Friederike Groschupp,Mark Kuhne,Moritz Schneider,Ivan Puddu,Shweta Shinde,Srdjan Capkun

2023-06-29

Abstract:Modern smartphones are complex systems in which control over phone resources is exercised by phone manufacturers, OS vendors, and users. These stakeholders have diverse and often competing interests. Barring some exceptions, users entrust their security and privacy to OS vendors (Android and iOS) and need to accept their constraints. Manufacturers protect their firmware and peripherals from the OS by executing in the highest privilege and leveraging dedicated CPUs and TEEs. OS vendors need to trust the highest privileged code deployed by manufacturers. This division of control over the phone is not ideal for OS vendors and is even more disadvantageous for the users. Users are generally limited in what applications they can install on their devices, in the privacy model and trust assumptions of the existing applications, and in the functionalities that applications can have. We propose TEEtime, a new smartphone architecture based on trusted execution allowing to balance the control different stakeholders exert over phones. More leveled control over the phone means that no stakeholder is more privileged than the others. In particular, TEEtime makes users sovereign over their phones: It enables them to install sensitive applications in isolated domains with protected access to selected peripherals alongside an OS. TEEtime achieves this while maintaining compatibility with the existing smartphone ecosystem and without relying on virtualization; it only assumes trust in a phone's firmware. TEEtime is the first TEE architecture that allows isolated execution domains to gain protected and direct access to peripherals. TEEtime is based on Armv8-A and achieves peripheral isolation using a novel mechanism based on memory and interrupt controller protection. We demonstrate the feasibility of our design by implementing a prototype of TEEtime, and by running exemplary sensitive applications.

Cryptography and Security

Zelalem Birhanu Aweke,Todd Austin

DOI: https://doi.org/10.48550/arXiv.1703.07706

2017-03-11

Abstract:Time variation during program execution can leak sensitive information. Time variations due to program control flow and hardware resource contention have been used to steal encryption keys in cipher implementations such as AES and RSA. A number of approaches to mitigate timing-based side-channel attacks have been proposed including cache partitioning, control-flow obfuscation and injecting timing noise into the outputs of code. While these techniques make timing-based side-channel attacks more difficult, they do not eliminate the risks. Prior techniques are either too specific or too expensive, and all leave remnants of the original timing side channel for later attackers to attempt to exploit. In this work, we show that the state-of-the-art techniques in timing side-channel protection, which limit timing leakage but do not eliminate it, still have significant vulnerabilities to timing-based side-channel attacks. To provide a means for total protection from timing-based side-channel attacks, we develop Ozone, the first zero timing leakage execution resource for a modern microarchitecture. Code in Ozone execute under a special hardware thread that gains exclusive access to a single core's resources for a fixed (and limited) number of cycles during which it cannot be interrupted. Memory access under Ozone thread execution is limited to a fixed size uncached scratchpad memory, and all Ozone threads begin execution with a known fixed microarchitectural state. We evaluate Ozone using a number of security sensitive kernels that have previously been targets of timing side-channel attacks, and show that Ozone eliminates timing leakage with minimal performance overhead.

Cryptography and Security,Hardware Architecture

Jiliang Zhang,Congcong Chen,Jinhua Cui,Keqin Li

DOI: https://doi.org/10.1145/3645109

IF: 16.6

2024-02-07

ACM Computing Surveys

Abstract:Microarchitectural vulnerabilities, such as Meltdown and Spectre, exploit subtle microarchitecture state to steal the user’s secret data and even compromise the operating systems (OSes). In recent years, considerable discussion lies in understanding the attack-defense mechanisms and exploitability of such vulnerabilities. Unfortunately, there have been few investigations into a systematic elaboration of threat models, attack scenarios and requirements, and defense targets of the resulting attacks. In this article, we fill this gap and make the following contributions. We first propose two sets of taxonomies for classifying microarchitectural timing side-channel attacks (MTSCAs) and their countermeasures according to various attack conditions. Based on the taxonomies proposed, we then review published attacks and existing defenses and systematically analyze their internals. In particular, we also provide a comprehensive analysis of the similarities and differences among those attacks, uncovering the corresponding practicality and severity by identifying the attack targets/platforms and the security boundaries that can be bypassed to reveal information. We further examine the scalability of those defenses through specifying expected defense goals and costs. We also discuss corresponding detection methods based on different classifications. Finally, we propose several key challenges of existing countermeasures and the attack trends, and discuss directions for future research.

