Results 1 - 10
of
16
Language-based control and mitigation of timing channels
- IN PLDI
, 2012
"... We propose a new language-based approach to mitigating timing channels. In this language, well-typed programs provably leak only a bounded amount of information over time through external timing channels. By incorporating mechanisms for predictive mitigation of timing channels, this approach also pe ..."
Abstract
-
Cited by 21 (2 self)
- Add to MetaCart
(Show Context)
We propose a new language-based approach to mitigating timing channels. In this language, well-typed programs provably leak only a bounded amount of information over time through external timing channels. By incorporating mechanisms for predictive mitigation of timing channels, this approach also permits a more expressive programming model. Timing channels arising from interaction with underlying hardware features such as instruction caches are controlled. Assumptions about the underlying hardware are explicitly formalized, supporting the design of hardware that efficiently controls timing channels. One such hardware design is modeled and used to show that timing channels can be controlled in some simple programs of real-world significance.
Leveraging Gate-Level Properties to Identify Hardware Timing Channels
"... Abstract—Modern embedded computing systems such as med-ical devices, airplanes, and automobiles continue to dominate some of the most critical aspects of our lives. In such systems, the movement of information throughout a device must be tightly controlled to prevent violations of privacy or integri ..."
Abstract
-
Cited by 4 (2 self)
- Add to MetaCart
(Show Context)
Abstract—Modern embedded computing systems such as med-ical devices, airplanes, and automobiles continue to dominate some of the most critical aspects of our lives. In such systems, the movement of information throughout a device must be tightly controlled to prevent violations of privacy or integrity. Unfortunately, bounding the flow of information can often present a significant challenge, as information can flow through channels that are difficult to detect, such as timing channels. As has been demonstrated by recent research in hardware security, information flow tracking techniques deployed at the hardware or gate level show promise at identifying these “timing flows ” but provide no formal statements about this claim nor mechanisms for separating out timing information from other types of flows. In this paper, we first prove that gate-level information flow tracking can in fact detect timing flows. In addition, we work to identify these timing flows separately from other flows by presenting a framework for identifying a different type of flow that we call functional flows. By using this framework to either confirm or rule out the existence of such flows, we leverage the previous work in hardware information flow tracking to effectively isolate timing flows. To show the effectiveness of this model, we demonstrate its usage on three practical examples: a shared bus (I2C), a cache in a MIPS-based processor, and an RSA encryption core, all of which were written in Verilog/VHDL and then simulated in a variety of scenarios. In each scenario, we demonstrate how our framework can be used to identify timing and functional flows and also analyze our model’s overhead.
Timing channel protection for a shared memory controller
- In International Symposium on High Performance Computer Architecture (2014), IEEE
"... Abstract This paper proposes a new memory controller design that enables secure sharing of main memory among mutually mistrusting parties by eliminating memory timing channels. This study demonstrates that shared memory controllers are vulnerable to both side channel and covert channel attacks that ..."
Abstract
-
Cited by 3 (0 self)
- Add to MetaCart
(Show Context)
Abstract This paper proposes a new memory controller design that enables secure sharing of main memory among mutually mistrusting parties by eliminating memory timing channels. This study demonstrates that shared memory controllers are vulnerable to both side channel and covert channel attacks that exploit memory interference as timing channels. To address this vulnerability, we identify the sources of interference in a conventional memory controller design, and propose a protection scheme to eliminate the interference across security domains through two main changes: (i) a per security domain based queueing structure, and (ii) static allocation of time slots in the scheduling algorithm. Multi-programmed workloads comprised of SPEC2006 benchmarks were used to evaluate the protection scheme. The results show that the proposed scheme completely eliminates the timing channels in the shared memory with small hardware and performance overheads.
A Practical Testing Framework for Isolating Hardware Timing Channels
"... Abstract—This work identifies a new formal basis for hardware information flow security by providing a method to separate timing flows from other flows of information. By developing a framework for identifying these different classes of information flow at the gate-level, one can either confirm or r ..."
Abstract
-
Cited by 2 (2 self)
- Add to MetaCart
(Show Context)
Abstract—This work identifies a new formal basis for hardware information flow security by providing a method to separate timing flows from other flows of information. By developing a framework for identifying these different classes of information flow at the gate-level, one can either confirm or rule out the existence of such flows in a provable manner. To demonstrate the effectiveness of our presented model, we discuss its usage on a practical example: a CPU cache in a MIPS processor written in Verilog HDL and simulated in a scenario which accurately models previous cache-timing attacks. We demonstrate how our framework can be used to isolate the timing channel used in these attacks. I.
Enforcing Information Flow Guarantees in Reconfigurable Systems with Mix-trusted IP
, 2011
"... Trusted systems fundamentally rely on the ability to tightly control the flow of information both in-to and out-of the device. Due to their inherent programmability, reconfigurable systems are riddled with security holes (timing channels, undefined behaviors, storage channels, backdoors) which can ..."
Abstract
-
Cited by 2 (2 self)
- Add to MetaCart
(Show Context)
Trusted systems fundamentally rely on the ability to tightly control the flow of information both in-to and out-of the device. Due to their inherent programmability, reconfigurable systems are riddled with security holes (timing channels, undefined behaviors, storage channels, backdoors) which can be used as a foothold for attackers to strike. System designers are constantly forced to respond to these attacks, often only after significant damage has been inflicted. We propose to use the reconfigurable nature of the system to our advantage by taking a bottom-up, hardware based approach to security. Using an information flow secure hardware foundation, which can precisely verify all information flows from Boolean gates, security can be verified all the way up the system stack. This can be used to ensure private keys are never leaked (for secrecy), and that untrusted information will not be used in the making of critical decisions (for safety and fault tolerance).
