Xun Gong,Negar Kiyavash

DOI: https://doi.org/10.48550/arXiv.1403.1276

2014-05-16

Abstract:When multiple job processes are served by a single scheduler, the queueing delays of one process are often affected by the others, resulting in a timing side channel that leaks the arrival pattern of one process to the others. In this work, we study such a timing side channel between a regular user and a malicious attacker. Utilizing Shannon's mutual information as a measure of information leakage between the user and attacker, we analyze privacy-preserving behaviors of common work-conserving schedulers. We find that the attacker can always learn perfectly the user's arrival process in a longest-queue-first (LQF) scheduler. When the user's job arrival rate is very low (near zero), first-come-first-serve (FCFS) and round robin schedulers both completely reveal the user's arrival pattern. The near-complete information leakage in the low-rate traffic region is proven to be reduced by half in a work-conserving version of TDMA (WC-TDMA) scheduler, which turns out to be privacy-optimal in the class of deterministic-working-conserving (det-WC) schedulers, according to a universal lower bound on information leakage we derive for all det-WC schedulers.

Information Theory

Chien-Ying Chen,Sibin Mohan,Rodolfo Pellizzoni,Rakesh B. Bobba,Negar Kiyavash

DOI: https://doi.org/10.1109/RTAS.2019.00016

2019-05-10

Abstract:We demonstrate the presence of a novel scheduler side-channel in preemptive, fixed-priority real-time systems (RTS); examples of such systems can be found in automotive systems, avionic systems, power plants and industrial control systems among others. This side-channel can leak important timing information such as the future arrival times of real-time <a class="link-external link-http" href="http://tasks.This" rel="external noopener nofollow">this http URL</a> information can then be used to launch devastating attacks, two of which are demonstrated here (on real hardware platforms). Note that it is not easy to capture this timing information due to runtime variations in the schedules, the presence of multiple other tasks in the system and the typical constraints (e.g., deadlines) in the design of RTS. Our ScheduLeak algorithms demonstrate how to effectively exploit this side-channel. A complete implementation is presented on real operating systems (in Real-time Linux and FreeRTOS). Timing information leaked by ScheduLeak can significantly aid other, more advanced, attacks in better accomplishing their goals.

Cryptography and Security

Bin Lin,Ananth I. Sundararaj,Peter A. Dinda

DOI: https://doi.org/10.1007/s10586-008-0055-x

2008-01-01

Cluster Computing

Abstract:Most parallel machines, such as clusters, are space-shared in order to isolate batch parallel applications from each other and optimize their performance. However, this leads to low utilization or potentially long waiting times. We propose a self-adaptive approach to time-sharing such machines that provides isolation and allows the execution rate of an application to be tightly controlled by the administrator. Our approach combines a periodic real-time scheduler on each node with a global feedback-based control system that governs the local schedulers. We have developed an online system that implements our approach. The system takes as input a target execution rate for each application, and automatically and continuously adjusts the applications’ real-time schedules to achieve those rates with proportional CPU utilization. Target rates can be dynamically adjusted. Applications are performance-isolated from each other and from other work that is not using our system. We present an extensive evaluation that shows that the system remains stable with low response times, and that our focus on CPU isolation and control does not come at the significant expense of network I/O, disk I/O, or memory isolation.

Pandurang Kamat,Wenyuan Xu,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1109/icdcs.2007.146

2009-01-01

ACM Transactions on Sensor Networks

Abstract:Although the content of sensor messages describing "events of interest" may be encrypted to provide confidentiality, the context surrounding these events may also be sensitive and therefore should be protected from eavesdroppers. An adversary armed with knowledge of the network deployment, routing algorithms, and the base-station (data sink) location can infer the temporal patterns of interesting events by merely monitoring the arrival of packets at the sink, thereby allowing the adversary to remotely track the spatio-temporal evolution of a sensed event. In this paper we introduce the problem of temporal privacy for delay-tolerant sensor networks, and propose adaptive buffering at intermediate nodes on the source-sink routing path to obfuscate temporal information from the adversary. We first present the effect of buffering on temporal privacy using an information-theoretic formulation, and then examine the effect that delaying packets has on buffer occupancy. We observe that temporal privacy and efficient buffer utilization are contrary objectives, and then present an adaptive buffering strategy that effectively manages these tradeoffs. Finally, we evaluate our privacy enhancement strategies using simulations, where privacy is quantified in terms of the adversary's mean square error.

