Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preventing Page Faults from Telling Your Secrets Shweta Shinde Zheng Leong Chua Vishwesh Narayanan Prateek Saxena National University of Singapore.

Published byBennett Gallagher Modified over 8 years ago

Similar presentations

Presentation on theme: "Preventing Page Faults from Telling Your Secrets Shweta Shinde Zheng Leong Chua Vishwesh Narayanan Prateek Saxena National University of Singapore."— Presentation transcript:

1 Preventing Page Faults from Telling Your Secrets Shweta Shinde Zheng Leong Chua Vishwesh Narayanan Prateek Saxena National University of Singapore

2 Should user application trust the OS? 2 Operating Systems Hypervisor CVEs in Linux [CVE-DB]CVE-DB CVEs in Xen [CVE-DB]CVE-DB 150 KLOC 10 MLOC Large TCB Increases the risk of rootkits and malware

3 Hardware Isolated Enclaves  OS cannot access application’s memory  Long line of work: Overshadow, Inktag, AppShield, PodArch, Intel SGX, …. 3 CPU Untrusted OS From October 2015, Intel has started shipping SGX support in commodity Skylake Processors Intel SGX Enclaves

4 Problem in the Design of Enclaves  OS manages enclave resources  Opens attack surface via side channels: system calls, file I/O  Recent attack channel: Page Fault* 4 Memory management Intel SGX CPU *[Xu et al. – IEEE S&P’15]

5 Are security critical cache-hardened applications vulnerable?

6 A Real Example: AES Encryption 6 Enclave Intel SGX CPU Table 1 [1c], …, Table1[ff] Enclave’s pages Application page table Page faults: Virtual Memory mov Table1[idx], rax Table 1 [0], …, Table 1 [1b] P0 P1 P2 P1 P2 3E1A 09 46 idx: Leaks 25 bits of encryption key in first round! “Pigeonholes” Page Accesses Physical Memory Table 1 [0], …, Table 1 [1b] Table 1 [1c], …, Table1[ff]

7 Contributions Attacks on real crypto routine implementations Technique to eliminate page fault side-channel Hardware changes for lowering the overheads 7 10 / 24 are vulnerable 10 / 24 are vulnerable Leak 27 bits on average Leak 27 bits on average Compiler support for annotations Compiler support for annotations Performance Optimization Performance Optimization

8 Pigeonhole Attack Example: Data Access mov Table1[idx], rax idx < 1c idx >= 1c P1 P2 Table 1 Input dependent data page access leaks 25 bits of information

9 9 ec_mul P1: 0xA7310 add_points P2: 0xA6CB0 test_bit P3: 0x9EB30 ec_mul(r, G) { res = O nbits = |r| for (i = nbits-1; i>=0; i--): res = dup_point(res) if (test_bit(r[i])): res = add_points(res, G) return res } r[i]==1 r[i]==0 Input dependent code page access reveals all the bits of ECDSA keys! Pigeonhole Attack Example: Code Access ECDSA Signing Routine

10 Impact of Pigeonhole Attacks  Analyzed Libgcrypt v1.6.3, OpenSSL v1.0.2  Compiled with gcc v4.8.3 and LLVM v3.4  Leakage via input dependent data page access  AES, CAST5, SEED, Stribog, Tiger, Whirlpool  Leakage via input dependent code page access  EdDSA, powm (used by RSA, DSA, ElGamal) 10

11 Impact of Pigeonhole Attacks OS can infer significant number of bits

12 Defenses against Pigeonhole Attacks

13 A Software-only Defense: Determinising Page Accesses Observation:  OS cannot differentiate accesses in a page Key Insight:  Confine all input-dependent memory accesses to a staging page  Program will exhibit same page-access profile independent of the input 13 Make the program execution Page-fault Oblivious

14 Solution Overview 14 Program Source Code Program Source Code Developer Annotations Developer Annotations Rewrite Program Instructions Identify Sensitive Code & Data PF-Oblivious Program Input Enforce Deterministic Page Accesses Output Determinise Page Layout

15 Determinising Page Layout 15 Enclave’s Staging Page

16 Multiplexed Execution  Fetch all the input-dependent code / data to a staging page  Execute the dependent-logic within the staging page via a multiplexer  Save the updated values from data page

17 Example: Determinising Data Accesses P1 P2 Table 1 mov Table1[idx],rax P0 P0: Code Staging Page mov Table1[idx],rax P0 P1 P0 P2 Page-fault Profile: Table 1 P1: Data Staging Page P0 P1 P0 P1 Page-fault Profile:

18 Example: Determinising Code Accesses P0: Code Staging Page P1 P2 P1 P3 P1 Page-fault Profile r =1 P1: Data Staging Page P0 P1 P0 Page-fault Profile: ec_mul P1: 0xA7310 add_points P2: 0xA6CB0 test_bit P3: 0x9EB30 ec_mul add_points test_bit r[i]==1 or 0 P1 P2 P1 P3 P1 P1 P2 Page-fault Profile r =0

19 More Complex Example: powm powm mul_mod karatsuba_release set_cond karatsuba_case mpih_divrem mpih_mu l mul_N, mul_N_basecase Arithmetic Operations (addition, subtraction, shift) Enclave’s Staging Page

20 Performance Evaluation *All measurements were conducted on PodArch [NUS-TR]

21 Evaluation: Unoptimized Overhead 21 Fetch-Save Operations Dominate the Costs Directly enforcing deterministic multiplexing is costly

