Warding off timing attacks in Deterland

The massive parallelism and resource sharing embodying today's cloud business model not only exacerbate the security challenge of timing channels, but also undermine the viability of defenses based on resource partitioning. This paper proposes hypervisor-enforced timing mitigation to control timing channels in cloud environments. This approach closes "reference clocks" internal to the cloud by imposing a deterministic view of time on guest code, and uses timing mitigators to pace I/O and rate-limit potential information leakage to external observers. Our prototype hypervisor implementation is the first system that can mitigate timing-channel leakage across full-scale existing operating systems such as Linux and applications written in arbitrary languages. Mitigation incurs a varying performance cost, depending on workload and tunable leakage-limiting parameters, but this cost may be justified for security-critical cloud applications and data.