Martijn M. H. P. van den Heuvel,Reinder J. Bril,Xiaodi Zhang,Syed Md Jakaria Abdullah,Damir Isovic

DOI: https://doi.org/10.1109/etfa.2013.6648046

2013-01-01

Abstract:Many embedded systems have complex timing constraints and, at the same time, have flexibility requirements which prohibit offline planning of the entire system. To support a mixture of time-triggered and event-triggered tasks, some industrial systems deploy a table-driven dispatcher for time-triggered tasks complemented with a preemptive scheduler to allocate the free time slots to event-driven tasks. Contrary to fully preemptive scheduling, limiting the preemptions of tasks to fixed preemptions points may reduce memory requirements and it alleviates the preemption costs in the system. We revisit slotshifting, which at run time mixes time-triggered and event-triggered tasks in a preemptive EDF schedule. In this paper, we extend slotshifting with limited-preemptive execution of event-triggered tasks. We present a synchronization protocol to arbitrate the executions of non-preemptive regions, so that time-triggered tasks keep meeting their timing constraints implicitly. Furthermore, we investigate how to disable preemptions of event-triggered tasks during the execution of the offline-scheduled time-triggered tasks, while keeping the feature of slotshifting to reallocate their slots of execution dynamically at run time.

Lei Lei,Chuang Lin

DOI: https://doi.org/10.1109/ICC.2008.551

2008-01-01

Abstract:This paper studies the flow-level performance of a special family of weight-based opportunistic scheduler using discriminatory processor sharing (DPS) model. It is known that this family of schedulers can achieve any feasible long- term throughput vectors by the variation of its weights. The optimal weight setting problem under DPS model is studied by decomposing it into two subproblems. In each subproblem, a guideline as to how the weight should be chosen is derived. The usage of these two guidelines in analyzing the original problem is discussed via theoretical and simulation results.

Divya Ojha,Sandhya Dwarkadas

DOI: https://doi.org/10.1109/ISCA52012.2021.00037

2021-12-17

Abstract:Timing side channels have been used to extract cryptographic keys and sensitive documents, even from trusted enclaves. In this paper, we focus on cache side channels created by access to shared code or data in the memory hierarchy. This vulnerability is exploited by several known attacks, e.g, evict+reload for recovering an RSA key and Spectre variants for data leaked due to speculative accesses. The key insight in this paper is the importance of the first access to the shared data after a victim brings the data into the cache. To eliminate the timing side channel, we ensure that the first access by a process to any cache line loaded by another process results in a miss. We accomplish this goal by using a combination of timestamps and a novel hardware design to allow efficient parallel comparisons of the timestamps. The solution works at all the cache levels and defends against an attacker process running on another core, same core, or another hyperthread. Our design retains the benefits of a shared cache: allowing processes to utilize the entire cache for their execution and retaining a single copy of shared code and data (data deduplication). Our implementation in the GEM5 simulator demonstrates that the system is able to defend against RSA key extraction. We evaluate performance using SPECCPU2006 and observe overhead due to first access delay to be 2.17%. The overhead due to the security context bookkeeping is of the order of 0.3%.