22 Incurs huge overhead for real programs (> 4000X for powm) Incurs huge overhead for real programs (> 4000X for powm)

23 Optimizations: Exploiting Data Locality O1: Eliminating copy operations Skip the save operation for read-only data O2: Page Realignment Merge small data blocks into a single page Reduces fetch operations 23

24 Optimizations: Exploiting Code Locality O3: Level Merging mul_mod karatsuba_case mpih_divrem mpih_mu l mul_N, mul_N_basecase Arithmetic Operations (addition, subtraction, shift) Enclave’s Staging Page

25 Optimizations: Exploiting Code Locality O4: MUX Elimination, no staging area mul_mod karatsuba_case mpih_divrem mpih_mu l mul_N, mul_N_basecase Arithmetic Operations (addition, subtraction, shift) Code Page 1 Code Page 2

26 Optimizations: Exploiting Code Locality O5: Control-to-Data Dependency Transformation (if-conversion) if (c) { result = result*2; } if (c) { result = result*2; } staging_area[0] = result; staging_area[1] = result*2; result = staging_area[c]; staging_area[0] = result; staging_area[1] = result*2; result = staging_area[c]; Input-dependent code access Input-dependent data access

27 End-to-end Solution 27 Program Source Code Program Source Code Developer Annotations Developer Annotations Rewrite Program Instructions Identify Sensitive Code & Data PF-Oblivious Program Input Output Determinise Page Layout Developer Optimization Implemented as Clang-LLVM Compiler Pass

28 Evaluation: Effectiveness of Optimizations 28 Case-Specific Optimizations Are Orders of Magnitude Better!

29 Hardware-based Solution

30 Hardware Approach: Contractual Execution 30 Sensitive Computation Enclave Page Contract: {P1, P2, P3} Enclave Fault Handler: get TIME wait (TIME- k) terminate () OS CPU Page Fault Abort Enclave Request Register

31 Potential Hardware Changes  Inform enclave about the page-fault ◦Support available in SGX v2  Establishing and enforcing contracts ◦Requires additional hardware support Implemented as amendments to PodArch 31

32 Evaluation: Hardware-based Solution Overhead 32 A Simpler Defense with 7% overheads is possible with a hardware modification!

33 Related Work 33 Oblivious RAM Self-paging Cache Hardening Time Bucketing

34 Conclusion Attacks on OpenSSL and Libgrcypt implementations Software defense by determinzing page faults Hardware approach reduces overhead to 6.77% 34 10 / 24 are vulnerable 10 / 24 are vulnerable 27-100 % leakage 27-100 % leakage Compiler support for annotations Compiler support for annotations Max. 29.22% opt. overhead

35 Intel’s Note for Enclave Programmers 35

36 Contact Shweta Shinde shweta24@comp.nus.edu.sg 36 Thank You !

37 References [CCS’15] Y. Xu, W. Cui, and M. Peinado, Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems [OSDI’14] A. Baumann, M. Peinado, G. Hunt, Shielding Applications from an Untrusted Cloud with Haven. [HASP’13] F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, U. R. Savagaonkar, Innovative Instructions and Software Model for Isolated Execution [S&P’15] Shweta Shinde, Shruti Tople, Deepak Kathayat, Prateek Saxena, Poster: PodArch: Protecting Legacy Applications with a Purely Hardware TCB [ JACM ‘96] O. Goldreich and R. Ostrovsky, Software Protection and Simulation on Oblivious RAMs Software Guard Extensions Programming Reference Rev. 2 software.intel.com/sites/default/files/329298-002.pdf software.intel.com/sites/default/files/329298-002.pdf Intel® Software Guard Extensions Enclave Writer’s Guide https://software.intel.com/sites/default/files/managed/ae/48/Software-Guard- Extensions-Enclave-Writers-Guide.pdf https://software.intel.com/sites/default/files/managed/ae/48/Software-Guard- Extensions-Enclave-Writers-Guide.pdf 37

38 Backup Slides

39 If staging area doesn’t fit in page? Compacted Multiplexing with Smart Copy: While fetching, keep over-writing the fake blocks Copy real block in non-overlapping location in the page OS cannot see that the copy within a page is overwriting the content 39

40 AES: Information Leakage Calculations AES first round uses the first 128 bits of the key Initial uncertainty = 2 128 OS knows for half the bits ◦if the index is less than 0x1c (28 8-bit values) Final uncertainty = 2 64 × 28 8 Information leakage (in bits) log 2 (2 128 − (2 64 × 28 8 )) = 25.54 bits 40

41 Timing Channel Crypto implementations have balanced execution trees If the adversary can distinguish executions in the PF-oblivious execution, then he can learn that information even in absence of PF- channel

Download ppt "Preventing Page Faults from Telling Your Secrets Shweta Shinde Zheng Leong Chua Vishwesh Narayanan Prateek Saxena National University of Singapore."

Similar presentations

CPU Structure and Function

CPU Structure and Function
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Implementing an Untrusted Operating System on Trusted Hardware.

Implementing an Untrusted Operating System on Trusted Hardware.
Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI 2014. Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.

Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.
Chapter 1 Computer System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 1 Computer System Overview Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Yuanzhong Xu, Weidong Cui, Marcus Peinado

Yuanzhong Xu, Weidong Cui, Marcus Peinado
CS 104 Introduction to Computer Science and Graphics Problems

CS 104 Introduction to Computer Science and Graphics Problems
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Computer System Overview

Computer System Overview
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.

Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.

Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
G53SEC 1 Reference Monitors Enforcement of Access Control.

G53SEC 1 Reference Monitors Enforcement of Access Control.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Similar presentations

Ads by Google