On the capacity of thermal covert channels in multicores

Modern multicore processors feature easily accessible temperature sensors that provide useful information for dynamic thermal management. These sensors were recently shown to be a potential security threat, since otherwise isolated applications can exploit them to establish a thermal covert channel and leak restricted information. Previous research showed experiments that document the feasibility of (low-rate) communication over this channel, but did not further analyze its fundamental characteristics. For this reason, the important questions of quantifying the channel capacity and achievable rates remain unanswered. To address these questions, we devise and exploit a new methodology that leverages both theoretical results from information theory and experimental data to study these thermal covert channels on modern multicores. We use spectral techniques to analyze data from two representative platforms and estimate the capacity of the channels from a source application to temperature sensors on the same or different cores. We estimate the capacity to be in the order of 300 bits per second (bps) for the same-core channel, i.e., when reading the temperature on the same core where the source application runs, and in the order of 50 bps for the 1-hop channel, i.e., when reading the temperature of the core physically next to the one where the source application runs. Moreover, we show a communication scheme that achieves rates of more than 45 bps on the same-core channel and more than 5 bps on the 1-hop channel, with less than 1% error probability. The highest rate shown in previous work was 1.33 bps on the 1-hop channel with 11% error probability.

[1]  Karthikeyan Sankaralingam,et al.  Dark Silicon and the End of Multicore Scaling , 2012, IEEE Micro.

[2]  P. P. Vaidyanathan,et al.  Signal Processing and Optimization for Transceiver Systems , 2010 .

[3]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[4]  W. Robert Daasch,et al.  A thermal-aware superscalar microprocessor , 2002, Proceedings International Symposium on Quality Electronic Design.

[5]  Adam Barth,et al.  Browser security , 2009, Commun. ACM.

[6]  Steven J. Murdoch,et al.  Hot or not: revealing hidden services by their clock skew , 2006, CCS '06.

[7]  Nael B. Abu-Ghazaleh,et al.  Covert channels through branch predictors: a feasibility study , 2015, HASP@ISCA.

[8]  Chris Heegard,et al.  Bounding the Capacity of Saturation Recording: The Lorentz Model and Applications , 1992, IEEE J. Sel. Areas Commun..

[9]  David Naccache,et al.  Temperature Attacks , 2009, IEEE Security & Privacy.

[10]  S. Russel and P. Norvig,et al.  “Artificial Intelligence – A Modern Approach”, Second Edition, Pearson Education, 2003. , 2015 .

[11]  Peter Norvig,et al.  Artificial Intelligence: A Modern Approach , 1995 .

[12]  David Naccache,et al.  Thermocommunication , 2009, IACR Cryptol. ePrint Arch..

[13]  Karthikeyan Sankaralingam,et al.  Dark silicon and the end of multicore scaling , 2011, 2011 38th Annual International Symposium on Computer Architecture (ISCA).

[14]  Carla E. Brodley,et al.  Heat stroke: power-density-based denial of service in SMT , 2005, 11th International Symposium on High-Performance Computer Architecture.

[15]  Thomas M. Cover,et al.  Elements of Information Theory (Wiley Series in Telecommunications and Signal Processing) , 2006 .

[16]  Srdjan Capkun,et al.  Thermal Covert Channels on Multi-core Platforms , 2015, USENIX Security Symposium.

[17]  P. Welch The use of fast Fourier transform for the estimation of power spectra: A method based on time averaging over short, modified periodograms , 1967 .

[18]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[19]  Zhenyu Wu,et al.  Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[20]  John G. van Bosse,et al.  Wiley Series in Telecommunications and Signal Processing , 2006 .

[21]  Alexandros G. Dimakis,et al.  Understanding contention-based channels and using them for defense , 2015, 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA).

[22]  Sebastian Zander,et al.  Capacity of Temperature-Based Covert Channels , 2011, IEEE Communications Letters.

[23]  Cyrille Artho,et al.  Memory deduplication as a threat to the guest OS , 2011, EUROSEC '11.

[24]  Thomas M. Cover,et al.  Elements of Information Theory , 2005 .

[25]  Maciej Nikodem,et al.  Temperature-based covert channel in FPGA systems , 2011, 6th International Workshop on Reconfigurable Communication-Centric Systems-on-Chip (ReCoSoC).

[26]  G. Andria,et al.  Windows and interpolation algorithms to improve electrical measurement accuracy , 1989 .

[27]  Lothar Thiele,et al.  Power agnostic technique for efficient temperature estimation of multicore embedded systems , 2012, CASES '12.

[28]  John M. Boone,et al.  INTEGRITY-ORIENTED CONTROL OBJECTIVES: PROPOSED REVISIONS TO THE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC), DoD 5200.28-STD , 1991 .

[29]  Giuseppe Di Battista,et al.  26 Computer Networks , 2004 .

[30]  Margaret Martonosi,et al.  Dynamic thermal management for high-performance microprocessors , 2001, Proceedings HPCA Seventh International Symposium on High-Performance Computer Architecture.

[31]  Michael Hutter,et al.  The Temperature Side Channel and Heating Fault Attacks , 2013, CARDIS.

[32]  Ruby B. Lee,et al.  Covert and Side Channels Due to Processor Architecture , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[33]  Yixin Diao,et al.  Feedback Control of Computing Systems , 2004 .

[34]  Matti A. Hiltunen,et al.  An exploration of L2 cache covert channels in virtualized environments , 2011, CCSW '11.

[35]  Sebastian Zander,et al.  An Improved Clock-skew Measurement Technique for Revealing Hidden Services , 2008, USENIX Security Symposium.

[36]  Mordechai Guri,et al.  BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[37]  Peter D. Welch,et al.  The Fast Fourier Transform and Its Applications , 1969 .

[38]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[39]  Aleksandra Mileva,et al.  Covert channels in TCP/IP protocol stack - extended version- , 2014, Central European Journal of Computer Science.

[40]  Kevin Skadron,et al.  Control-theoretic techniques and thermal-RC modeling for accurate and localized dynamic thermal management , 2002, Proceedings Eighth International Symposium on High Performance Computer Architecture.