computer science, theory & methods

Caihua Li,Seung-seob Lee,Min Hong Yun,Lin Zhong

DOI: https://doi.org/10.48550/arXiv.2212.12671

2022-12-24

Operating Systems

Abstract:Modern operating systems (OSes) have unfettered access to application data, assuming that applications trust them. This assumption, however, is problematic under many scenarios where either the OS provider is not trustworthy or the OS can be compromised due to its large attack surface. Our investigation began with the hypothesis that unfettered access to memory is not fundamentally necessary for the OS to perform its own job, including managing the memory. The result is a system called MProtect that leverages a small piece of software running at a higher privilege level than the OS. MProtect protects the entire user space of a process, requires only a small modification to the OS, and supports major architectures such as ARM, x86 and RISC-V. Unlike prior works that resorted to nested virtualization, which is often undesirable in mobile and embedded systems, MProtect mediates how the OS accesses the memory and handles exceptions. We report an implementation of MProtect called MGuard with ARMv8/Linux and evaluate its performance with both macro and microbenchmarks. We show MGuard has a runtime TCB 2~3 times smaller than related systems and enjoys competitive performance while supporting legitimate OS access to the user space.

Nils Wistoff,Moritz Schneider,Frank K. Gürkaynak,Luca Benini,Gernot Heiser

DOI: https://doi.org/10.48550/arXiv.2005.02193

2020-05-01

Abstract:Covert channels enable information leakage across security boundaries of the operating system. Microarchitectural covert channels exploit changes in execution timing resulting from competing access to limited hardware resources. We use the recent experimental support for time protection, aimed at preventing covert channels, in the seL4 microkernel and evaluate the efficacy of the mechanisms against five known channels on Ariane, an open-source 64-bit application-class RISC-V core. We confirm that without hardware support, these defences are expensive and incomplete. We show that the addition of a single-instruction extension to the RISC-V ISA, that flushes microarchitectural state, can enable the OS to close all five evaluated covert channels with low increase in context switch costs and negligible hardware overhead. We conclude that such a mechanism is essential for security.

Cryptography and Security,Hardware Architecture

Jiyang Chen,Tomasz Kloda,Ayoosh Bansal,Rohan Tabish,Chien-Ying Chen,Bo Liu,Sibin Mohan,Marco Caccamo,Lui Sha

DOI: https://doi.org/10.48550/arXiv.2104.04528

2021-04-09

Abstract:Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents SchedGuard: a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.

Cryptography and Security,Operating Systems

Abhinav Srivastava,Jonathon Giffin

DOI: https://doi.org/10.1145/2420950.2421012

2012-01-01

Abstract:Commodity operating system kernels isolate applications via separate memory address spaces provided by virtual memory management hardware. However, kernel memory is unified and mixes core kernel code with driver components of different provenance. Kernel-level malicious software exploits this lack of isolation between the kernel and its modules by illicitly modifying security-critical kernel data structures. In this paper, we design an access control policy and enforcement system that prevents kernel components with low trust from altering security-critical data used by the kernel to manage its own execution. Our policies are at the granularity of kernel variables and structure elements, and they can protect data structures dynamically allocated at runtime. Our hypervisor-based design uses memory page protection bits as part of its policy enforcement. The granularity difference between page-level protection and variable-level policies challenges the system's ability to remain performant. We develop kernel data-layout partitioning and reorganization techniques to maintain kernel performance in the presence of our protections. We show that our system can prevent malicious modifications to security-critical kernel data with small overhead. By offering protection for critical kernel data structures, we can detect unknown kernel-level malware and guarantee that security utilities relying on the integrity of kernel-level state remain accurate.

Liang DENG,Qing-Kai ZENG

DOI: https://doi.org/10.13328/j.cnki.jos.005017

2016-01-01

Abstract:In commodity OS, the OS kernel runs in the highest privilege layer to manage hardware resources and provides system services. Thus, security-sensitive applications are vulnerable to compromises the underlying untrusted kernel. In this paper, an approach named AppFort is proposed to protect applications from an untrusted OS kernel. To address the high overheads of existing solutions, AppFort makes use of the unique combination of an x86 hardware feature (operand address size), kernel code integrity protection and kernel control flow integrity protection, to intercept and verify both hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects application's memory, control flows and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort only incurs very small overhead, which is much better than previous work.