Cryptography and Security

Amittai Aviram,Sen Hu,Bryan Ford,Ramakrishna Gummadi

DOI: https://doi.org/10.48550/arXiv.1003.5303

2010-03-27

Operating Systems

Abstract:Timing side-channels represent an insidious security challenge for cloud computing, because: (a) massive parallelism in the cloud makes timing channels pervasive and hard to control; (b) timing channels enable one customer to steal information from another without leaving a trail or raising alarms; (c) only the cloud provider can feasibly detect and report such attacks, but the provider's incentives are not to; and (d) resource partitioning schemes for timing channel control undermine statistical sharing efficiency, and, with it, the cloud computing business model. We propose a new approach to timing channel control, using provider-enforced deterministic execution instead of resource partitioning to eliminate timing channels within a shared cloud domain. Provider-enforced determinism prevents execution timing from affecting the results of a compute task, however large or parallel, ensuring that a task's outputs leak no timing information apart from explicit timing inputs and total compute duration. Experiments with a prototype OS for deterministic cloud computing suggest that such an approach may be practical and efficient. The OS supports deterministic versions of familiar APIs such as processes, threads, shared memory, and file systems, and runs coarse-grained parallel tasks as efficiently and scalably as current timing channel-ridden systems.

Sharjeel Khan,Girish Mururu,Santosh Pande

DOI: https://doi.org/10.48550/arXiv.2003.03850

2020-03-08

Cryptography and Security

Abstract:Side channel attacks steal secret keys by cleverly leveraging information leakages and can, therefore, break encryption. Thus, detection and mitigation of side channel attacks is a very important problem, but the solutions proposed in the literature have limitations in that they do not work in a real-world multi-tenancy setting on servers, have high false positives, or have high overheads. In this work, we demonstrate a compiler guided scheduler, Biscuit, that detects cache-based side channel attacks for processes scheduled on multi-tenancy server farms. A key element of this solution involves the use of a cache-miss model which is inserted by the compiler at the entrances of loop nests to predict the cache misses of the corresponding loop. Such inserted library calls, or beacons, convey the cache miss information to the scheduler at run time, which uses it to co-schedule processes such that their combined cache footprint does not exceed the maximum capacity of the last level cache. The scheduled processes are then monitored for actual vs predicted cache misses, and when an anomaly is detected, the scheduler performs a search to isolate the attacker. We show that Biscuit is able to detect and mitigate Prime+Probe, Flush+Reload, and Flush+Flush attacks on OpenSSL cryptography algorithms with an F-score of 1, and also to detect and mitigate degradation of service on a vision application suite with an F-score of 0.9375. Under a no-attack scenario, the scheme poses low overheads (up to a maximum of 6 percent). In the case of an attack, the scheme ends up with less than 11 percent overhead and is able to reduce the degradation of service in some cases by 40 percent. With these many desirable features such as an ability to deal with multi-tenancy, its ability to detect attacks early, its ability to mitigate those attacks, and low runtime overheads, Biscuit is a practical solution.

Rui Chen,Jia Shi,Long Yang,Chao Wang,Zan Li,Pei Xiao,Gaojie Chen

DOI: https://doi.org/10.1109/pimrc48278.2020.9217377

2020-08-01

Abstract:Covert communication provides high-level security for protecting users’ privacy information. In this paper, we analyze the joint impact of an external jammer and channel uncertainty on covert communication in multi-user cognitive radio networks. Meanwhile, to fairly schedule the covert communication over multi-user cognitive radio networks, we propose a fairness secondary user (SU) scheduling scheme, which enables each SU to have the same probability for sending information covertly with the aid of an external jammer. Then, the closed-form expression for the covert rate of the scheduled SU can be obtained. Our results show that the minimal detection error probability and covert rate of the scheduled SU can be significantly improved by exploiting the channel uncertainty and random variation of interference power. Moreover, the impact of interference power on the probability of detection error and the covert rate is noticeable when channel uncertainty is large.

Jiyang Chen,Tomasz Kloda,Ayoosh Bansal,Rohan Tabish,Chien-Ying Chen,Bo Liu,Sibin Mohan,Marco Caccamo,Lui Sha

DOI: https://doi.org/10.48550/arXiv.2104.04528

2021-04-09

Abstract:Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents SchedGuard: a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.

