Cache-Base Application Detection in the Cloud Using Machine Learning

Cross-VM attacks have emerged as a major threat on commercial clouds. These attacks commonly exploit hardware level leakages on shared physical servers. A co-located machine can readily feel the presence of a co-located instance with a heavy computational load through performance degradation due to contention on shared resources. Shared cache architectures such as the last level cache (LLC) have become a popular leakage source to mount cross-VM attack. By exploiting LLC leakages, researchers have already shown that it is possible to recover fine grain information such as cryptographic keys from popular software libraries. This makes it essential to verify implementations that handle sensitive data across the many versions and numerous target platforms, a task too complicated, error prone and costly to be handled by human beings. Here we propose a machine learning based technique to classify applications according to their cache access profiles. We show that with minimal and simple manual processing steps feature vectors can be used to train models using support vector machines to classify the applications with a high degree of success. The profiling and training steps are completely automated and do not require any inspection or study of the code to be classified. In native execution, we achieve a successful classification rate as high as 98\% (L1 cache) and 78\% (LLC) over 40 benchmark applications in the Phoronix suite with mild training. In the cross-VM setting on the noisy Amazon EC2 the success rate drops to 60\% for a suite of 25 applications. With this initial study we demonstrate that it is possible to train meaningful models to successfully predict applications running in co-located instances

Co-location detection on the Cloud

In this work we focus on the problem of co-location as a first step of conducting Cross-VM attacks such as Prime and Probe or Flush+Reload in commercial clouds. We demonstrate and compare three co-location detection methods namely, cooperative Last-Level Cache (LLC) covert channel, software profiling on the LLC and memory bus locking. We conduct our experiments on three commercial clouds, Amazon EC2, Google Compute Engine and Microsoft Azure. Finally, we show that both cooperative and non-cooperative co-location to specific targets on cloud is still possible on major cloud services

Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud

It has been six years since Ristenpart et al. demonstrated the viability of co-location and provided the first concrete evidence for sensitive information leakage on a commercial cloud. We show that co-location can be achieved and detected by monitoring the last level cache in public clouds. More significantly, we present a full-fledged attack that exploits subtle leakages to recover RSA decryption keys from a co-located instance. We target a recently patched Libgcrypt RSA implementation by mounting Cross-VM Prime and Probe cache attacks in combination with other tests to detect co-location in Amazon EC2. In a preparatory step, we reverse engineer the unpublished nonlinear slice selection function for the 10 core Intel Xeon processor which significantly accelerates our attack (this chipset is used in Amazon EC2). After co-location is detected and verified, we perform the Prime and Probe attack to recover noisy keys from a carefully monitored Amazon EC2 VM running the aforementioned vulnerable libgcrypt library. We subsequently process the noisy data and obtain the complete 2048-bit RSA key used during encryption. This work reaffirms the privacy concerns and underlines the need for deploying stronger isolation techniques in public clouds

Cache Attacks Enable Bulk Key Recovery on the Cloud

Cloud services keep gaining popularity despite the security concerns. While non-sensitive data is easily trusted to cloud, security critical data and applications are not. The main concern with the cloud is the shared resources like the CPU, memory and even the network adapter that provide subtle side-channels to malicious parties. We argue that these side-channels indeed leak fine grained, sensitive information and enable key recovery attacks on the cloud. Even further, as a quick scan in one of the Amazon EC2 regions shows, high percentage -55\%- of users run outdated, leakage prone libraries leaving them vulnerable to mass surveillance. The most commonly exploited leakage in the shared resource systems stem from the cache and the memory. High resolution and the stability of these channels allow the attacker to extract fine grained information. In this work, we employ the \PnP\ attack to retrieve an RSA secret key from a co-located instance. To speed up the attack, we reverse engineer the cache slice selection algorithm for the Intel Xeon E5-2670 v2 that is used in our cloud instances. Finally we employ noise reduction to deduce the RSA private key from the monitored traces. By processing the noisy data we obtain the complete 2048-bit RSA key used during the decryption

MicroWalk: A Framework for Finding Side Channels in Binaries

Microarchitectural side channels expose unprotected software to information leakage attacks where a software adversary is able to track runtime behavior of a benign process and steal secrets such as cryptographic keys. As suggested by incremental software patches for the RSA algorithm against variants of side-channel attacks within different versions of cryptographic libraries, protecting security-critical algorithms against side channels is an intricate task. Software protections avoid leakages by operating in constant time with a uniform resource usage pattern independent of the processed secret. In this respect, automated testing and verification of software binaries for leakage-free behavior is of importance, particularly when the source code is not available. In this work, we propose a novel technique based on Dynamic Binary Instrumentation and Mutual Information Analysis to efficiently locate and quantify memory based and control-flow based microarchitectural leakages. We develop a software framework named \tool~for side-channel analysis of binaries which can be extended to support new classes of leakage. For the first time, by utilizing \tool, we perform rigorous leakage analysis of two widely-used closed-source cryptographic libraries: \emph{Intel IPP} and \emph{Microsoft CNG}. We analyze $15$ different cryptographic implementations consisting of $112$ million instructions in about $105$ minutes of CPU time. By locating previously unknown leakages in hardened implementations, our results suggest that \tool~can efficiently find microarchitectural leakages in software binaries

Towards Automated Analysis of Microarchitectural Attacks using Machine Learning

Cloud computing has gained tremendous popularity among small and mid-size businesses, providing many companies to access cloud services without the need for investing in computer software and hardware. In order to o↵er the highest performance to clients, multi-core servers are mostly preferred by the cloud providers, which yields to sharing the same hardware resources among clients. Although it is expected that hardware virtualization is a sufficient protection against potential attackers from co-located users, microarchitectural attacks still pose a significant threat in the cloud due to the shared hardware resources. Moreover, similar attack techniques are applicable in both personal computers and mobile phones when a benign-looking malicious application is installed in the system. Today, microarchitectural attacks are more important threat than ever, since the capabilities of the attacks have been extended tremendously. In order to recover confidential information from a third-party by implementing a microarchitectural attack, thousands or millions of side-channel measurements are collected. Since the side-channel analysis requires engineering expertise to extract the information such as handling mis-alignment and extracting the secret bits one by one, it takes huge amount of time to process millions of side-channel data samples. Thanks to recent advances in Machine Learning, the complex tasks can be handled efficiently with the high computation power of GPUs. The linear and non-linear problem solving capabilities of Machine Learning algorithms are integrated with giant matrix multiplications, the success rate improves drastically. However, the appropriate application of Machine Learning techniques on side-channel measurements is still an ongoing research area, which can provide huge time and performance gain in terms of leakage extraction. The goal of this dissertation is to propose Machine Learning based approaches to processing of side-channel measurements in different platforms. First, we introduce a targeted co-location technique by using cryptographic libraries on public clouds. Then, a full RSA key recovery attack based on last-level cache is demonstrated on Amazon EC2 public cloud. Next, we implement a Machine Learning assisted cache attack on a public cloud as well as showing that ping requests can be used to identify the co-located VMs. Furthermore, we show that privacy of personal computer and mobile phone users can be violated by third-party applications through microarchitectural attacks. For this purpose, we detect the visited websites, launched applications and watched trailers, as well as, comparing the performance of several Machine Learning techniques. Finally, we propose a Recurrent Neural Network based unsupervised detection mechanism for microarchitectural attacks. We achieve a low false alarm rate and performance overhead by combining the sequence learning capabilities of RNNs and computation power of GPUs