Efficient Defense against Covert and Side Channel Attack on Multi-core Processor using Signal Processing Techniques Open Access
Modern application workloads are mostly deployed on cloud computing platforms. Illicit communication across user domains is prohibited by the Operating System (OS) or Virtual Machine Manager (VMM) to prevent information leakage. To bypass the software-level isolation maintained by the OS or VMM, adversaries turn to hardware for information exfiltration. Various works demonstrate that shared hardware can be exploited to leak secrets through hardware covert/side channels. It is hard to eliminate this type of information leakage with traditional software-based solutions because these resources are accessed frequently and existing hardware provides limited information on the related hardware events. Frequently accessed microarchitectural components such as caches and Graphics Processing Units (GPUs) provide large attack surfaces for hardware covert/side channels, since they are shared among a large number of processes to boost performance. Simply disabling shared microarchitecture would cause severe performance degradation. In this work, we explore efficient and robust designs to defeat adversaries exploiting shared microarchitecture that is critical for the performance of computer systems while being vulnerable to hardware side/covert channel attacks.

A cache timing channel attack occurs when a spy process infers secrets of another process by covertly observing its cache access pattern. Cache timing channels can be combined with speculative instructions to launch powerful attacks that enable the spy to read secret values of the kernel or other processes. Software layers in the computing stack cannot fully eliminate cache timing channels, since caches are typically shared between multiple processes. We propose three frameworks, Prefetch-guard, Reuse-trap and COTSKnight, to identify and obfuscate cache timing channels. Prefetch-guard detects cache timing channels by analyzing the cache access pattern of applications. Reuse-trap repurposes the performance metric, reuse distance, to identify advanced cache timing channels that try to evade detection. Both frameworks leverage the existing hardware prefetcher to obfuscate cache timing channels through noise injection. Experimental results show that the spy processes suffer a 50% bit error rate on average, which makes it difficult or impossible for adversaries to receive any information. COTSKnight repurposes existing hardware mechanisms, namely Cache Allocation Technology (CAT) and Cache Monitoring Technology (CMT), to disband cache timing channels on commercial-off-the-shelf processors. Experimental results show that COTSKnight is able to mitigate the adversary with less than 5% overhead on benign workloads.

Recent work demonstrated that modern GPUs do not erase the remnant data left behind in GPU memory by previous applications prior to an OS context switch. A spy process can steal the sensitive data of the previous application by allocating a large memory region and dumping the data within the region before it is overwritten. Initializing every memory page on context switch would slow down the GPU, which is against its original purpose of boosting the performance of computer systems. We propose EraseMe, an efficient framework which intelligently removes the memory pages with the highest information entropy. Preliminary experimental results show that EraseMe can increase the difficulty by 10x for the attacker.

Side channels can be implemented on various microarchitectural components in different ways. We extend Reuse-trap to explore the possibility of detecting different types of side channels using a generic framework. We analyzed the fundamentals of side channels using a three-step model and found that repetitive interference is necessary for most side channel implementations regardless of the attack surface. We proposed a generic framework that records repurposed reuse distance to detect side channels on various microarchitectural components. We discussed the configuration of the framework to detect different implementations of side channels. We demonstrated our framework using the Spectre attack. The experimental results show that our proposal can efficiently distinguish the adversary from benign workloads. Combined with Prefetch-guard, the detector can obfuscate the Spectre side channel and make it difficult or impossible for the spy to recover the leaked information.
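The EraseMe idea described above, scrubbing only the memory pages with the highest information entropy instead of every page, can be sketched as follows. This is an added example, not code from the thesis: the abstract does not say how EraseMe measures entropy, so byte-level Shannon entropy, the 4096-byte page size, the fixed scrub budget and the four-page sample buffer are all assumptions made for illustration.

```python
import hashlib
from collections import Counter
from math import log2

PAGE_SIZE = 4096  # assumed page size for this sketch


def page_entropy(page: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    n = len(page)
    return sum(c / n * log2(n / c) for c in Counter(page).values())


def rank_pages(memory: bytes, page_size: int = PAGE_SIZE) -> list[tuple[int, float]]:
    """Return (page_index, entropy) pairs, highest entropy first."""
    pages = [memory[i:i + page_size] for i in range(0, len(memory), page_size)]
    scored = [(idx, page_entropy(p)) for idx, p in enumerate(pages)]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def scrub_top_pages(memory: bytearray, budget: int, page_size: int = PAGE_SIZE) -> list[int]:
    """Zero the `budget` highest-entropy pages in place; return their indices.

    Pages whose entropy is already 0.0 (constant fill) are skipped, since
    overwriting them spends budget without removing any residual data.
    """
    ranked = rank_pages(bytes(memory), page_size)
    chosen = [idx for idx, h in ranked[:budget] if h > 0.0]
    for idx in chosen:
        start = idx * page_size
        end = min(len(memory), start + page_size)  # do not grow a short last page
        memory[start:end] = bytes(end - start)
    return sorted(chosen)


def build_sample_memory() -> bytearray:
    """Constructed 4-page buffer standing in for leftover GPU memory."""
    # Page 1: key-like material (deterministic, near-uniform bytes).
    keylike = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    # Page 2: structured text records, lower entropy than key material.
    text = (b"account=0042;balance=1337.00;" * 200)[:PAGE_SIZE]
    # Pages 0 and 3: constant fill, entropy 0.
    return bytearray(bytes(PAGE_SIZE) + keylike + text + b"\xff" * PAGE_SIZE)


if __name__ == "__main__":
    mem = build_sample_memory()
    for idx, h in rank_pages(bytes(mem)):
        print(f"page {idx}: {h:.2f} bits/byte")
    print("scrubbed pages:", scrub_top_pages(mem, budget=2))
```

With a budget of two pages, the key-like and text pages are zeroed while the constant-fill pages are left untouched, which is the cost saving the abstract contrasts with initializing every page on a context switch.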