Cryptography and Security,Operating Systems

Till Schlüter,Nils Ole Tippenhauer

2024-10-01

Abstract:Modern computer processors use microarchitectural optimization mechanisms to improve performance. As a downside, such optimizations are prone to introducing side-channel vulnerabilities. Speculative loading of memory, called prefetching, is common in real-world CPUs and may cause such side-channel vulnerabilities: Prior work has shown that it can be exploited to bypass process isolation and leak secrets, such as keys used in RSA, AES, and ECDH implementations. However, to this date, no effective and efficient countermeasure has been presented that secures software on systems with affected prefetchers. In this work, we answer the question: How can a process defend against prefetch-based side channels? We first systematize prefetching-based side-channel vulnerabilities presented in academic literature so far. Next, we design and implement PreFence, a scheduling-aware defense against these side channels that allows processes to disable the prefetcher temporarily during security-critical operations. We implement our countermeasure for an x86_64 and an ARM processor; it can be adapted to any platform that allows to disable the prefetcher. We evaluate our defense and find that our solution reliably stops prefetch leakage. Our countermeasure causes negligible performance impact while no security-relevant code is executed, and its worst case performance is comparable to completely turning off the prefetcher. The expected average performance impact depends on the security-relevant code in the application and can be negligible as we demonstrate with a simple web server application. We expect our countermeasure could widely be integrated in commodity OS, and even be extended to signal generally security-relevant code to the kernel to allow coordinated application of countermeasures.

Cryptography and Security

Yan Cui,Yingxin Wang,Yu Chen,Yuanchun Shi

DOI: https://doi.org/10.1093/comjnl/bxt056

2013-01-01

The Computer Journal

Abstract:This paper addresses the resource contention issue caused by the sharing of the last level caches by introducing a novel contention-aware scheduler. To accurately determine a task's resource requirements, i.e. the unique input of our scheduler, we develop a methodology to select the best heuristic metric from five candidates to represent a task's resource requirements. Based on the heuristic of each task acquired by exploiting the performance monitor unit, our scheduler co-schedules tasks with complementary resource requirements by combining scheduling order adjustments with task-to-core reassignments. The proposed scheduler has been implemented in the completely fair scheduler, rotating staircase deadline scheduler and O(1) schedulers. Using eight workloads constructed from nine NASA advanced supercomputing serial benchmarks on an Intel dual-core platform, the execution time of an individual task is reduced by up to 21%, system scalability and performance of a workload are improved by up to 13%, and the full potential of the contention-aware scheduling can be achieved if the time slice length and the period of executing each task once are short enough. In addition, our proposal exhibits benefits in the reduction of the execution time fluctuation of individual tasks due to an enforcement of reasonable usage of shared resources. Finally, we demonstrate an expected performance improvement on an Intel eight-core platform in order to suggest the broad applicability of our protocol.

Linke Song,Zixuan Pang,Wenhao Wang,Zihao Wang,XiaoFeng Wang,Hongbo Chen,Wei Song,Yier Jin,Dan Meng,Rui Hou

2024-09-30

Abstract:The wide deployment of Large Language Models (LLMs) has given rise to strong demands for optimizing their inference performance. Today's techniques serving this purpose primarily focus on reducing latency and improving throughput through algorithmic and hardware enhancements, while largely overlooking their privacy side effects, particularly in a multi-user environment. In our research, for the first time, we discovered a set of new timing side channels in LLM systems, arising from shared caches and GPU memory allocations, which can be exploited to infer both confidential system prompts and those issued by other users. These vulnerabilities echo security challenges observed in traditional computing systems, highlighting an urgent need to address potential information leakage in LLM serving infrastructures. In this paper, we report novel attack strategies designed to exploit such timing side channels inherent in LLM deployments, specifically targeting the Key-Value (KV) cache and semantic cache widely used to enhance LLM inference performance. Our approach leverages timing measurements and classification models to detect cache hits, allowing an adversary to infer private prompts with high accuracy. We also propose a token-by-token search algorithm to efficiently recover shared prompt prefixes in the caches, showing the feasibility of stealing system prompts and those produced by peer users. Our experimental studies on black-box testing of popular online LLM services demonstrate that such privacy risks are completely realistic, with significant consequences. Our findings underscore the need for robust mitigation to protect LLM systems against such emerging threats.

