410 research outputs found
PerfWeb: How to Violate Web Privacy with Hardware Performance Events
The browser history reveals highly sensitive information about users, such as
financial status, health conditions, or political views. Private browsing modes
and anonymity networks are consequently important tools to preserve the privacy
not only of regular users but in particular of whistleblowers and dissidents.
Yet, in this work we show how a malicious application can infer opened websites
from Google Chrome in Incognito mode and from Tor Browser by exploiting
hardware performance events (HPEs). In particular, we analyze the browsers'
microarchitectural footprint with the help of advanced Machine Learning
techniques: k-th Nearest Neighbors, Decision Trees, Support Vector Machines,
and in contrast to previous literature also Convolutional Neural Networks. We
profile 40 different websites, 30 of the top Alexa sites and 10 whistleblowing
portals, on two machines featuring an Intel and an ARM processor. By monitoring
retired instructions, cache accesses, and bus cycles for at most 5 seconds, we
manage to classify the selected websites with a success rate of up to 86.3%.
The results show that hardware performance events can clearly undermine the
privacy of web users. We therefore propose mitigation strategies that impede
our attacks and still allow legitimate use of HPEs
Cache-based Timing Side-channels in Partitioning Hypervisors
Dissertação de mestrado em Engenharia Eletrónica Industrial e ComputadoresIn recent years, the automotive industry has seen a technology complexity increase to comply with
computing innovations such as autonomous driving, connectivity and mobility. As such, the need to reduce
this complexity without compromising the intended metrics is imperative.
The advent of hypervisors in the automotive domain presents a solution to reduce the complexity of
the systems by enabling software portability and isolation between virtual machines (VMs).
Although virtualization creates the illusion of strict isolation and exclusive resource access, the
convergence of critical and non-critical systems into shared chips presents a security problem. This shared
hardware has microarchitectural features that can be exploited through their temporal behavior, creating
sensitive data leakage channels between co-located VMs. In mixed-criticality systems, the exploitation of
these channels can lead to safety issues on systems with real-time constraints compromising the whole
system.
The implemented side-channel attacks demonstrated well-defined channels, across two real-time
partitioning hypervisors in mixed-criticality systems, that enable the inference of a co-located VM’s
cache activity. Furthermore, these channels have proven to be mitigated using cache coloring as a
countermeasure, thus increasing the determinism of the system in detriment of average performance.
From a safety perspective, this dissertation emphasizes the need to weigh the tradeoffs of the trending
architectural features that target performance over predictability and determinism.Nos últimos anos, a indústria automotiva tem sido objeto de um crescendo na sua complexidade
tecnológica de maneira a manter-se a par das mais recentes inovações de computação. Sendo assim, a
necessidade de reduzir a complexidade sem comprometer as métricas pretendidas é imperativa.
O advento dos hipervisores na indústria automotiva apresenta uma solução para a redução da
complexidade dos sistemas, possiblitando a portabilidade do software e o isolamento entrevirtual vachines
(VMs).
Embora a virtualização crie a ilusão de isolamento e acesso exclusivo a recursos, a convergência
de sistemas críticos e não-críticos em chips partilhados representa um problema de segurança. O
hardware partilhado tem características microarquiteturais que podem ser exploradas através do seu
comportamento temporal, criando canais de fuga de informação crítica entre VMs adjacentes. Em
sistemas de criticalidade mista, a exploração destes canais pode comprometer sistemas com limitações
de tempo real.
Os ataques side-channel implementados revelam canais bem definidos que possibilitam a inferência
da atividade de cache de VMs situadas no mesmo processador. Além disso, esses canais provaram serem
passíveis de ser mitigados usando cache coloring como estratégia de mitigação, aumentando assim o
determinismo do sistema em detrimento da sua performance.