Robert Dumitru,Thorben Moos,Andrew Wabnitz,Yuval Yarom

2024-12-06

Abstract:In recent years a new class of side-channel attacks has emerged. Instead of targeting device emissions during dynamic computation, adversaries now frequently exploit the leakage or response behaviour of integrated circuits in a static state. Members of this class include Static Power Side-Channel Analysis (SCA), Laser Logic State Imaging (LLSI) and Impedance Analysis (IA). Despite relying on different physical phenomena, they all enable the extraction of sensitive information from circuits in a static state with high accuracy and low noise -- a trait that poses a significant threat to many established side-channel countermeasures. In this work, we point out the shortcomings of existing solutions and derive a simple yet effective countermeasure. We observe that in order to realise their full potential, static side-channel attacks require the targeted data to remain unchanged for a certain amount of time. For some cryptographic secrets this happens naturally, for others it requires stopping the target circuit's clock. Our proposal, called Borrowed Time, hinders an attacker's ability to leverage such idle conditions, even if full control over the global clock signal is obtained. For that, by design, key-dependent data may only be present in unprotected temporary storage when strictly needed. Borrowed Time then continuously monitors the target circuit and upon detecting an idle state, securely wipes sensitive contents. We demonstrate the need for our countermeasure and its effectiveness by mounting practical static power SCA attacks against cryptographic systems on FPGAs, with and without Borrowed Time. In one case we attack a masked implementation and show that it is only protected with our countermeasure in place. Furthermore we demonstrate that secure on-demand wiping of sensitive data works as intended, affirming the theory that the technique also effectively hinders LLSI and IA.

Cryptography and Security

Amittai Aviram,Sen Hu,Bryan Ford,Ramakrishna Gummadi

DOI: https://doi.org/10.48550/arXiv.1003.5303

2010-03-27

Operating Systems

Abstract:Timing side-channels represent an insidious security challenge for cloud computing, because: (a) massive parallelism in the cloud makes timing channels pervasive and hard to control; (b) timing channels enable one customer to steal information from another without leaving a trail or raising alarms; (c) only the cloud provider can feasibly detect and report such attacks, but the provider's incentives are not to; and (d) resource partitioning schemes for timing channel control undermine statistical sharing efficiency, and, with it, the cloud computing business model. We propose a new approach to timing channel control, using provider-enforced deterministic execution instead of resource partitioning to eliminate timing channels within a shared cloud domain. Provider-enforced determinism prevents execution timing from affecting the results of a compute task, however large or parallel, ensuring that a task's outputs leak no timing information apart from explicit timing inputs and total compute duration. Experiments with a prototype OS for deterministic cloud computing suggest that such an approach may be practical and efficient. The OS supports deterministic versions of familiar APIs such as processes, threads, shared memory, and file systems, and runs coarse-grained parallel tasks as efficiently and scalably as current timing channel-ridden systems.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

DOI: https://doi.org/10.23919/tst.2017.8030534

2017-01-01

Tsinghua Science & Technology

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, such as smart hardware as well as wearable and mobile devices. Typically, these devices use universal hardware and software to connect with public networks via the Internet, and are probably open to security threats from Trojan viruses and other malware. As a result, the security of sensitive personal data is threatened and economic interests in the industry are compromised. To address the run-time security problems efficiently, first, a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Finally, both analytical and experimental evaluations are provided. The experimental results demonstrate the effectiveness and feasibility of the proposed security scheme.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

2016-01-01

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, e.g., smart hardware, wearable devices, mobile devices. Typically, these devices use universal hardware and software to connect with public network by internet, and are probably open to security threats from Trojan, virus and other malware. As a result, not only personal sensitive data is threatened, economic interests in industry are also compromised. To address the run-time security problems efficiently, first a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Last, both analytical and experimental evaluations are given in the end. The experimental results demonstrate that the proposed security scheme is effective and feasible.

Johannes Müller,Anna Lena Duque Antón,Lucas Deutschmann,Dino Mehmedagić,Cristiano Rodrigues,Daniel Oliveira,Keerthikumara Devarajegowda,Mohammad Rahmani Fadiheh,Sandro Pinto,Dominik Stoffel,Wolfgang Kunz

DOI: https://doi.org/10.1145/3649329.3656541

2024-07-18

Abstract:Microarchitectural timing side channels have been thoroughly investigated as a security threat in hardware designs featuring shared buffers (e.g., caches) or parallelism between attacker and victim task execution. However, contradicting common intuitions, recent activities demonstrate that this threat is real even in microcontroller SoCs without such features. In this paper, we describe SoC-wide timing side channels previously neglected by security analysis and present a new formal method to close this gap. In a case study on the RISC-V Pulpissimo SoC, our method detected a vulnerability to a previously unknown attack variant that allows an attacker to obtain information about a victim's memory access behavior. After implementing a conservative fix, we were able to verify that the SoC is now secure w.r.t. the considered class of timing side channels.

