Mitigating timing based information leakage in shared schedulers

In this work, we study information leakage in timing side channels that arise in the context of shared event schedulers. Consider two processes, one of them an innocuous process (referred to as Alice) and the other a malicious one (referred to as Bob), using a common scheduler to process their jobs. Based on when his jobs get processed, Bob wishes to learn about the pattern (size and timing) of jobs of Alice. Depending on the context, knowledge of this pattern could have serious implications on Alice's privacy and security. For instance, shared routers can reveal traffic patterns, shared memory access can reveal cloud usage patterns, and suchlike. We present a formal framework to study the information leakage in shared resource schedulers using the pattern estimation error as a performance metric. In this framework, a uniform upper bound is derived to benchmark different scheduling policies. The first-come-first-serve scheduling policy is analyzed, and shown to leak significant information when the scheduler is loaded heavily. To mitigate the timing information leakage, we propose an “Accumulate-and-Serve” policy which trades in privacy for a higher delay. The policy is analyzed under the proposed framework and is shown to leak minimum information to the attacker, and is shown to have comparatively lower delay than a fixed scheduler that preemptively assigns service times irrespective of traffic patterns.

[1]  Neri Merhav,et al.  Relations between entropy and error probability , 1994, IEEE Trans. Inf. Theory.

[2]  Ira S. Moskowitz,et al.  The channel capacity of a certain noisy timing channel , 1992, IEEE Trans. Inf. Theory.

[3]  XiaoFeng Wang,et al.  Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems , 2009, USENIX Security Symposium.

[4]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[5]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[6]  Charles V. Wright,et al.  Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[7]  Raphael Rom,et al.  Multiple Access Protocols: Performance and Analysis , 1990, SIGMETRICS Perform. Evaluation Rev..

[8]  Dawn Xiaodong Song,et al.  Timing Analysis of Keystrokes and Timing Attacks on SSH , 2001, USENIX Security Symposium.

[9]  John N. Tsitsiklis,et al.  Introduction to Probability , 2002 .

[10]  Xun Gong,et al.  Low-Cost Side Channel Remote Traffic Analysis Attack in Packet Networks , 2010, 2010 IEEE International Conference on Communications.

[11]  Moshe Zukerman,et al.  Internet traffic modeling and future technology implications , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[12]  J. McFadden The Entropy of a Point Process , 1965 .

[13]  Jonathan K. Millen,et al.  Covert Channel Capacity , 1987, 1987 IEEE Symposium on Security and Privacy.

[14]  John C. Wray An Analysis of Covert Timing Channels , 1992, J. Comput. Secur..

[15]  Wei-Ming Hu,et al.  Reducing timing channels with fuzzy time , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[16]  Raphael Rom,et al.  Multiple Access Protocols: Performance and Analysis , 1990, SIGMETRICS Perform. Evaluation Rev..

[17]  Brian Neil Levine,et al.  Inferring the source of encrypted HTTP connections , 2006, CCS '06.

[18]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[19]  David D. Jensen,et al.  Privacy Vulnerabilities in Encrypted HTTP Streams , 2005, Privacy Enhancing Technologies.

[20]  Dimitri P. Bertsekas,et al.  Data Networks , 1986 .

[21]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[22]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[23]  Wei-Ming Hu,et al.  Lattice scheduling and covert channels , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[24]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[25]  Bruce E. Hajek,et al.  An information-theoretic and game-theoretic study of timing channels , 2002, IEEE Trans. Inf. Theory.