Cryptography and Security

Aastha Mehta,Mohamed Alzayat,Roberta de Viti,Björn B. Brandenburg,Peter Druschel,Deepak Garg

DOI: https://doi.org/10.48550/arXiv.1908.11568

2022-02-18

Abstract:Network side channels (NSCs) leak secrets through packet timing and packet sizes. They are of particular concern in public IaaS Clouds, where any tenant may be able to colocate and indirectly observe a victim's traffic shape. We present Pacer, the first system that eliminates NSC leaks in public IaaS Clouds end-to-end. It builds on the principled technique of shaping guest traffic outside the guest to make the traffic shape independent of secrets by design. However, Pacer also addresses important concerns that have not been considered in prior work -- it prevents internal side-channel leaks from affecting reshaped traffic, and it respects network flow control, congestion control and loss recovery signals. Pacer is implemented as a paravirtualizing extension to the host hypervisor, requiring modest changes to the hypervisor and the guest kernel, and only optional, minimal changes to applications. We present Pacer's key abstraction of a cloaked tunnel, describe its design and implementation, prove the security of important design aspects through a formal model, and show through an experimental evaluation that Pacer imposes moderate overheads on bandwidth, client latency, and server throughput, while thwarting attacks based on state-of-the-art CNN classifiers.

Cryptography and Security

Chih-ping Li,Michael J. Neely

DOI: https://doi.org/10.48550/arXiv.1003.2675

2010-04-22

Abstract:We study the fundamental network capacity of a multi-user wireless downlink under two assumptions: (1) Channels are not explicitly measured and thus instantaneous states are unknown, (2) Channels are modeled as ON/OFF Markov chains. This is an important network model to explore because channel probing may be costly or infeasible in some contexts. In this case, we can use channel memory with ACK/NACK feedback from previous transmissions to improve network throughput. Computing in closed form the capacity region of this network is difficult because it involves solving a high dimension partially observed Markov decision problem. Instead, in this paper we construct an inner and outer bound on the capacity region, showing that the bound is tight when the number of users is large and the traffic is symmetric. For the case of heterogeneous traffic and any number of users, we propose a simple queue-dependent policy that can stabilize the network with any data rates strictly within the inner capacity bound. The stability analysis uses a novel frame-based Lyapunov drift argument. The outer-bound analysis uses stochastic coupling and state aggregation to bound the performance of a restless bandit problem using a related multi-armed bandit system. Our results are useful in cognitive radio networks, opportunistic scheduling with delayed/uncertain channel state information, and restless bandit problems.

Information Theory,Networking and Internet Architecture,Dynamical Systems,Optimization and Control

Vignesh Sivaraman,Biplab Sikdar

DOI: https://doi.org/10.1109/tnet.2021.3097536

2021-12-01

IEEE/ACM Transactions on Networking

Abstract:While in-network caching is an essential feature of Information Centric Networks (ICN) for improved content dissemination and reducing the bandwidth consumption at the core of the network, it is prone to many privacy threats. For example, an adversary can passively breach the privacy of a consumer by simply analyzing the different retrieval times for the same content. This paper aims to address this problem of timing analysis attacks by developing privacy-enhancing caching strategies. The proposed caching strategies use two privacy metrics, namely mutual information from information theory and differential privacy, and formulates a privacy enhancing distributed optimization problem with the objective of optimizing the network cost incurred. We efficiently solve the optimization problem by considering it as a <span class="mjpage"><svg xmlns:xlink="http://www.w3.org/1999/xlink" width="1.395ex" height="1.676ex" style="vertical-align: -0.338ex;" viewBox="0 -576.1 600.5 721.6" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg"><g stroke="currentColor" fill="currentColor" stroke-width="0" transform="matrix(1 0 0 -1 0 0)"> <use xlink:href="#MJMATHI-6E" x="0" y="0"></use></g></svg></span> -player, non-cooperative game. We show that Nash equilibrium exists for this game and compute it using an iterative best response algorithm. We compare and validate the performance of our approach on realistic network topologies by comparing it with the existing approaches in literature and the global optimal solutions.<svg xmlns="http://www.w3.org/2000/svg" style="display: none;"><defs id="MathJax_SVG_glyphs"><path stroke-width="1" id="MJMATHI-6E" d="M21 287Q22 293 24 303T36 341T56 388T89 425T135 442Q171 442 195 424T225 390T231 369Q231 367 232 367L243 378Q304 442 382 442Q436 442 469 415T503 336T465 179T427 52Q427 26 444 26Q450 26 453 27Q482 32 505 65T540 145Q542 153 560 153Q580 153 580 145Q580 144 576 130Q568 101 554 73T508 17T439 -10Q392 -10 371 17T350 73Q350 92 386 193T423 345Q423 404 379 404H374Q288 404 229 303L222 291L189 157Q156 26 151 16Q138 -11 108 -11Q95 -11 87 -5T76 7T74 17Q74 30 112 180T152 343Q153 348 153 366Q153 405 129 405Q91 405 66 305Q60 285 60 284Q58 278 41 278H27Q21 284 21 287Z"></path></defs></svg>

