EXPLOITING PROCESSOR SIDE CHANNELS TO ENABLE CROSS VM MALICIOUS CODE EXECUTION

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems that share hardware resources will become increasingly attractive targets for malicious software authors. This thesis first classifies the possible mediums for hardware side-channel construction, then constructs potential adversarial models associated with each. Additionally, a novel side channel is described and implemented across the central processing unit using out-of-order execution. Finally, this thesis constructs seven adversarial applications, one from each adversarial model. These applications are deployed across the novel side channel to prove the existence of each exploit. We then analyze successful detection and mitigation techniques for the side-channel attacks.
