
A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Conference paper. Trustworthy Global Computing (TGC 2013).

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 8358)

Abstract

Information-flow control (IFC) is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches (e.g., the CPU cache), LIO is susceptible to attacks that leak information through the internal timing covert channel. We present a resumption-based approach to address such attacks. Resumptions provide fine-grained control over the interleaving of thread computations at the library level. Specifically, we remove cache-based attacks by enforcing that every thread yield after executing an “instruction,” i.e., an atomic action. Importantly, our library allows for porting the full LIO library—our resumption approach handles local state and exceptions, both features present in LIO. To compensate for the performance degradation caused by library-level thread scheduling, we provide two novel primitives. First, we supply a primitive for securely executing pure code in parallel. Second, we provide developers with a primitive for controlling the granularity of “instructions”; this allows developers to adjust the frequency of context switching to suit application demands.


Notes

  1. In our implementation, atomic actions \(\alpha \) (as referred to in \(\alpha \triangleright res\)) are actions described by the monad \( m \).

  2. Spawning threads could also be represented by an equivalent constructor \( Fork' \mathbin {::}Thread\; m \;()\rightarrow Thread\; m \; a \); we choose \( Fork \) for pedagogical reasons.

  3. For simplicity of exposition, we use \( get \) and \( set \). However, LIO only provides such functions to trusted code. In fact, the monad \( LIO \) is not an instance of \( MonadState \), since this would allow untrusted code to arbitrarily modify the current label—a clear security violation.

  4. In the case of Haskell, lazy evaluation may pose a challenge, since whether or not a thunk has been evaluated is indeed an effect on the cache [24]. Though our resumption-based approach handles this for the single-core case, handling it in general is part of our ongoing work.

  5. As in [35], we consider a version of \(\longrightarrow \) which does not include the operation \( toLabeled \), since it is susceptible to internal timing attacks.
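As an added illustration, not the paper's resLIO code: a minimal resumption monad in the style of Claessen's concurrency monad [7], with the atomic-action constructor \(\alpha \triangleright res\) (here `Atom`) and `Fork` from notes 1 and 2, a round-robin scheduler that makes every thread yield after one instruction as the abstract describes, and an `instruction` primitive for coarsening the granularity. All names (`Thread`, `atom`, `fork`, `instruction`, `schedule`) are assumptions, and the trace-recording workers are constructed sample input.

```haskell
module Main where
import Data.IORef

-- A thread is finished, an atomic action returning its continuation (the
-- paper's α ▷ res), or a fork of a new thread beside the current one.
data Thread m a = Done a | Atom (m (Thread m a)) | Fork (Thread m ()) (Thread m a)

instance Monad m => Functor (Thread m) where
  fmap f t = t >>= (return . f)
instance Monad m => Applicative (Thread m) where
  pure = Done
  tf <*> tx = tf >>= \f -> fmap f tx
instance Monad m => Monad (Thread m) where
  Done a     >>= k = k a
  Atom m     >>= k = Atom (fmap (>>= k) m)
  Fork t1 t2 >>= k = Fork t1 (t2 >>= k)

-- One action of the underlying monad becomes one "instruction".
atom :: Monad m => m a -> Thread m a
atom m = Atom (fmap Done m)
fork :: Thread m () -> Thread m ()
fork t = Fork t (Done ())

-- Run a sub-thread without yielding (inner forks run sequentially);
-- wrapped in `atom` it becomes one coarse instruction (assumed name).
runUninterrupted :: Monad m => Thread m a -> m a
runUninterrupted (Done a)     = return a
runUninterrupted (Atom m)     = m >>= runUninterrupted
runUninterrupted (Fork t1 t2) = runUninterrupted t1 >> runUninterrupted t2
instruction :: Monad m => Thread m a -> Thread m a
instruction = atom . runUninterrupted

-- Round-robin scheduler: each thread runs exactly one instruction, then
-- yields, so the interleaving is fixed by the library rather than by the
-- runtime scheduler or by how long an action takes (e.g. on a cache miss).
schedule :: Monad m => [Thread m ()] -> m ()
schedule []                = return ()
schedule (Done () : ts)    = schedule ts
schedule (Atom m : ts)     = m >>= \t' -> schedule (ts ++ [t'])
schedule (Fork t1 t2 : ts) = schedule (ts ++ [t1, t2])

main :: IO ()
main = do
  trace <- newIORef []
  let step name i = atom (modifyIORef trace ((name ++ show i) :))
      worker name n = mapM_ (step name) [1 .. n :: Int]
  schedule [fork (worker "B" 3) >> worker "A" 3]               -- B and A alternate
  readIORef trace >>= print . reverse
  writeIORef trace []
  schedule [fork (instruction (worker "B" 3)) >> worker "A" 3] -- all of B first
  readIORef trace >>= print . reverse
```

The first run records B and A alternating one action at a time; the second records all three B steps before any A step, because `instruction` folds the whole of B into a single yield point.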

References

  1. Aciiçmez, O.: Yet another microarchitectural attack: exploiting I-cache. In: Proceedings of the 2007 ACM Workshop on Computer Security Architecture, CSAW ’07. ACM (2007)
  2. Agat, J.: Transforming out timing leaks. In: Proceedings of the ACM Symposium on Principles of Programming Languages, pp. 40–53, January 2000
  3. Barthe, G., Betarte, G., Campo, J., Luna, C.: Cache-leakage resilient OS isolation in an idealized model of virtualization. In: Proceedings of the IEEE Computer Security Foundations Symposium. IEEE Computer Society, June 2012
  4. Boudol, G., Castellani, I.: Noninterference for concurrent programs. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 382–395. Springer, Heidelberg (2001)
  5. Boudol, G., Castellani, I.: Non-interference for concurrent programs and thread systems. Theor. Comput. Sci. 281(1), 109–130 (2002)
  6. Buiras, P., Levy, A., Stefan, D., Russo, A., Mazières, D.: A library for removing cache-based attacks in concurrent information flow systems: extended version. http://www.cse.chalmers.se/~buiras/resLIO.html (2013)
  7. Claessen, K.: A poor man’s concurrency monad. J. Funct. Program. 9(3), 313–323 (1999)
  8. Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP ’10. IEEE Computer Society (2010)
  9. Giffin, D.B., Levy, A., Stefan, D., Terei, D., Mazières, D., Mitchell, J., Russo, A.: Hails: protecting data privacy in untrusted web applications. In: Proceedings of the 10th Symposium on Operating Systems Design and Implementation, October 2012
  10. Harrison, B.: Cheap (but functional) threads. J. Funct. Program. http://people.cs.missouri.edu/~harrisonwl/drafts/CheapThreads.pdf (2004)
  11. Harrison, W.L., Hook, J.: Achieving information flow security through precise control of effects. In: Proceedings of the IEEE Computer Security Foundations Workshop. IEEE Computer Society (2005)
  12. Hedin, D., Sands, D.: Timing aware information flow security for a JavaCard-like bytecode. Electron. Notes Theor. Comput. Sci. 141(1), 163–182 (2005)
  13. Jones, S.P., Gordon, A., Finne, S.: Concurrent Haskell. In: Proceedings of the 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM (1996)
  14. Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure information flow: exploring a new approach. In: Proceedings of the IEEE Symposium on Security and Privacy. IEEE (2011)
  15. Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: Proceedings of the USENIX Conference on Security Symposium, Security’12. USENIX Association (2012)
  16. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
  17. Köpf, B., Mauborgne, L., Ochoa, M.: Automatic quantification of cache side-channels. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 564–580. Springer, Heidelberg (2012)
  18. Krohn, M., Yip, A., Brodsky, M., Morris, R., Walfish, M.: A world wide web without walls. In: 6th ACM Workshop on Hot Topics in Networking (Hotnets), Atlanta, November 2007
  19. Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973)
  20. Li, P., Zdancewic, S.: Arrows for secure information flow. Theor. Comput. Sci. 411(19), 1974–1994 (2010)
  21. Marlow, S., Newton, R., Jones, S.L.P.: A monad for deterministic parallelism. In: Proceedings of the ACM SIGPLAN Symposium on Haskell (2011)
  22. Moggi, E.: Notions of computation and monads. Inf. Comput. 93(1), 55–92 (1991)
  23. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)
  24. Pablo, B., Russo, A.: Lazy programs leak secrets. In: The Pre-proceedings of the 18th Nordic Conference on Secure IT Systems (NordSec), October 2013
  25. Page, D.: Partitioned cache architecture as a side-channel defence mechanism. IACR Cryptology ePrint Archive 2005 (2005)
  26. Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan 2005 (2005)
  27. Pottier, F.: A simple view of type-secure information flow in the \(\pi \)-calculus. In: Proceedings of the 15th IEEE Computer Security Foundations Workshop (2002)
  28. Russo, A., Sabelfeld, A.: Securing interaction between threads and the scheduler. In: Proceedings of the IEEE Computer Security Foundations Workshop, July 2006
  29. Russo, A., Sabelfeld, A.: Security for multithreaded programs under cooperative scheduling. In: Virbitskaite, I., Voronkov, A. (eds.) PSI 2006. LNCS, vol. 4378, pp. 474–480. Springer, Heidelberg (2007)
  30. Russo, A., Hughes, J., Naumann, D.A., Sabelfeld, A.: Closing internal timing channels by transformation. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 120–135. Springer, Heidelberg (2007)
  31. Russo, A., Claessen, K., Hughes, J.: A library for light-weight information-flow security in Haskell. In: Proceedings of the ACM SIGPLAN Symposium on Haskell, pp. 13–24. ACM Press, September 2008
  32. Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: Proceedings of the IEEE Computer Security Foundations Workshop, July 2000
  33. Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: Proceedings of the ACM Symposium on Principles of Programming Languages, January 1998
  34. Stefan, D., Russo, A., Mitchell, J.C., Mazières, D.: Flexible dynamic information flow control in Haskell. In: Haskell Symposium. ACM SIGPLAN, September 2011
  35. Stefan, D., Russo, A., Buiras, P., Levy, A., Mitchell, J.C., Mazières, D.: Addressing covert termination and timing channels in concurrent information flow systems. In: The 17th ACM SIGPLAN International Conference on Functional Programming (ICFP), pp. 201–213. ACM, September 2012
  36. Stefan, D., Russo, A., Mitchell, J.C., Mazières, D.: Flexible dynamic information flow control in the presence of exceptions. Arxiv preprint arXiv:1207.1457 (2012)
  37. Stefan, D., Buiras, P., Yang, E.Z., Levy, A., Terei, D., Russo, A., Mazières, D.: Eliminating cache-based timing attacks with instruction-based scheduling. In: Proceedings of the European Symposium on Research in Computer Security, pp. 718–735 (2013)
  38. Swierstra, W.: A functional specification of effects. Ph.D. thesis, University of Nottingham, November 2008
  39. Volpano, D., Smith, G.: Probabilistic noninterference in a concurrent language. J. Comput. Secur. 7(2–3), 231–253 (1999)
  40. Wong, W.H.: Timing attacks on RSA: revealing your secrets through the fourth dimension. Crossroads 11(3), p. 5 (2005)
  41. Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings of the IEEE Computer Security Foundations Workshop, June 2003
  42. Zhang, D., Askarov, A., Myers, A.C.: Language-based control and mitigation of timing channels. In: Proceedings of PLDI. ACM (2012)


Acknowledgments

We would like to thank Josef Svenningsson and our colleagues in the ProSec and Functional Programming group at Chalmers for useful comments. This work was supported by the Swedish research agency VR, STINT, the Barbro Osher foundation, DARPA CRASH under contract #N66001-10-2-4088, and multiple gifts from Google. Deian Stefan is supported by the DoD through the NDSEG Fellowship Program.

Author information

Corresponding author: Pablo Buiras


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Buiras, P., Levy, A., Stefan, D., Russo, A., Mazières, D. (2014). A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems. In: Abadi, M., Lluch Lafuente, A. (eds) Trustworthy Global Computing. TGC 2013. Lecture Notes in Computer Science, vol 8358. Springer, Cham. https://doi.org/10.1007/978-3-319-05119-2_12

  • DOI: https://doi.org/10.1007/978-3-319-05119-2_12
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-05118-5
  • Online ISBN: 978-3-319-05119-2
