Using Information Flow to Design an ISA that Controls Timing Channels

Information-flow control (IFC) enforcing languages can provide high assurance that software does not leak information or allow an attacker to influence critical systems. IFC hardware description languages have also been used to design secure circuits that eliminate timing channels. However, there remains a gap between IFC hardware and software; these two components are built independently with no abstraction for how to compose their security guarantees. This paper presents a proposal for an instruction set architecture (ISA) that can provide the appropriate abstraction for joining hardware and software IFC mechanisms. Our ISA describes a RISC-V processor that tracks information-flow labels at run time and uses these labels to eliminate or mitigate timing channels. To make the ISA more practical, it allows constrained downgrading of information; it permits trading off security for performance; and still offers control primitives such as system calls. We prove timing-sensitive noninterference modulo downgrading and nonmalleability for programs executing our ISA. This involves novel restrictions on the mutability of labels beyond previous dynamic IFC systems. Furthermore, we define specific security conditions which correct hardware can implement to provide software-level security and sketch how such hardware may be designed and verified.

[1]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[2]  Emina Torlak,et al.  Nickel: A Framework for Design and Verification of Information Flow Control Systems , 2018, OSDI.

[3]  Gilles Barthe,et al.  Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC , 2016, IACR Cryptol. ePrint Arch..

[4]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[5]  Mohamad El Hajj,et al.  Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing , 2018, IACR Cryptol. ePrint Arch..

[6]  Thomas Plos,et al.  Cache-Access Pattern Attack on Disaligned AES T-Tables , 2013, COSADE.

[7]  Andrew Ferraiuolo Security Results for SIRRTL, A Hardware Description Language for Information Flow Security , 2017 .

[8]  Gorka Irazoqui Apecechea,et al.  A Faster and More Realistic Flush+Reload Attack on AES , 2015, COSADE.

[9]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[10]  Gilles Barthe,et al.  System-level Non-interference for Constant-time Cryptography , 2014, IACR Cryptol. ePrint Arch..

[11]  Peter Schwabe,et al.  Faster and Timing-Attack Resistant AES-GCM , 2009, CHES.

[12]  Andrew C. Myers,et al.  Enforcing Robust Declassification and Qualified Robustness , 2006, J. Comput. Secur..

[13]  Jean-Pierre Seifert,et al.  Software mitigations to hedge AES against cache-based software side channel vulnerabilities , 2006, IACR Cryptol. ePrint Arch..

[14]  Andrew C. Myers,et al.  Dynamic Security Labels and Noninterference , 2004 .

[15]  Nadia Tawbi,et al.  A progress-sensitive flow-sensitive inlined information-flow control monitor (extended version) , 2017, Comput. Secur..

[16]  Diana Marculescu,et al.  Analysis of dynamic voltage/frequency scaling in chip-multiprocessors , 2007, Proceedings of the 2007 international symposium on Low power electronics and design (ISLPED '07).

[17]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[18]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[19]  Peter Marwedel,et al.  Scratchpad memory: a design alternative for cache on-chip memory in embedded systems , 2002, Proceedings of the Tenth International Symposium on Hardware/Software Codesign. CODES 2002 (IEEE Cat. No.02TH8627).

[20]  Gernot Heiser,et al.  No Security Without Time Protection: We Need a New Hardware-Software Contract , 2018, APSys.

[21]  John Wawrzynek,et al.  Chisel: Constructing hardware in a Scala embedded language , 2012, DAC Design Automation Conference 2012.

[22]  Frederic T. Chong,et al.  Caisson: a hardware description language for secure information flow , 2011, PLDI '11.

[23]  Yao Wang,et al.  A Hardware Design Language for Timing-Sensitive Information-Flow Security , 2015, ASPLOS.

[24]  Deian Stefan,et al.  On Dynamic Flow-Sensitive Floating-Label Systems , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[25]  Danfeng Zhang,et al.  Predictive black-box mitigation of timing channels , 2010, CCS '10.

[26]  Andrew Ferraiuolo,et al.  HyperFlow: A Processor Architecture for Nonmalleable, Timing-Safe Information Flow Security , 2018, CCS.

[27]  Rui Xu,et al.  Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis , 2017, ASPLOS.

[28]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[29]  Deian Stefan,et al.  CT-wasm: type-driven secure cryptography for the web ecosystem , 2018, Proc. ACM Program. Lang..

[30]  Joan Daemen,et al.  AES Proposal : Rijndael , 1998 .

[31]  Geoffrey Smith,et al.  Eliminating covert flows with minimum typings , 1997, Proceedings 10th Computer Security Foundations Workshop.

[32]  Andrew Ferraiuolo,et al.  Secure information flow verification with mutable dependent types , 2017, 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC).

[33]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[34]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[35]  Frederic T. Chong,et al.  Sapper: a language for hardware-level security policy enforcement , 2014, ASPLOS.

[36]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[37]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[38]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[39]  Margaret Martonosi,et al.  PipeCheck: Specifying and Verifying Microarchitectural Enforcement of Memory Consistency Models , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[40]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[41]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[42]  Ben Hardekopf,et al.  Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach , 2011, 2011 IEEE Symposium on Security and Privacy.

[43]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[44]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[45]  Jerome H. Saltzer,et al.  Protection and the control of information sharing in multics , 1974, CACM.

[46]  Margaret Martonosi,et al.  RTLCheck: Verifying the Memory Consistency of RTL Designs , 2017, 2017 50th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[47]  Deian Stefan,et al.  Addressing covert termination and timing channels in concurrent information flow systems , 2012, ICFP '12.

[48]  Alejandro Russo,et al.  HLIO: mixing static and dynamic typing for information-flow control in Haskell , 2015, ICFP.

[49]  Andrew Waterman,et al.  The RISC-V Instruction Set Manual. Volume 1: User-Level ISA, Version 2.0 , 2014 .

[50]  Birgit Pfitzmann,et al.  Computational probabilistic noninterference , 2004, International Journal of Information Security.

[51]  Andrew C. Myers,et al.  Nonmalleable Information Flow Control , 2017, CCS.

[52]  Gorka Irazoqui Apecechea,et al.  Wait a Minute! A fast, Cross-VM Attack on AES , 2014, RAID.