On Subnormal Floating Point and Abnormal Timing
- In IEEE Symposium on Security and Privacy
, 2015
"... Abstract-We identify a timing channel in the floating point instructions of modern x86 processors: the running time of floating point addition and multiplication instructions can vary by two orders of magnitude depending on their operands. We develop a benchmark measuring the timing variability of ..."
Abstract
-
Cited by 2 (1 self)
- Add to MetaCart
(Show Context)
Abstract-We identify a timing channel in the floating point instructions of modern x86 processors: the running time of floating point addition and multiplication instructions can vary by two orders of magnitude depending on their operands. We develop a benchmark measuring the timing variability of floating point operations and report on its results. We use floating point data timing variability to demonstrate practical attacks on the security of the Firefox browser (versions 23 through 27) and the Fuzz differentially private database. Finally, we initiate the study of mitigations to floating point data timing channels with libfixedtimefixedpoint, a new fixed-point, constant-time math library. Modern floating point standards and implementations are sophisticated, complex, and subtle, a fact that has not been sufficiently recognized by the security community. More work is needed to assess the implications of the use of floating point instructions in security-relevant software.
Language mechanisms for controlling and mitigating timing channels
, 2012
"... We propose a new language-based approach to mitigating timing channels. In this lan-guage, well-typed programs provably leak only a bounded amount of information over time through external timing channels. By incorporating mechanisms for predictive mitigation of timing channels, this approach also p ..."
Abstract
-
Cited by 1 (1 self)
- Add to MetaCart
(Show Context)
We propose a new language-based approach to mitigating timing channels. In this lan-guage, well-typed programs provably leak only a bounded amount of information over time through external timing channels. By incorporating mechanisms for predictive mitigation of timing channels, this approach also permits a more expressive programming model. Timing channels arising from interaction with underlying hardware features such as instruction caches are controlled. Assumptions about the underlying hardware are explicitly formalized, support-ing the design of hardware that efficiently controls timing channels. One such hardware design is modeled and used to show that timing channels can be controlled in some simple programs of real-world significance. 1
A Hardware Design Language for Efficient Control of Timing Channels
, 2014
"... Timing channels pose a real security risk, but methods are lacking for building systems without timing leaks. One reason is that low-level hardware features create timing channels; for example, caches enable probing attacks. We introduce a new hardware design language, SecVerilog, that in conjunctio ..."
Abstract
-
Cited by 1 (1 self)
- Add to MetaCart
(Show Context)
Timing channels pose a real security risk, but methods are lacking for building systems without timing leaks. One reason is that low-level hardware features create timing channels; for example, caches enable probing attacks. We introduce a new hardware design language, SecVerilog, that in conjunction with software-level enforcement makes it possible to build sys-tems in which timing channels and other leakage are verifiably controlled. SecVerilog extends Verilog with annotations that support comprehensive, precise reasoning about information flows at the hardware level. Compared to previous methods for designing secure hardware, SecVer-ilog offers a better tradeoff between expressiveness and run-time overhead. We demonstrate that it is expressive enough to build complex hardware designs, including a MIPS processor, with low overhead in time, space, and programmer effort. Information flow checking is mostly static, permitting hardware designs that are largely unaffected by security enforcement mechanisms. SecVerilog also tracks information at fine granularity, allowing interleaving of instructions and data at different security levels throughout the processor. SecVerilog also comes with stronger formal assurance than previous hardware design methods: we prove that it enforces noninter-ference, ensuring secure information flow. 1
Position Paper: Sapper — A Language for Provable Hardware Policy Enforcement
"... We describe Sapper, a language for creating critical hardware components that have provably secure information flow. Most systems that enforce information flow policies place the hardware microarchitecture within the trusted computing base, and also assume that the observable behavior of that microa ..."
Abstract
- Add to MetaCart
(Show Context)
We describe Sapper, a language for creating critical hardware components that have provably secure information flow. Most systems that enforce information flow policies place the hardware microarchitecture within the trusted computing base, and also assume that the observable behavior of that microarchitecture is fully and correctly documented. However, the reality is that this behavior is incompletely (and sometimes incorrectly) specified, and that the microarchitecture itself often contains implementation bugs. This fact means that all such systems are vulnerable to attack by exploiting undocumented or buggy hardware features. Sapper addresses this problem by enabling flexible and efficient hardware design that is provably secure with respect to a given information flow policy. Sapper uses a hybrid approach that leverages unique language features and static analysis to determine a set of dynamic checks that are automatically inserted into the hardware design. These checks are provably sufficient to guarantee that the resulting hardware prevents all explicit, implicit, and timing channels even if the hardware is otherwise buggy or poorly documented. B.5.2 [Design Aids]: Hard-
WHISK: An Uncore Architecture for Dynamic Information Flow Tracking in Heterogeneous Embedded SoCs ⇤
"... In this paper, we describe for the first time, how Dynamic Information Flow Tracking (DIFT) can be implemented for heterogeneous designs that contain one or more on-chip accelerators attached to a network-on-chip. We observe that implementing DIFT for such systems requires holistic platform level vi ..."
Abstract
- Add to MetaCart
(Show Context)
In this paper, we describe for the first time, how Dynamic Information Flow Tracking (DIFT) can be implemented for heterogeneous designs that contain one or more on-chip accelerators attached to a network-on-chip. We observe that implementing DIFT for such systems requires holistic platform level view, i.e., designing individual components in the heterogeneous system to be capable of supporting DIFT is necessary but not su cient to correctly implement fullsystem DIFT. Based on this observation we present a new system architecture for implementing DIFT, and also describe wrappers that provide DIFT functionality for thirdparty IP components. Results show that our implementation minimally impacts performance of programs that do not utilize DIFT, and the price of security is constant for modest amounts of tagging and then sub-linearly increases with the amount of tagging.