Jiankang Ren,Chunxiao Liu,Chi Lin,Wei Jiang,Pengfei Wang,Xiangwei Qi,Simeng Li,Shengyu Li

DOI: https://doi.org/10.1109/tcad.2024.3445260

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Embedded real-time systems generally execute in a predictable and deterministic manner to deliver critical functionality within stringent timing constraints. However, the predictable execution behavior leaves the system vulnerable to schedule-based attacks. In this article, we present a multimode security-aware real-time scheduling scheme to counteract schedule-based attacks on multiprocessor real-time systems. To mitigate the vulnerability to the schedule-based attack, we propose a multimode scheduling method to reduce the accumulative attack effective window (AEW) of multiple victim tasks and prevent the untrusted tasks from executing during the AEW by distinctively scheduling mixed-trust tasks according to the system mode. To avoid the protection degradation due to the excessive blocking of untrusted tasks, we introduce a protection window for multiple victims on multiprocessors by analyzing the system protection capability limit under the system schedulability constraint. Furthermore, to maximize the protection capability of the multimode security-aware scheduling strategy on a multiprocessor platform, we also propose a security-aware packing algorithm to balance the workloads of mixed-trust tasks on different processors using a mixed-trust worst-fit decreasing heuristic strategy. The experimental results demonstrate that our proposed approach significantly outperforms the state-of-the-art method. Specifically, the AEW ratio and the AEW untrusted execution time ratio are reduced by 18.8% and 62.8%, respectively, while the defense success rate against ScheduLeak attack is improved by 16.3%.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Chao Li,Balaji Palanisamy

DOI: https://doi.org/10.48550/arXiv.1902.05613

2019-02-15

Abstract:In the age of Big Data, enabling task scheduling while protecting users' privacy is critical for various decentralized applications in blockchain-based smart contract platforms. Such a privacy-preserving task scheduler requires the task input data to be secretly maintained until a prescribed task execution time and be automatically recorded into the blockchain to enabling the execution of the task at the execution time, even if the user goes offline. While straight-forward centralized approaches provide a basic solution to the problem, unfortunately they are limited to a single point of trust and involve a single point of control. This paper presents decentralized techniques for supporting privacy-preserving task scheduling using smart contracts in Ethereum blockchain networks. We design a privacy-preserving task scheduling protocol that is managed by a manager smart contract. The protocol requires a user to schedule a task by deploying a proxy smart contract maintaining the non-sensitive information of the task while creating decentralized secret trust and selecting trustees from the network to maintain the sensitive information of the task. With security techniques including secret sharing and layered encryption as well as security deposit paid by trustees as economic deterrence, the protocol can protect the sensitive information against possible attacks including some trustees destroying the sensitive information (drop attack) or secretly releasing the sensitive information before the execution time (release-ahead attack). We demonstrate the attack-resilience of the proposed protocol through rigorous <a class="link-external link-http" href="http://analysis.Our" rel="external noopener nofollow">this http URL</a> implementation and experimental evaluation on the Ethereum official test network demonstrate the low monetary cost and the low time overhead associated with the proposed approach.

Cryptography and Security