783 research outputs found
Undermining User Privacy on Mobile Devices Using AI
Over the past years, literature has shown that attacks exploiting the
microarchitecture of modern processors pose a serious threat to the privacy of
mobile phone users. This is because applications leave distinct footprints in
the processor, which can be used by malware to infer user activities. In this
work, we show that these inference attacks are considerably more practical when
combined with advanced AI techniques. In particular, we focus on profiling the
activity in the last-level cache (LLC) of ARM processors. We employ a simple
Prime+Probe based monitoring technique to obtain cache traces, which we
classify with Deep Learning methods including Convolutional Neural Networks. We
demonstrate our approach on an off-the-shelf Android phone by launching a
successful attack from an unprivileged, zeropermission App in well under a
minute. The App thereby detects running applications with an accuracy of 98%
and reveals opened websites and streaming videos by monitoring the LLC for at
most 6 seconds. This is possible, since Deep Learning compensates measurement
disturbances stemming from the inherently noisy LLC monitoring and unfavorable
cache characteristics such as random line replacement policies. In summary, our
results show that thanks to advanced AI techniques, inference attacks are
becoming alarmingly easy to implement and execute in practice. This once more
calls for countermeasures that confine microarchitectural leakage and protect
mobile phone applications, especially those valuing the privacy of their users
SoK: Design Tools for Side-Channel-Aware Implementations
Side-channel attacks that leak sensitive information through a computing
device's interaction with its physical environment have proven to be a severe
threat to devices' security, particularly when adversaries have unfettered
physical access to the device. Traditional approaches for leakage detection
measure the physical properties of the device. Hence, they cannot be used
during the design process and fail to provide root cause analysis. An
alternative approach that is gaining traction is to automate leakage detection
by modeling the device. The demand to understand the scope, benefits, and
limitations of the proposed tools intensifies with the increase in the number
of proposals.
In this SoK, we classify approaches to automated leakage detection based on
the model's source of truth. We classify the existing tools on two main
parameters: whether the model includes measurements from a concrete device and
the abstraction level of the device specification used for constructing the
model. We survey the proposed tools to determine the current knowledge level
across the domain and identify open problems. In particular, we highlight the
absence of evaluation methodologies and metrics that would compare proposals'
effectiveness from across the domain. We believe that our results help
practitioners who want to use automated leakage detection and researchers
interested in advancing the knowledge and improving automated leakage
detection
MicroWalk: A Framework for Finding Side Channels in Binaries
Microarchitectural side channels expose unprotected software to information
leakage attacks where a software adversary is able to track runtime behavior of
a benign process and steal secrets such as cryptographic keys. As suggested by
incremental software patches for the RSA algorithm against variants of
side-channel attacks within different versions of cryptographic libraries,
protecting security-critical algorithms against side channels is an intricate
task. Software protections avoid leakages by operating in constant time with a
uniform resource usage pattern independent of the processed secret. In this
respect, automated testing and verification of software binaries for
leakage-free behavior is of importance, particularly when the source code is
not available. In this work, we propose a novel technique based on Dynamic
Binary Instrumentation and Mutual Information Analysis to efficiently locate
and quantify memory based and control-flow based microarchitectural leakages.
We develop a software framework named \tool~for side-channel analysis of
binaries which can be extended to support new classes of leakage. For the first
time, by utilizing \tool, we perform rigorous leakage analysis of two
widely-used closed-source cryptographic libraries: \emph{Intel IPP} and
\emph{Microsoft CNG}. We analyze different cryptographic implementations
consisting of million instructions in about minutes of CPU time. By
locating previously unknown leakages in hardened implementations, our results
suggest that \tool~can efficiently find microarchitectural leakages in software
binaries
Cross-core Microarchitectural Attacks and Countermeasures
In the last decade, multi-threaded systems and resource sharing have brought a number of technologies that facilitate our daily tasks in a way we never imagined. Among others, cloud computing has emerged to offer us powerful computational resources without having to physically acquire and install them, while smartphones have almost acquired the same importance desktop computers had a decade ago. This has only been possible thanks to the ever evolving performance optimization improvements made to modern microarchitectures that efficiently manage concurrent usage of hardware resources. One of the aforementioned optimizations is the usage of shared Last Level Caches (LLCs) to balance different CPU core loads and to maintain coherency between shared memory blocks utilized by different cores. The latter for instance has enabled concurrent execution of several processes in low RAM devices such as smartphones. Although efficient hardware resource sharing has become the de-facto model for several modern technologies, it also poses a major concern with respect to security. Some of the concurrently executed co-resident processes might in fact be malicious and try to take advantage of hardware proximity. New technologies usually claim to be secure by implementing sandboxing techniques and executing processes in isolated software environments, called Virtual Machines (VMs). However, the design of these isolated environments aims at preventing pure software- based attacks and usually does not consider hardware leakages. In fact, the malicious utilization of hardware resources as covert channels might have severe consequences to the privacy of the customers. Our work demonstrates that malicious customers of such technologies can utilize the LLC as the covert channel to obtain sensitive information from a co-resident victim. We show that the LLC is an attractive resource to be targeted by attackers, as it offers high resolution and, unlike previous microarchitectural attacks, does not require core-colocation. Particularly concerning are the cases in which cryptography is compromised, as it is the main component of every security solution. In this sense, the presented work does not only introduce three attack variants that can be applicable in different scenarios, but also demonstrates the ability to recover cryptographic keys (e.g. AES and RSA) and TLS session messages across VMs, bypassing sandboxing techniques. Finally, two countermeasures to prevent microarchitectural attacks in general and LLC attacks in particular from retrieving fine- grain information are presented. Unlike previously proposed countermeasures, ours do not add permanent overheads in the system but can be utilized as preemptive defenses. The first identifies leakages in cryptographic software that can potentially lead to key extraction, and thus, can be utilized by cryptographic code designers to ensure the sanity of their libraries before deployment. The second detects microarchitectural attacks embedded into innocent-looking binaries, preventing them from being posted in official application repositories that usually have the full trust of the customer
Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices
Contains fulltext :
187230.pdf (preprint version ) (Open Access
When a Patch is Not Enough - HardFails: Software-Exploitable Hardware Bugs
In this paper, we take a deep dive into microarchitectural security from a
hardware designer's perspective by reviewing the existing approaches to detect
hardware vulnerabilities during the design phase. We show that a protection gap
currently exists in practice that leaves chip designs vulnerable to
software-based attacks. In particular, existing verification approaches fail to
detect specific classes of vulnerabilities, which we call HardFails: these bugs
evade detection by current verification techniques while being exploitable from
software. We demonstrate such vulnerabilities in real-world SoCs using RISC-V
to showcase and analyze concrete instantiations of HardFails. Patching these
hardware bugs may not always be possible and can potentially result in a
product recall. We base our findings on two extensive case studies: the recent
Hack@DAC 2018 hardware security competition, where 54 independent teams of
researchers competed world-wide over a period of 12 weeks to catch inserted
security bugs in SoC RTL designs, and an in-depth systematic evaluation of
state-of-the-art verification approaches. Our findings indicate that even
combinations of techniques will miss high-impact bugs due to the large number
of modules with complex interdependencies and fundamental limitations of
current detection approaches. We also craft a real-world software attack that
exploits one of the RTL bugs from Hack@DAC that evaded detection and discuss
novel approaches to mitigate the growing problem of cross-layer bugs at design
time
- …