Cryptography and Security

Thore Tiemann,Zane Weissman,Thomas Eisenbarth,Berk Sunar

DOI: https://doi.org/10.1145/3579856.3582838

2023-03-10

Abstract:Hardware peripherals such as GPUs and FPGAs are commonly available in server-grade computing to accelerate specific compute tasks, from database queries to machine learning. CSPs have integrated these accelerators into their infrastructure and let tenants combine and configure these components flexibly, based on their needs. Securing I/O interfaces is critical to ensure proper isolation between tenants in these highly complex, heterogeneous, yet shared server systems, especially in the cloud, where some peripherals may be under control of a malicious tenant. In this work, we investigate the interfaces that connect peripheral hardware components to each other and the rest of the <a class="link-external link-http" href="http://system.We" rel="external noopener nofollow">this http URL</a> show that the I/O memory management units (IOMMUs) - intended to ensure proper isolation of peripherals - are the source of a new attack surface: the I/O translation look-aside buffer (IOTLB). We show that by using an FPGA accelerator card one can gain precise information over IOTLB activity. That information can be used for covert communication between peripherals without bothering CPU or to directly extract leakage from neighboring accelerated compute jobs such as GPU-accelerated databases. We present the first qualitative and quantitative analysis of this newly uncovered attack surface before fine-grained channels become widely viable with the introduction of CXL and PCIe 5.0. In addition, we propose possible countermeasures that software developers, hardware designers, and system administrators can use to suppress the observed side-channel leakages and analyze their implicit costs.

Cryptography and Security,Hardware Architecture

Tianning Zhang,Miao Cai,Diming Zhang,Hao Huang

DOI: https://doi.org/10.1109/TrustCom50675.2020.00045

2020-01-01

Abstract:Recently, many effective defensive methods (e.g., ASLR, execute-only-memory) have been proposed to defeat the code reuse attack in the software system. These approaches provide strong system protection through address randomization or memory access restriction. However, this paper identifies a new weak point in these approaches, i.e., missing time protection. We propose a new attack method called timing function attack, which can initiate a code reuse attack even against the state-of-the-art defense techniques. Previous solutions utilize various techniques to hide the spatial information. However, we still can obtain critical security information through the time channel. Specifically, we leverage the function execution time to conduct a side-channel attack. Further, we de-randomize the code segment layout with the timing-channel attack result. Finally, we perform a code-reuse attack with gadgets gathered in previous steps, compromising the whole system. To validate our timing function attack in the real world, we conduct two attacks on two JavaScript engines, i.e., ChakraCore and Chrome v8. Evaluation results show that our attack can successfully bypass the existing defense techniques, such as function-granularity ASLR and XOM, and escalate the privilege. Besides, we also discuss some solutions to prevent and defend our proposed timing function attack.

Xiaoshan Sun,Liang Cheng,Yang Zhang

DOI: https://doi.org/10.1109/icc.2011.5962718

2011-01-01

Abstract:A covert channel is a communication channel that bypasses the access controls of the system, and it is a threat to the system's security. In this paper, we propose a new covert timing channel which exploits the algorithmic complexity vulnerabilities in the name lookup algorithm of the kernel. This covert channel has a high capacity and it is practically exploitable. In our experiments, the data rate reaches 2256 bps under a very low error rate. This data rate is high enough for practical use. So our covert channel is dangerous. To our knowledge, no previous works propose this covert channel nor implement it. We describe our design and implementation of the covert channel on a SELinux system, discuss the subtle issues that arose in the design, present performance data of the covert channel and analyse its capacity.

Laszlo Szekeres,Mathias Payer,Tao Wei,Dawn Song

DOI: https://doi.org/10.1109/sp.2013.13

2013-01-01

Abstract:Memory corruption bugs in software written in low-level languages like C or C++ are one of the oldest problems in computer security. The lack of safety in these languages allows attackers to alter the program's behavior or take full control over it by hijacking its control flow. This problem has existed for more than 30 years and a vast number of potential solutions have been proposed, yet memory corruption attacks continue to pose a serious threat. Real world exploits show that all currently deployed protections can be defeated. This paper sheds light on the primary reasons for this by describing attacks that succeed on today's systems. We systematize the current knowledge about various protection techniques by setting up a general model for memory corruption attacks. Using this model we show what policies can stop which attacks. The model identifies weaknesses of currently deployed techniques, as well as other proposed protections enforcing stricter policies. We analyze the reasons why protection mechanisms implementing stricter polices are not deployed. To achieve wide adoption, protection mechanisms must support a multitude of features and must satisfy a host of requirements. Especially important is performance, as experience shows that only solutions whose overhead is in reasonable bounds get deployed. A comparison of different enforceable policies helps designers of new protection mechanisms in finding the balance between effectiveness (security) and efficiency. We identify some open research problems, and provide suggestions on improving the adoption of newer techniques.

