147 research outputs found
Mitigating Branch-Shadowing Attacks on Intel SGX using Control Flow Randomization
Intel Software Guard Extensions (SGX) is a promising hardware-based
technology for protecting sensitive computations from potentially compromised
system software. However, recent research has shown that SGX is vulnerable to
branch-shadowing -- a side channel attack that leaks the fine-grained (branch
granularity) control flow of an enclave (SGX protected code), potentially
revealing sensitive data to the attacker. The previously-proposed defense
mechanism, called Zigzagger, attempted to hide the control flow, but has been
shown to be ineffective if the attacker can single-step through the enclave
using the recent SGX-Step framework.
Taking into account these stronger attacker capabilities, we propose a new
defense against branch-shadowing, based on control flow randomization. Our
scheme is inspired by Zigzagger, but provides quantifiable security guarantees
with respect to a tunable security parameter. Specifically, we eliminate
conditional branches and hide the targets of unconditional branches using a
combination of compile-time modifications and run-time code randomization.
We evaluated the performance of our approach by measuring the run-time
overhead of ten benchmark programs of SGX-Nbench in SGX environment
Time-sensitive Information Flow Control in Timed Event-B
Protecting confidential data in todayâs computing\ud
environments is an important problem. Information flow\ud
control can help to avoid information leakage and violations\ud
introduced by executing the software applications. In software\ud
development cycle, it is important to handle security related\ud
issues from the beginning specifications at the level of abstract.\ud
Mu [1] investigated the problem of preserving information flow\ud
security in the Event-B specification models. A typed Event-\ud
B model was presented to enforce information flow security\ud
and to prevent direct flows introduced by the system. However,\ud
in practice, timing behaviours of programs can also introduce\ud
a covert flow. The problem of run-time flow monitoring and\ud
controlling must also be addressed. This paper investigates\ud
information flow control in the Event-B specification language\ud
with timing constructs. We present a timed Event-B system\ud
by introducing timers and relevant time constraints into the\ud
system events. We suggest a time-sensitive flow security condition\ud
for the timed Event-B systems, and present a type system\ud
to close the covert channels of timing flows for the system by\ud
ensuring the security condition. We then investigate how to\ud
refine timed events during the stepwise refinement modelling\ud
to satisfy the security condition
SMoTherSpectre: exploiting speculative execution through port contention
Spectre, Meltdown, and related attacks have demonstrated that kernels,
hypervisors, trusted execution environments, and browsers are prone to
information disclosure through micro-architectural weaknesses. However, it
remains unclear as to what extent other applications, in particular those that
do not load attacker-provided code, may be impacted. It also remains unclear as
to what extent these attacks are reliant on cache-based side channels.
We introduce SMoTherSpectre, a speculative code-reuse attack that leverages
port-contention in simultaneously multi-threaded processors (SMoTher) as a side
channel to leak information from a victim process. SMoTher is a fine-grained
side channel that detects contention based on a single victim instruction. To
discover real-world gadgets, we describe a methodology and build a tool that
locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we
found hundreds of gadgets that can be used to leak information. Finally, we
demonstrate proof-of-concept attacks against the OpenSSH server, creating
oracles for determining four host key bits, and against an application
performing encryption using the OpenSSL library, creating an oracle which can
differentiate a bit of the plaintext through gadgets in libcrypto and glibc
Clockwork: Tracking Remote Timing Attacks
International audienc
Hardware-Assisted Dependable Systems
Unpredictable hardware faults and software bugs lead to application crashes, incorrect computations, unavailability of internet services, data losses, malfunctioning components, and consequently financial losses or even death of people. In particular, faults in microprocessors (CPUs) and memory corruption bugs are among the major unresolved issues of today. CPU faults may result in benign crashes and, more problematically, in silent data corruptions that can lead to catastrophic consequences, silently propagating from component to component and finally shutting down the whole system. Similarly, memory corruption bugs (memory-safety vulnerabilities) may result in a benign application crash but may also be exploited by a malicious hacker to gain control over the system or leak confidential data.
Both these classes of errors are notoriously hard to detect and tolerate. Usual mitigation strategy is to apply ad-hoc local patches: checksums to protect specific computations against hardware faults and bug fixes to protect programs against known vulnerabilities. This strategy is unsatisfactory since it is prone to errors, requires significant manual effort, and protects only against anticipated faults. On the other extreme, Byzantine Fault Tolerance solutions defend against all kinds of hardware and software errors, but are inadequately expensive in terms of resources and performance overhead.
In this thesis, we examine and propose five techniques to protect against hardware CPU faults and software memory-corruption bugs. All these techniques are hardware-assisted: they use recent advancements in CPU designs and modern CPU extensions. Three of these techniques target hardware CPU faults and rely on specific CPU features: â-encoding efficiently utilizes instruction-level parallelism of modern CPUs, Elzar re-purposes Intel AVX extensions, and HAFT builds on Intel TSX instructions. The rest two target software bugs: SGXBounds detects vulnerabilities inside Intel SGX enclaves, and âMPX Explainedâ analyzes the recent Intel MPX extension to protect against buffer overflow bugs.
Our techniques achieve three goals: transparency, practicality, and efficiency. All our systems are implemented as compiler passes which transparently harden unmodified applications against hardware faults and software bugs. They are practical since they rely on commodity CPUs and require no specialized hardware or operating system support. Finally, they are efficient because they use hardware assistance in the form of CPU extensions to lower performance overhead
- âŠ