Detecting Covert Timing Channels with Time-Deterministic Replay

This paper presents a mechanism called time-deterministic replay (TDR) that can reproduce the execution of a program, including its precise timing. Without TDR, reproducing the timing of an execution is difficult because there are many sources of timing variability - such as preemptions, hardware interrupts, cache effects, scheduling decisions, etc. TDR uses a combination of techniques to either mitigate or eliminate most of these sources of variability. Using a prototype implementation of TDR in a Java Virtual Machine, we show that it is possible to reproduce the timing to within 1.85% of the original execution, even on commodity hardware. The paper discusses several potential applications of TDR, and studies one of them in detail: the detection of a covert timing channel. Timing channels can be used to exfiltrate information from a compromised machine; they work by subtly varying the timing of the machine's outputs, and it is this variation that can be detected with TDR. Unlike prior solutions, which generally look for a specific type of timing channel, our approach can detect a wide variety of channels with high accuracy.

[1]  Peng Ning,et al.  On the secrecy of timing-based active watermarking trace-back techniques , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[2]  Sushil Jajodia,et al.  Tracking anonymous peer-to-peer VoIP calls on the internet , 2005, CCS '05.

[3]  Samuel T. King,et al.  ReVirt: enabling intrusion analysis through virtual-machine logging and replay , 2002, OPSR.

[4]  Sen Hu,et al.  Efficient system-enforced deterministic parallelism , 2010, OSDI.

[5]  C. Brodley,et al.  Network covert channels: design, analysis, detection, and elimination , 2006 .

[6]  Carla E. Brodley,et al.  IP covert timing channels: design and detection , 2004, CCS '04.

[7]  Jong-Deok Choi,et al.  Deterministic replay of Java multithreaded applications , 1998, SPDT '98.

[8]  Reinhard Wilhelm Determining Bounds on Execution Times , 2009, Embedded Systems Design and Verification.

[9]  Yuanyuan Zhou,et al.  PRES: probabilistic replay with execution sketching on multiprocessors , 2009, SOSP '09.

[10]  David Broman,et al.  A PRET microarchitecture implementation with repeatable timing and competitive performance , 2012, 2012 IEEE 30th International Conference on Computer Design (ICCD).

[11]  Gaurav Shah,et al.  Keyboards and Covert Channels , 2006, USENIX Security Symposium.

[12]  Edward A. Lee,et al.  PRET DRAM controller: Bank privatization for predictability and temporal isolation , 2011, 2011 Proceedings of the Ninth IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS).

[13]  Suguru Arimoto,et al.  An algorithm for computing the capacity of arbitrary discrete memoryless channels , 1972, IEEE Trans. Inf. Theory.

[14]  Andreas Haeberlen,et al.  Practical accountability for distributed systems , 2007 .

[15]  David A. Wood,et al.  Calvin: Deterministic or not? Free will to choose , 2011, 2011 IEEE 17th International Symposium on High Performance Computer Architecture.

[16]  Danfeng Zhang,et al.  Predictive black-box mitigation of timing channels , 2010, CCS '10.

[17]  Jochen Liedtke,et al.  OS-controlled cache predictability for real-time systems , 1997, Proceedings Third IEEE Real-Time Technology and Applications Symposium.

[18]  Peter M. Chen,et al.  Execution replay of multiprocessor virtual machines , 2008, VEE '08.

[19]  Marek Olszewski,et al.  Kendo: efficient deterministic multithreading in software , 2009, ASPLOS.

[20]  Jakob Engblom,et al.  The worst-case execution-time problem—overview of methods and survey of tools , 2008, TECS.

[21]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[22]  Emery D. Berger,et al.  Dthreads: efficient deterministic multithreading , 2011, SOSP.

[23]  Wang Yi,et al.  Building timing predictable embedded systems , 2014, ACM Trans. Embed. Comput. Syst..

[24]  Neil C. Audsley,et al.  MCGREP--A Predictable Architecture for Embedded Real-Time Systems , 2006, 2006 27th IEEE International Real-Time Systems Symposium (RTSS'06).

[25]  Vincent H. Berk,et al.  Detection of Covert Channel Encoding in Network Packet Delays , 2005 .

[26]  Steven Gianvecchio,et al.  Detecting covert timing channels: an entropy-based approach , 2007, CCS '07.

[27]  Ira S. Moskowitz,et al.  A Network Pump , 1996, IEEE Trans. Software Eng..

[28]  Martin Schoeberl,et al.  A Java processor architecture for embedded real-time systems , 2008, J. Syst. Archit..

[29]  Andreas Haeberlen,et al.  PeerReview: practical accountability for distributed systems , 2007, SOSP.

[30]  Marcel Dischinger,et al.  Characterizing residential broadband networks , 2007, IMC '07.

[31]  Dan Grossman,et al.  CoreDet: a compiler and runtime system for deterministic multithreaded execution , 2010, ASPLOS XV.

[32]  Andreas Haeberlen,et al.  Accountable Virtual Machines , 2010, OSDI.

[33]  Wei-Ming Hu,et al.  Reducing timing channels with fuzzy time , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[34]  Peng Li,et al.  Mitigating access-driven timing channels in clouds using StopWatch , 2013, 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[35]  Steven Gianvecchio,et al.  An Entropy-Based Approach to Detecting Covert Timing Channels , 2011, IEEE Transactions on Dependable and Secure Computing.

[36]  Richard E. Blahut,et al.  Computation of channel capacity and rate-distortion functions , 1972, IEEE Trans. Inf. Theory.

[37]  Rodolfo Pellizzoni,et al.  Worst Case Analysis of DRAM Latency in Multi-requestor Systems , 2013, 2013 IEEE 34th Real-Time Systems Symposium.

[38]  Jong-Deok Choi,et al.  DejaVu: deterministic Java replay debugger for Jalapeño Java virtual machine , 2000, OOPSLA '00.

[39]  Jim X. Chen,et al.  Real-Time Covert Timing Channel Detection in Networked Virtual Environments , 2013, IFIP Int. Conf. Digital Forensics.

[40]  Min Xu ReTrace : Collecting Execution Trace with Virtual Machine Deterministic Replay , 2007 .

[41]  Haibo Chen,et al.  ORDER: Object centRic DEterministic Replay for Java , 2011, USENIX Annual Technical Conference.

[42]  Stephen A. Edwards,et al.  A Processor Extension for Cycle-Accurate Real-Time Software , 2006, EUC.

[43]  Luis Ceze,et al.  Deterministic Process Groups in dOS , 2010, OSDI.

[44]  Brandon Lucia,et al.  DMP: deterministic shared memory multiprocessing , 2009, IEEE Micro.

[45]  Josep Torrellas,et al.  QuickRec: prototyping an intel architecture extension for record and replay of multithreaded programs , 2013, ISCA.

[46]  Sushil Jajodia,et al.  Model-Based Covert Timing Channels: Automated Modeling and Evasion , 2008, RAID.

[47]  Douglas S. Reeves,et al.  Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays , 2003, CCS '03.

[48]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[49]  Emery D. Berger,et al.  Grace: safe multithreaded programming for C/C++ , 2009, OOPSLA 2009.

[50]  Ion Stoica,et al.  ODR: output-deterministic replay for multicore debugging , 2009, SOSP '09.