De uma perspetiva da segurança, esta dissertação enfatiza a necessidade de pesar os tradeoffs das
tendências arquiteturais que priorizam a performance e secundarizam o determinismo e previsibilidade
do sistema
Detecting time-fragmented cache attacks against AES using Performance Monitoring Counters
Cache timing attacks use shared caches in multi-core processors as side
channels to extract information from victim processes. These attacks are
particularly dangerous in cloud infrastructures, in which the deployed
countermeasures cause collateral effects in terms of performance loss and
increase in energy consumption. We propose to monitor the victim process using
an independent monitoring (detector) process, that continuously measures
selected Performance Monitoring Counters (PMC) to detect the presence of an
attack. Ad-hoc countermeasures can be applied only when such a risky situation
arises. In our case, the victim process is the AES encryption algorithm and the
attack is performed by means of random encryption requests. We demonstrate that
PMCs are a feasible tool to detect the attack and that sampling PMCs at high
frequencies is worse than sampling at lower frequencies in terms of detection
capabilities, particularly when the attack is fragmented in time to try to be
hidden from detection
Bankrupt Covert Channel: Turning Network Predictability into Vulnerability
Recent years have seen a surge in the number of data leaks despite aggressive
information-containment measures deployed by cloud providers. When attackers
acquire sensitive data in a secure cloud environment, covert communication
channels are a key tool to exfiltrate the data to the outside world. While the
bulk of prior work focused on covert channels within a single CPU, they require
the spy (transmitter) and the receiver to share the CPU, which might be
difficult to achieve in a cloud environment with hundreds or thousands of
machines.
This work presents Bankrupt, a high-rate highly clandestine channel that
enables covert communication between the spy and the receiver running on
different nodes in an RDMA network. In Bankrupt, the spy communicates with the
receiver by issuing RDMA network packets to a private memory region allocated
to it on a different machine (an intermediary). The receiver similarly
allocates a separate memory region on the same intermediary, also accessed via
RDMA. By steering RDMA packets to a specific set of remote memory addresses,
the spy causes deep queuing at one memory bank, which is the finest addressable
internal unit of main memory. This exposes a timing channel that the receiver
can listen on by issuing probe packets to addresses mapped to the same bank but
in its own private memory region. Bankrupt channel delivers 74Kb/s throughput
in CloudLab's public cloud while remaining undetectable to the existing
monitoring capabilities, such as CPU and NIC performance counters.Comment: Published in WOOT 2020 co-located with USENIX Security 202
Performance Counters to Rescue: A Machine Learning based safeguard against Micro-architectural Side-Channel-Attacks
Micro-architectural side-channel-attacks are presently daunting threats to most mathematically elegant encryption algorithms. Even though there exist various defense mechanisms, most of them come with the extra overhead of implementation. Recent studies have prevented some particular categories of these attacks but fail to address the detection of other classes. This paper presents a generic machine learning based multi-layer detection approach targeting these micro-architectural side-channel-attacks, without concentrating on a single category. The proposed approach work by proling low-level hardware events using Linux perf event API and then by analyzing these data with some appropriate machine learning techniques. This paper also presents a novel approach, using time-series data, to correlate the execution trace of the adversary with the secret key of encryption for dealing with false-positives and unknown attacks. The experimental results and performance of the proposed approach suggest its superiority with high detection accuracy and low performance overhead
Real time detection of cache-based side-channel attacks using hardware performance counters
Cache-based side-channel attacks are increasingly exposing the weaknesses of many cryptographic libraries and tools by showing that, even though the algorithms might be considered strong, their implementations often lead to unexpected behaviors that can be exploited to obtain sensitive data, usually encryption keys. In this study we analyze three methods to detect cache-based side-channel attacks in real time, preventing or limiting the amount of leaked information. We focus our efforts on detecting three attacks on the well-known OpenSSL library: one that targets AES, one that targets RSA and one that targets ECDSA. The first method is based on monitoring the involved processes and assumes the victim process is known. By collecting and correlating the monitored data we find out whether there exists an attacker and pinpoint it. The second method uses anomaly detection techniques and assumes the benign processes and their behavior are known. By treating the attacker as a potential anomaly we understand whether an attack is in progress and which process is performing it. The last method is based on employing a neural network, a machine learning technique, to profile the attacker and to be able to recognize when a process that behaves suspiciously like the attacker is running. All the three of them can successfully detect an attack in about one fifth of the time required to complete it. We could not experience the presence of false positives in our test environment and the overhead caused by the detection systems is negligible. We also analyze how the detection systems behave with a modified version of one ofthe spy processes. With some optimization we are confident these systems can be used in real world scenarios
- …