KeyDrown: Eliminating Software-Based Keystroke Timing Side-Channel Attacks

Besides cryptographic secrets, software-based side-channel attacks also leak sensitive user input. The most accurate attacks exploit cache timings or interrupt information to monitor keystroke timings and subsequently infer typed words and sentences. These attacks have also been demonstrated in JavaScript embedded in websites by a remote attacker. We extend the state-of-the-art with a new interrupt-based attack and the first Prime+ Probe attack on kernel interrupt handlers. Previously proposed countermeasures fail to prevent software-based keystroke timing attacks as they do not protect keystroke processing through the entire software stack. We close this gap with KeyDrown, a new defense mechanism against software-based keystroke timing attacks. KeyDrown injects a large number of fake keystrokes in the kernel, making the keystroke interrupt density uniform over time, i.e., independent of the real keystrokes. All keystrokes, including fake keystrokes, are carefully propagated through the shared library to make them indistinguishable by exploiting the specific properties of software-based side channels. We show that attackers cannot distinguish fake keystrokes from real keystrokes anymore and we evaluate KeyDrown on a commodity notebook as well as on Android smartphones. We show that KeyDrown eliminates any advantage an attacker can gain from using software-based side-channel attacks.

[1]  Carl Staelin,et al.  lmbench: Portable Tools for Performance Analysis , 1996, USENIX Annual Technical Conference.

[2]  Stephan Krenn,et al.  Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice , 2011, 2011 IEEE Symposium on Security and Privacy.

[3]  Ross J. Anderson,et al.  Don’t Interrupt Me While I Type: Inferring Text Entered Through Gesture Typing on Android Keyboards , 2016, Proc. Priv. Enhancing Technol..

[4]  Ninghui Li,et al.  A Study of Probabilistic Password Models , 2014, 2014 IEEE Symposium on Security and Privacy.

[5]  Angelos D. Keromytis,et al.  The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications , 2015, CCS.

[6]  Stefan Mangard,et al.  ARMageddon: Cache Attacks on Mobile Devices , 2015, USENIX Security Symposium.

[7]  Vitaly Shmatikov,et al.  Memento: Learning Secrets from Process Footprints , 2012, 2012 IEEE Symposium on Security and Privacy.

[8]  Gernot Heiser,et al.  Mapping the Intel Last-Level Cache , 2015, IACR Cryptol. ePrint Arch..

[9]  Gorka Irazoqui Apecechea,et al.  Cache Attacks Enable Bulk Key Recovery on the Cloud , 2016, CHES.

[10]  Pepe Vila,et al.  Loophole: Timing Attacks on Shared Event Loops in Chrome , 2017, USENIX Security Symposium.

[11]  Julie Thorpe,et al.  On Semantic Patterns of Passwords and their Security Impact , 2014, NDSS.

[12]  Dawn Xiaodong Song,et al.  Timing Analysis of Keystrokes and Timing Attacks on SSH , 2001, USENIX Security Symposium.

[13]  XiaoFeng Wang,et al.  Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems , 2009, USENIX Security Symposium.

[14]  Daniel Pierre Bovet,et al.  Understanding the Linux Kernel , 2000 .

[15]  Taesoo Kim,et al.  Breaking Kernel Address Space Layout Randomization with Intel TSX , 2016, CCS.

[16]  Christophe Rosenberger,et al.  Soft biometrics for keystroke dynamics: Profiling individuals while typing passwords , 2014, Comput. Secur..

[17]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[18]  Nicolas Le Scouarnec,et al.  Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters , 2015, RAID.

[19]  Xiangyu Liu,et al.  No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[20]  Daniel Gruss,et al.  Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory , 2017, USENIX Security Symposium.

[21]  Po-Ming Lee,et al.  The Influence of Emotion on Keyboard Typing: An Experimental Study Using Auditory Stimuli , 2015, PloS one.

[22]  Shumin Zhai,et al.  Smart phone use by non-mobile business users , 2011, Mobile HCI.

[23]  Hao Chen,et al.  TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion , 2011, HotSec.

[24]  Rick Wash,et al.  Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites , 2016, SOUPS.

[25]  Lujo Bauer,et al.  Encountering stronger password requirements: user attitudes and behaviors , 2010, SOUPS.

[26]  J. Ziegler,et al.  Typing is writing: Linguistic properties modulate typing execution , 2016, Psychonomic Bulletin & Review.

[27]  Stefan Mangard,et al.  DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks , 2015, USENIX Security Symposium.

[28]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[29]  Vitaly Shmatikov,et al.  Fast dictionary attacks on passwords using time-space tradeoff , 2005, CCS '05.

[30]  Stefan Mangard,et al.  Practical Keystroke Timing Attacks in Sandboxed JavaScript , 2017, ESORICS.

[31]  Klaus Wagner,et al.  Flush+Flush: A Fast and Stealthy Cache Attack , 2015, DIMVA.

[32]  Sudhir Aggarwal,et al.  Password Cracking Using Probabilistic Context-Free Grammars , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[33]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[34]  Gernot Heiser,et al.  A survey of microarchitectural timing attacks and countermeasures on contemporary hardware , 2016, Journal of Cryptographic Engineering.

[35]  Stefan Mangard,et al.  Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches , 2015, USENIX Security Symposium.

[36]  Nitesh Saxena,et al.  Slogger: Smashing Motion-based Touchstroke Logging with Transparent System Noise , 2016, WISEC.

[37]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[38]  Edward W. Felten,et al.  Password management strategies for online accounts , 2006, SOUPS '06.

[39]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[40]  Blase Ur,et al.  Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks , 2016, USENIX Annual Technical Conference.

[41]  Kai Li,et al.  The PARSEC benchmark suite: Characterization and architectural implications , 2008, 2008 International Conference on Parallel Architectures and Compilation Techniques (PACT).