A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Information-flow control IFC is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit some covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches e.g., the CPU cache, LIO is susceptible to attacks that leak information through the internal timing covert channel. We present a resumption-based approach to address such attacks. Resumptions provide fine-grained control over the interleaving of thread computations at the library level. Specifically, we remove cache-based attacks by enforcing that every thread yield after executing an "instruction," i.e., atomic action. Importantly, our library allows for porting the full LIO library--our resumption approach handles local state and exceptions, both features present in LIO. To amend for performance degradations due to the library-level thread scheduling, we provide two novel primitives. First, we supply a primitive for securely executing pure code in parallel. Second, we provide developers a primitive for controlling the granularity of "instructions"; this allows developers to adjust the frequency of context switching to suit application demands.

[1]  Alejandro Russo,et al.  Security for Multithreaded Programs Under Cooperative Scheduling , 2006, Ershov Memorial Conference.

[2]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[3]  W. Harrison,et al.  Cheap (But Functional) Threads † , 2015 .

[4]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[5]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[6]  Gilles Barthe,et al.  Cache-Leakage Resilient OS Isolation in an Idealized Model of Virtualization , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[7]  Ben Hardekopf,et al.  Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach , 2011, 2011 IEEE Symposium on Security and Privacy.

[8]  Alejandro Russo,et al.  Securing interaction between threads and the scheduler , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[9]  Geoffrey Smith,et al.  Probabilistic noninterference in a concurrent language , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[10]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[11]  Guy L. Steele,et al.  Proceedings of the 23rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages , 1996, POPL 1996.

[12]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[13]  StefanDeian,et al.  Flexible dynamic information flow control in Haskell , 2011 .

[14]  Alejandro Russo,et al.  Closing Internal Timing Channels by Transformation , 2006, ASIAN.

[15]  Wouter Swierstra,et al.  A functional specification of effects , 2009 .

[16]  François Pottier A simple view of type-secure information flow in the /spl pi/-calculus , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[17]  Alejandro Russo,et al.  Lazy Programs Leak Secrets , 2013, NordSec.

[18]  David Sands,et al.  Probabilistic noninterference for multi-threaded programs , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[19]  Koen Claessen,et al.  A poor man's concurrency monad , 1999, Journal of Functional Programming.

[20]  Deian Stefan,et al.  Addressing covert termination and timing channels in concurrent information flow systems , 2012, ICFP '12.

[21]  Peng Li,et al.  Arrows for secure information flow , 2010, Theor. Comput. Sci..

[22]  Simon L. Peyton Jones,et al.  Concurrent Haskell , 1996, POPL '96.

[23]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[24]  Deian Stefan,et al.  Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling , 2013, ESORICS.

[25]  Michael Walfish,et al.  World Wide Web Without Walls , 2007, HotNets.

[26]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012 .

[27]  William L. Harrison,et al.  Achieving information flow security through precise control of effects , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[28]  Ilaria Castellani,et al.  Noninterference for concurrent programs and thread systems , 2002, Theor. Comput. Sci..

[29]  Onur Aciiçmez,et al.  Yet another MicroArchitectural Attack:: exploiting I-Cache , 2007, CSAW '07.

[30]  M. F.,et al.  Bibliography , 1985, Experimental Gerontology.

[31]  David Sands,et al.  Timing Aware Information Flow Security for a JavaCard-like Bytecode , 2005, Electron. Notes Theor. Comput. Sci..

[32]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[33]  Ilaria Castellani,et al.  Noninterference for Concurrent Programs , 2001, ICALP.

[34]  Taesoo Kim,et al.  STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[35]  Eugenio Moggi,et al.  Notions of Computation and Monads , 1991, Inf. Comput..

[36]  Wing H. Wong,et al.  Timing attacks on RSA: revealing your secrets through the fourth dimension , 2005, CROS.

[37]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[38]  Dan Page,et al.  Partitioned Cache Architecture as a Side-Channel Defence Mechanism , 2005, IACR Cryptology ePrint Archive.

[39]  Laurent Mauborgne,et al.  Automatic Quantification of Cache Side-Channels , 2012, CAV.

[40]  Simon Peyton Jones,et al.  A monad for deterministic parallelism , 2012 .

[41]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[42]  Koen Claessen,et al.  A library for light-weight information-flow security in haskell , 2008, Haskell '08.