Cache-Leakage Resilient OS Isolation in an Idealized Model of Virtualization

Virtualization platforms allow multiple operating systems to run on the same hardware. One of their central goals is to provide strong isolation between guest operating systems; unfortunately, they are often vulnerable to practical side-channel attacks. Cache attacks are a common class of side-channel attacks that use the cache as a side channel. We formalize an idealized model of virtualization that features the cache and the Translation Lookaside Buffer (TLB), and that provides an abstract treatment of cache-based side channels. We then use the model for reasoning about cache-based attacks and countermeasures, and for proving that isolation between guest operating systems can be enforced by flushing the cache upon context switch. In addition, we show that virtualized platforms are transparent, i.e. a guest operating system cannot distinguish whether it executes alone or together with other guest operating systems on the platform. The models and proofs have been machine-checked in the Coq proof assistant.
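The flush-on-context-switch property can be illustrated with a small executable model. The following is an added example, not the paper's Coq development: it assumes a direct-mapped cache shared by two guests with disjoint memory, and all names (`Cache`, `run`, `observer_trace`, `isolated`) and addresses are constructed for illustration.

```python
# Toy model (constructed): two guests share one direct-mapped cache.
NUM_SETS = 8

class Cache:
    def __init__(self):
        self.lines = {}  # set index -> physical address currently cached

    def access(self, addr):
        """Return True on a hit, False on a miss; a miss fills the line."""
        idx = addr % NUM_SETS
        hit = self.lines.get(idx) == addr
        self.lines[idx] = addr
        return hit

    def flush(self):
        self.lines.clear()

def run(schedule, flush_on_switch):
    """schedule: list of (guest, [addrs]) time slices.
    Returns each guest's own hit/miss trace, the only thing it can observe."""
    cache, traces, prev = Cache(), {}, None
    for guest, addrs in schedule:
        if flush_on_switch and prev is not None and guest != prev:
            cache.flush()  # the countermeasure: hypervisor flushes on switch
        traces.setdefault(guest, []).extend(cache.access(a) for a in addrs)
        prev = guest
    return traces

def observer_trace(secret, flush_on_switch):
    # Memory is already isolated: the observer owns addresses 0..7 and the
    # victim owns 0x100.., but both ranges map onto the same cache sets.
    observer_addrs = list(range(NUM_SETS))
    victim_addr = 0x100 + secret  # secret-dependent access, lands in set `secret`
    schedule = [
        ("observer", observer_addrs),
        ("victim", [victim_addr]),
        ("observer", observer_addrs),
    ]
    return run(schedule, flush_on_switch)["observer"]

def isolated(flush_on_switch):
    """Noninterference check: the observer's trace must be the same for
    every value of the victim's secret."""
    traces = {tuple(observer_trace(s, flush_on_switch)) for s in range(NUM_SETS)}
    return len(traces) == 1
```

`isolated(False)` fails because the observer's second slice misses exactly in the set the victim touched, while `isolated(True)` holds because every slice starts from an empty cache.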
