Qian Ge
Gernot Heiser
ABSTRACT
The recent Spectre exploits demonstrated that covert timing channels are a mainstream security threat. Their prevention requires that operating systems provide time protection, in addition to the established memory protection. We propose OS mechanisms and designs which provide time protection, and define requirements on the hardware to enable them. We demonstrate that present mainstream processors do not meet these requirements, making them inherently insecure. We argue the need for a new security-oriented hardware-software contract, which we call the aISA as it augments the ISA, in order to enable time protection.
- Onur Acıiçmez. 2007. Yet another microarchitectural attack: exploiting I-cache. In ACM Computer Security Architecture Workshop (CSAW). Fairfax, VA, US. Google Scholar
Digital Library
- Onur Acıiçmez, Billy Bob Brumley, and Philipp Grabher. 2010. New Results on Instruction Cache Attacks. In Workshop on Cryptographic Hardware and Embedded Systems. Santa Barbara, CA, US. Google ScholarDigital Library
- Amittai Aviram, Sen Hu, Bryan Ford, and Ramakrishna Gummadi. 2010a. Determinating timing channels in compute clouds. In ACM Workshop on Cloud Computing Security. Chicago, IL, US, 103--108. Google ScholarDigital Library
- Amittai Aviram, Shu-Chun Weng, Sen Hu, and Bryan Ford. 2010b. Efficient system-enforced deterministic parallelism. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation. Vancouver, BC, 1--16. Google ScholarDigital Library
- Ernie Brickell, Gary Graunke, Michael Neve, and Jean-Pierre Seifert. 2006. Software mitigations to hedge AES against cache-based software side channel vulnerabilities. IACR Cryptology ePrint Archive 2006 (2006), 52.Google Scholar
- David Cock, Qian Ge, Toby Murray, and Gernot Heiser. 2014. The Last Mile: An Empirical Study of Some Timing Channels on seL4. In ACM Conference on Computer and Communications Security. Scottsdale, AZ, USA, 570--581. Google ScholarDigital Library
- Patrick J. Colp, Jiawen Zhang, James Gleeson, Sahil Suneja, Eyal de Lara, Himanshu Raj, Stefan Saroiu, and Alec Wolman. 2015. Protecting Data on Smartphones and Tablets from Memory Attacks. In International Conference on Architectural Support for Programming Languages and Operating Systems. Istambul, TK. Google ScholarDigital Library
- Data61, CSIRO. 2018. Timing Channel Mitigations. https://ts.data61.csiro.au/projects/TS/timingchannels/arch-mitigation.pml.Google Scholar
- Leonid Domnister, Aamer Jaleel, Jason Loew, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Non-Monopolizable Caches: Low-Complexity Mitigation of Cache Side Channel Attacks. ACM Transactions on Architecture and Code Optimization 8, 4 (Jan. 2012). Google ScholarDigital Library
- Stephen A. Edwards and Edward A. Lee. 2007. The Case for the Precision Timed (PRET) Machine. In Design Automation Conference (DAC). Google ScholarDigital Library
- Dmitry Evtyushkin and Dmitry Ponomarev. 2016. Covert Channels through Random Number Generator: Mechanisms, Capacity Estimation and Mitigations. In Proceedings of the 23rd ACM Conference on Computer and Communications Security. Vienna, AT, 843--857. Google ScholarDigital Library
- Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh. 2016. Understanding and Mitigating Covert Channels Through Branch Predictors. ACM Transactions on Architecture and Code Optimization 13, 1 (April 2016), 10. Google ScholarDigital Library
- Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. 2018. A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware. Journal of Cryptographic Engineering 8 (April 2018), 1--27.Google ScholarCross Ref
- Matt Godbolt. 2016. The BTB in contemporary Intel chips. http://xania.org/201602/bpu-part-threeGoogle Scholar
- Michael Godfrey and Mohammad Zulkernine. 2013. A Server-Side Solution to Cache-Based Side-Channel Attacks in the Cloud. In Proceedings of the 6th IEEEInternational Conference on Cloud Computing. Santa Clara, CA, US. Google ScholarDigital Library
- Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. 2016. Flush+Flush: A Fast and Stealthy Cache Attack. In Proceedings of the 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment. San Sebastián, Spain. Google ScholarDigital Library
- Roberto Guanciale, Hamed Nemati, Christoph Baumann, and Mads Dam. 2016. Cache Storage Channels: Alias-Driven Attacks and Verified Countermeasures. San Jose, CA, US, 38--55.Google Scholar
- Gernot Heiser. 2018. For Safety's Sake: We Need a New Hardware-Software Contract! IEEE Design and Test 35 (March 2018), 27--30.Google Scholar
- Wei-Ming Hu. 1991. Reducing timing channels with fuzzy time. In Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society, Oakland, CA, US, 8--20.Google ScholarCross Ref
- Intel. 2018a. Intel Responds to Security Research Findings. https://newsroom.intel.com/news/intel-responds-to-security-research-findings/Google Scholar
- Intel. 2018b. Microcode Revision Guidance. https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdfGoogle Scholar
- Intel. 2018c. Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners. https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/Google Scholar
- Intel. 2018d. Speculative Execution Side Channel Mitigations. https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdfGoogle Scholar
- Intel Corporation 2016. Intel 64 and IA-32 Architecture Software Developer's Manual Volume 2: Instruction Set Reference, AZ. Intel Corporation. http://www.intel.com.au/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf.Google Scholar
- R. E. Kessler and Mark D. Hill. 1992. Page placement algorithms for large real-indexed caches. ACM Transactions on Computer Systems 10 (1992), 338--359. Google ScholarDigital Library
- Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Haburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwartz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In IEEE Symposium on Security and Privacy. IEEE, San Francisco, 19--37.Google Scholar
- Butler W. Lampson. 1973. A Note on the Confinement Problem. Commun. ACM 16 (1973), 613--615. Google ScholarDigital Library
- Peng Li, Debin Gao, and Michael K Reiter. 2013. Mitigating access-driven timing channels in clouds using StopWatch. In Proceedings of the 43rd International Conference on Dependable Systems and Networks (DSN). Budapest, HU, 1--12. Google ScholarDigital Library
- Jochen Liedtke, Hermann Härtig, and Michael Hohmuth. 1997. OS-controlled cache predictability for real-time systems. In IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). IEEE, Montreal, CA, 213--223. Google ScholarDigital Library
- Moritz Lipp, Michael Schwartz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In USENIX Security Symposium. USENIX, Baltimore, MD, USA, --. Google ScholarDigital Library
- Fangfei Liu, Qian Ge, Yuval Yarom, Frank Mckeen, Carlos Rozas, Gernot Heiser, and Ruby B Lee. 2016. CATalyst: Defeating Last-Level Cache Side Channel Attacks in Cloud Computing. In IEEE Symposium on High-Performance Computer Architecture. Barcelona, Spain, 406--418.Google Scholar
- Fangfei Liu and Ruby B Lee. 2014. Random fill cache architecture. In Proceedings of the 47th ACM/IEE International Symposium on Microarchitecture. Cambridge, UK. Google ScholarDigital Library
- Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee. 2015. Last-Level Cache Side-Channel Attacks are Practical. In IEEE Symposium on Security and Privacy. San Jose, CA, US, 605--622. Google ScholarDigital Library
- William L. Lynch, Brian K. Bray, and M. J. Flynn. 1992. The effect of page allocation on caches. In ACM/IEE International Symposium on Microarchitecture. 222--225. Google ScholarDigital Library
- Clémentine Maurice, Manuel Weber, Michael Schwartz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Kay Römer, and Stefan Mangard. 2017. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. In Network and Distributed System Security Symposium (NDSS). San Diego, CA, US.Google ScholarCross Ref
