Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yuanzhong Xu, Weidong Cui, Marcus Peinado

Published byAlbert Newman Modified over 9 years ago

Similar presentations

Presentation on theme: "Yuanzhong Xu, Weidong Cui, Marcus Peinado"— Presentation transcript:

1 Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems
Yuanzhong Xu, Weidong Cui, Marcus Peinado The University of Texas at Austin, Microsoft Research San Jose, CA May 19, 2015

2 Applications run on top of OS

3 Reasons to distrust the OS
rootkit Large code bases, security bugs

4 Reasons to distrust the OS
Hosted on untrusted cloud OS

5 “Shielding systems:” remove OS from trusted computing base (TCB)
Use hypervisor or secure hardware to confine OS Hypervisor-based Overshadow [ASPLOS '08] InkTag [ASPLOS '13] Intel SGX-based Haven [OSDI '14] OS Hypervisor or SGX CPU

6 “Shielding systems:” remove OS from trusted computing base (TCB)
Hypervisor or SGX protects application memory pages from OS Secrecy Integrity Protected app memory pages OS Hypervisor or SGX CPU

7 “Shielding systems:” backward-compatibility & functionality
Run legacy applications, on a legacy OS (with small or no modifications) OS is still needed Memory management Storage Network OS Efficient memory management Hypervisor or SGX CPU

8 “Shielding systems:” backward-compatibility & functionality
Run legacy applications, on a legacy OS (with small or no modifications) OS is still needed Memory management Storage Network Protected app memory pages Application page table OS Integrity Hypervisor or SGX CPU

9

10 Breaking the shield (1/3)
JPEG decoding (libjpeg) OS Hypervisor (InkTag) or SGX CPU (Haven)

11 Breaking the shield (2/3)
Font rendering (FreeType) The treasure is buried ten feet north of the third palm tree 100% accuracy English letters Common punctuation marks The treasure is buried ten feet north of the third palm tree OS Hypervisor (InkTag) or SGX CPU (Haven)

12 Breaking the shield (3/3)
Spell checking (Hunspell) Folklore, legends, myths and fairy tales… 96% accuracy All words in novel “The Wizard of OZ” folklore *legend* myths and fairy *tale*… OS Hypervisor (InkTag) or SGX CPU (Haven)

13 How? “Controlled-channel attacks” – Side channel attacks from the OS
Powerful due to the OS’ control over the applications

14 Side-channel attacks Traditional side channels:
cache access, power consumption, network traffic… Victim 1 secret

15 Side-channel attacks Traditional side channels:
cache access, power consumption, network traffic… System noise: context switches, TLB flushes, exceptions, page faults Victim secret

16 Side channels for the OS
Under attacker’s control System noise: context switches, TLB flushes, exceptions, page faults Victim secret Noise-free channel OS

17 “Controlled-channel attacks”
Page faults as a side channel Deterministic: OS controls page tables Set traps by making pages inaccessible Do not need timing Protected app memory pages Application page table Page faults OS Challenge: page-level granularity Hypervisor or SGX CPU

18 Input-dependent memory access
Page X Page Y Page Z Page fault sequence X, Y Page fault sequence X, Z if (input) func1() func2()

19 Input-dependent memory access
input = n Page X read array[n] N >= 4 Page fault sequence: X, Z N <= 3 Page fault sequence: X, Y Page Y Page Z array 1 2 3 4 5 6 7

20 Hunspell Open-source spell checker, used in

21 Hunspell – hash table Separate chaining
Pointer array: index is hash code Assumption: Dictionary is known Load Page-level knowledge about layout PG 1 PG 2 PG 3 PG 4 PG 5 PG 6 PG 7 a side Page faults change attack channel size Linked lists Out of textbook. Standard data structure can leak data. Many other apps may also

22 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7

23 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults: 4

24 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults: 4 7

25 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults:

26 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults:

27 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults:

28 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults:

29 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults:

30 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 Input: side channel attack while (word) { n = hash(word); listnode = table[n]; while (listnode) { if (equal(listnode, word)) break; listnode = listnode->next; } if (listnode) success(); else failure(); word = get_next(); a side change attack channel size PG 5 PG 6 PG 7 Page faults: h h h side channel attack

31 Hunspell – hash table lookup
PG 1 PG 2 PG 3 PG 4 hash Hash function shuffles the order Low correlation between The address of the head pointer The addresses of the list nodes Low ambiguity a side change attack channel size Output of hash is uncorrelated to anything One page 512 pointers PG 5 PG 6 PG 7 Page faults: h h h side channel attack

32 Attack results Implemented 3 attacks (Hunspell, FreeType, libjpeg) on both Haven and InkTag Hunspell (spell checking) ~96% accuracy for novel “The Wizard of Oz” FreeType (font rendering) 100% accuracy for any English input (letters and punctuation marks)

33 libjpeg results

34 Performance overhead Non-trivial overhead due to expensive page fault handling The attacks are still realistic to execute Hunspell: 2.94s to check the entire novel (39,719 words) FreeType: 0.52s to render 5 KB text Small run time may be hidden in noises

35 Thoughts on potential mitigations
No great off-the-shelf solution Applications: rewrite to hide access patterns Manually (e.g., OpenSSL) or by compiler High cost for complex legacy apps: engineering effort & performance overhead Shielding systems: more restrictions over the OS Restrictions on memory management May affect functionality Rethink the challenges for Overshadow’s vision – protect legacy applications from legacy untrusted operating systems

36 Conclusion An untrusted OS can construct noise-free side channels.
The page-fault side channel leaks large amounts of information about legacy applications. Controlled-channel attacks must be addressed in the design of shielding systems.

Download ppt "Yuanzhong Xu, Weidong Cui, Marcus Peinado"

Similar presentations

Virtualization Technology

Virtualization Technology
Virtualisation From the Bottom Up From storage to application.

Virtualisation From the Bottom Up From storage to application.
Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.

Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,

1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,
4/14/2017 Discussed Earlier segmentation - the process address space is divided into logical pieces called segments. The following are the example of types.

4/14/2017 Discussed Earlier segmentation - the process address space is divided into logical pieces called segments. The following are the example of types.
Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI 2014. Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.

Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
Virtual Memory Virtual Memory Management in Mach Labels and Event Processes in Asbestos Ingar Arntzen.

Virtual Memory Virtual Memory Management in Mach Labels and Event Processes in Asbestos Ingar Arntzen.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.

Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
CS333 Intro to Operating Systems Jonathan Walpole.

CS333 Intro to Operating Systems Jonathan Walpole.
G53SEC 1 Reference Monitors Enforcement of Access Control.

G53SEC 1 Reference Monitors Enforcement of Access Control.

Similar presentations

Ads by Google