bit 1, reuse distance in range [8, 16) (Pages 1-8)
  • To transmit a bit 0, reuse distance in the range [0, 8) (Pages 9-16)
  • Generate reuse distance sequence (12, 5, 5, 14) corresponding to message 1001

[Figure: access sequence A1 ... A16, A1, A9, A10, A2 with evictions E1 ... E16; the re-accessed pages are annotated RU = 12, RU = 14, RU = 5, RU = 5.]
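The reuse distance defined on slide 11 and the encoding on slide 18, worked through as an added example (not code from the presentation): a FIFO paging simulation produces the fault trace visible to the host OS, and the reuse distances and message bits are recovered from that trace alone. The function names, and counting a distance as the fault number of the re-fetch minus the fault number of the eviction, are assumptions chosen to reproduce the slide's numbers.

```python
from collections import deque


def fifo_fault_trace(accesses, frames):
    """Simulate FIFO demand paging; return one (fetched, evicted) pair per fault.

    This is what an observer outside the enclave sees when every fault
    moves exactly one identifiable page in each direction.
    """
    resident = deque()
    trace = []
    for page in accesses:
        if page in resident:
            continue  # hit: no page crosses the enclave boundary
        evicted = resident.popleft() if len(resident) == frames else None
        resident.append(page)
        trace.append((page, evicted))
    return trace


def reuse_distances(trace):
    """Faults elapsed between each page's eviction and its next fetch."""
    evicted_at = {}
    distances = []
    for fault_no, (fetched, evicted) in enumerate(trace, start=1):
        if fetched in evicted_at:
            distances.append(fault_no - evicted_at.pop(fetched))
        if evicted is not None:
            evicted_at[evicted] = fault_no
    return distances


def decode_bits(distances, threshold=8):
    """Slide 18 encoding: distance in [8, 16) is bit 1, in [0, 8) is bit 0."""
    return "".join("1" if d >= threshold else "0" for d in distances)


# Access sequence taken from slide 18: A1..A16, then A1, A9, A10, A2.
SLIDE18_ACCESSES = list(range(1, 17)) + [1, 9, 10, 2]


def slide18_demo():
    trace = fifo_fault_trace(SLIDE18_ACCESSES, frames=4)
    distances = reuse_distances(trace)
    return distances, decode_bits(distances)


if __name__ == "__main__":
    print(slide18_demo())
```

The same `reuse_distances` function applied to any recorded fault trace yields the feature sequence used by the classification attack, which is why hiding page contents alone does not make the paging oblivious.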

SLIDE 19

Bit Leakage Bandwidth Analysis

  • We see a peak bandwidth with arity 4
  • As we increase k, more data is transmitted with each page fault, but the number of page faults required to set up the algorithm also increases, the overheads associated with the increased number of initial page faults dominate, and we see a steady decline in transmission bandwidth.

SLIDE 20

Conclusions

  • Introduction of a new side-channel attack, the reuse distance attack, which is able to infer confidential information about an enclave’s execution
  • Introduction of a new covert channel using reuse distances
  • Found and systematically exploited a vulnerability in the state-of-the-art approach to secure demand paging for enclaves (InvisiPage/OPAM)

SLIDE 21

In Memory of

Dr. Pramod Subramanyan
8th June 1984 - 8th July 2020

SLIDE 22

Thank you