- Milena Milenkovic, Aleksandar Milenkovic, and Jeffrey Kulick. 2004. Microbenchmarks for Determining Branch Predictor Organization. Software: Practice and Experience 34, 5 (April 2004), 465--487. Google ScholarDigital Library
- Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache Attacks and Countermeasures: The Case of AES. In Proceedings of the 2006 Crytographers' track at the RSA Conference on Topics in Cryptology. Google ScholarDigital Library
- Rodolfo Pellizzoni, Emiliano Betti, Stanley Bak, Gang Yao, John Criswell, Marco Caccamo, and Russell Kegley. 2011. A Predictble Execution Model for COTS-based Embedded Systems. In IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). 269--279. Google ScholarDigital Library
- Colin Percival. 2005. Cache Missing for Fun and Profit. In BSDCon 2005. Ottawa, CA.Google Scholar
- Daniel Sanchez and Christos Kozyrakis. 2011. Vantage: Scalable and Efficient Fine-Grain Cache Partitioning. In International Symposium on Computer Architecture. 57--68. Google ScholarDigital Library
- Jicheng Shi, Xiang Song, Haibo Chen, and Binyu Zang. 2011. Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring. In International Conference on Dependable Systems and Networks Workshops (DSN-W). HK, 194--199. Google ScholarDigital Library
- Mohit Tiwari, Xun Li, Hassan M. G. Wassel, Frederic T. Chong, and Timothy Sherwood. 2009. Execution Leases: A Hardware-supported Mechanism for Enforcing Strong Non-interference. In Proceedings of the 42nd ACM/IEE International Symposium on Microarchitecture. New York, NY, US. Google ScholarDigital Library
- Mohit Tiwari, Jason K Oberg, Xun Li, Jonathan Valamehr, Timothy Levin, Ben Hardekopf, Ryan Kastner, Frederic T Chong, and Timothy Sherwood. 2011. Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security. In Proceedings of the 38th International Symposium on Computer Architecture. San Jose, CA, US. Google ScholarDigital Library
- Vish Viswanathan. 2014. Disclosure of H/W Prefetcher Control on some Intel Processors. https://software.intel.com/en-us/articles/disclosure-of-hw-prefetcher-control-on-some-intel-processorsGoogle Scholar
- Zhenghong Wang and Ruby B. Lee. 2007. New Cache Designs for Thwarting Software Cache-based Side Channel Attacks. In Proceedings of the 34th International Symposium on Computer Architecture. San Diego, CA, US. Google ScholarDigital Library
- Yuval Yarom. 2016. Mastik: A Micro-Architectural Side-Channel Toolkit. http://cs.adelaide.edu.au/~yval/Mastik/Mastik.pdfGoogle Scholar
- Yuval Yarom, Qian Ge, Fangfei Liu, Ruby B. Lee, and Gernot Heiser. 2015. Mapping the Intel Last-Level Cache. http://eprint.iacr.org/.Google Scholar
- Danfeng Zhang, Aslan Askarov, and Andrew C. Myers. 2012. Language-based control and mitigation of timing channels. In Proceedings of the 2012 ACM SIGPLAN Conference on Programming Language Design and Implementation. Beijing, CN, 99--110. Google ScholarDigital Library
- Yinqian Zhang and Michael K. Reiter. 2013. Düppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud. In Proceedings of the 20th ACM Conference on Computer and Communications Security. Berlin, DE, 827--838. Google ScholarDigital Library
- No Security Without Time Protection: We Need a New Hardware-Software Contract
Recommendations
Extended Protection against Stack Smashing Attacks without Performance Loss
ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications ConferenceIn this paper we present an efficient countermeasure against stack smashing attacks. Our countermeasure does not rely on secret values (such as canaries) and protects against attacks that are not addressed by state-of-the-art countermeasures. Our ...
Using attack and protection trees to analyze threats and defenses to homeland security
MILCOM'06: Proceedings of the 2006 IEEE conference on Military communicationsAttacks against computer networks are a serious threat and occur quite often. Currently there are methods using attack trees that can be used to model how these attacks may occur. We have extended this concept to a new tree structure called a protection ...
Comments