Lianying Zhao,Mohammad Mannan

DOI: https://doi.org/10.14722/ndss.2019.23197

2019-05-26

Abstract:Unauthorized data alteration has been a longstanding threat since the emergence of malware. System and application software can be reinstalled and hardware can be replaced, but user data is priceless in many cases. Especially in recent years, ransomware has become high-impact due to its direct monetization model. State-of-the-art defenses are mostly based on known signature or behavior analysis, and more importantly, require an uncompromised OS kernel. However, malware with the highest software privileges has shown its obvious existence. We propose to move from current detection/recovery based mechanisms to data loss prevention, where the focus is on armoring data instead of counteracting malware. Our solution, Inuksuk, relies on today's Trusted Execution Environments (TEEs), as available both on the CPU and storage device, to achieve programmable write protection. We back up a copy of user-selected files as write-protected at all times, and subsequent updates are written as new versions securely through TEE. We implement Inuksuk on Windows 7 and 10, and Linux (Ubuntu); our core design is OS and application agnostic, and incurs no run-time performance penalty for applications. File transfer disruption can be eliminated or alleviated through access modes and customizable update policies (e.g., interval, granularity). For Inuksuk's adoptability in modern OSes, we have also ported Flicker (EuroSys 2008), a defacto standard tool for in-OS privileged TEE management, to the latest 64-bit Windows.

Cryptography and Security

Zhiyuan Lv,Youjian Zhao,Chao Zhang

DOI: https://doi.org/10.1109/icc40277.2020.9149177

2020-01-01

Abstract:Microarchitectural timing channels, e.g., timing-based side channels or covert channels, endanger victims' data confidentiality by accurately measuring the time difference of accessing shared microarchitectural resources (e.g., cache and DRAM). Lowering the accuracy of such timers is a feasible and widely discussed direction for mitigating such channels. However, few solutions have paid attentions to the special dedicated thread timer, which measures the time by utilizing a dedicated thread to increment a time counter in an endless loop. In this paper, we present a novel approach, DegradeTimer, to degrade the dedicated thread timer. It first eliminates local cache sharing between the attacker thread and the timer thread in case the CPU's hyper-threading feature is enabled, by modifying Linux kernel's thread scheduling policy to enforce that any two threads sharing writable memory are dispatched to different physical cores. Then, it applies two novel cache coherence protocols, M-MESI and M-MOSEI, to randomly delay responses to remote cache requests. In this way, the attacker thread and the timer thread are dispatched to different cores and provided with fuzzy cache time transmission. We have implemented a prototype of DegradeTimer for both x86 and ARM architecture using the Linux kernel and the gem5 full system simulator. The evaluation results show that DegradeTimer provides a strong security guarantee against microarchitectural timing channels. Furthermore, the performance overhead introduced by DegradeTimer is less than 6%.

haibo chen,fengzhe zhang,cheng chen,ziye yang,rong chen,binyu zang,penchung yew,wenbo mao

2007-01-01

Abstract:Software applications today face constant threat of tampering because of the vulnerability in operating systems and their permissive interface. Unfortunately, existing tamper-resistance approaches often require non-trivial amount of changes to core CPU architectures, operating systems and/or applications. In this paper, we propose an approach that requires only minimal changes to existing commodity oper- ating systems running on commodity hardware without compromising their functionality and compatibility. The key idea is to use a trustworthy virtual machine monitor (VMM) to monitor and regulate the behavior of other untrustworthy processes including the underlying operating system that might have been compro- mised. We use the trusted VMM to compartmentalize a process that demands tamper resistant protection from OS kernels and other processes, by interposing security-sensitive operations (e.g. system calls) and isolating (and sealing) security-sensitive information (e.g. registers and memory). We have implemented a working prototype, CHAOS 1, that supports tamper-resistant applications run- ning on Linux and Xen VMM. Our prototype shows that it only requires minor changes (about 230 LOCs) to Linux and a small amount of code expansion to Xen (about 4200 LOCs). Performance measurements also show that CHAOS incurs a little performance degradation to the application software: about 3% for SPECINT-2000 and less than 15% for apache httpd and vsftpd.