skip to main content
10.1145/3265723.3265724acmconferencesArticle/Chapter ViewAbstractPublication PagesapsysConference Proceedingsconference-collections
research-article

No Security Without Time Protection: We Need a New Hardware-Software Contract

Published: 27 August 2018 Publication History

Abstract

The recent Spectre exploits demonstrated that covert timing channels are a mainstream security threat. Their prevention requires that operating systems provide time protection, in addition to the established memory protection. We propose OS mechanisms and designs which provide time protection, and define requirements on the hardware to enable them. We demonstrate that present mainstream processors do not meet these requirements, making them inherently insecure. We argue the need for a new security-oriented hardware-software contract, which we call the aISA as it augments the ISA, in order to enable time protection.

References

[1]
Onur Acıiçmez. 2007. Yet another microarchitectural attack: exploiting I-cache. In ACM Computer Security Architecture Workshop (CSAW). Fairfax, VA, US.
[2]
Onur Acıiçmez, Billy Bob Brumley, and Philipp Grabher. 2010. New Results on Instruction Cache Attacks. In Workshop on Cryptographic Hardware and Embedded Systems. Santa Barbara, CA, US.
[3]
Amittai Aviram, Sen Hu, Bryan Ford, and Ramakrishna Gummadi. 2010a. Determinating timing channels in compute clouds. In ACM Workshop on Cloud Computing Security. Chicago, IL, US, 103--108.
[4]
Amittai Aviram, Shu-Chun Weng, Sen Hu, and Bryan Ford. 2010b. Efficient system-enforced deterministic parallelism. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation. Vancouver, BC, 1--16.
[5]
Ernie Brickell, Gary Graunke, Michael Neve, and Jean-Pierre Seifert. 2006. Software mitigations to hedge AES against cache-based software side channel vulnerabilities. IACR Cryptology ePrint Archive 2006 (2006), 52.
[6]
David Cock, Qian Ge, Toby Murray, and Gernot Heiser. 2014. The Last Mile: An Empirical Study of Some Timing Channels on seL4. In ACM Conference on Computer and Communications Security. Scottsdale, AZ, USA, 570--581.
[7]
Patrick J. Colp, Jiawen Zhang, James Gleeson, Sahil Suneja, Eyal de Lara, Himanshu Raj, Stefan Saroiu, and Alec Wolman. 2015. Protecting Data on Smartphones and Tablets from Memory Attacks. In International Conference on Architectural Support for Programming Languages and Operating Systems. Istambul, TK.
[8]
Data61, CSIRO. 2018. Timing Channel Mitigations. https://ts.data61.csiro.au/projects/TS/timingchannels/arch-mitigation.pml.
[9]
Leonid Domnister, Aamer Jaleel, Jason Loew, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Non-Monopolizable Caches: Low-Complexity Mitigation of Cache Side Channel Attacks. ACM Transactions on Architecture and Code Optimization 8, 4 (Jan. 2012).
[10]
Stephen A. Edwards and Edward A. Lee. 2007. The Case for the Precision Timed (PRET) Machine. In Design Automation Conference (DAC).
[11]
Dmitry Evtyushkin and Dmitry Ponomarev. 2016. Covert Channels through Random Number Generator: Mechanisms, Capacity Estimation and Mitigations. In Proceedings of the 23rd ACM Conference on Computer and Communications Security. Vienna, AT, 843--857.
[12]
Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh. 2016. Understanding and Mitigating Covert Channels Through Branch Predictors. ACM Transactions on Architecture and Code Optimization 13, 1 (April 2016), 10.
[13]
Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. 2018. A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware. Journal of Cryptographic Engineering 8 (April 2018), 1--27.
[14]
Matt Godbolt. 2016. The BTB in contemporary Intel chips. http://xania.org/201602/bpu-part-three
[15]
Michael Godfrey and Mohammad Zulkernine. 2013. A Server-Side Solution to Cache-Based Side-Channel Attacks in the Cloud. In Proceedings of the 6th IEEEInternational Conference on Cloud Computing. Santa Clara, CA, US.
[16]
Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. 2016. Flush+Flush: A Fast and Stealthy Cache Attack. In Proceedings of the 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment. San Sebastián, Spain.
[17]
Roberto Guanciale, Hamed Nemati, Christoph Baumann, and Mads Dam. 2016. Cache Storage Channels: Alias-Driven Attacks and Verified Countermeasures. San Jose, CA, US, 38--55.
[18]
Gernot Heiser. 2018. For Safety's Sake: We Need a New Hardware-Software Contract! IEEE Design and Test 35 (March 2018), 27--30.
[19]
Wei-Ming Hu. 1991. Reducing timing channels with fuzzy time. In Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society, Oakland, CA, US, 8--20.
[20]
Intel. 2018a. Intel Responds to Security Research Findings. https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
[21]
Intel. 2018b. Microcode Revision Guidance. https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf
[22]
Intel. 2018c. Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners. https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
[23]
Intel. 2018d. Speculative Execution Side Channel Mitigations. https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
[24]
Intel Corporation 2016. Intel 64 and IA-32 Architecture Software Developer's Manual Volume 2: Instruction Set Reference, AZ. Intel Corporation. http://www.intel.com.au/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf.
[25]
R. E. Kessler and Mark D. Hill. 1992. Page placement algorithms for large real-indexed caches. ACM Transactions on Computer Systems 10 (1992), 338--359.
[26]
Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Haburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwartz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In IEEE Symposium on Security and Privacy. IEEE, San Francisco, 19--37.
[27]
Butler W. Lampson. 1973. A Note on the Confinement Problem. Commun. ACM 16 (1973), 613--615.
[28]
Peng Li, Debin Gao, and Michael K Reiter. 2013. Mitigating access-driven timing channels in clouds using StopWatch. In Proceedings of the 43rd International Conference on Dependable Systems and Networks (DSN). Budapest, HU, 1--12.
[29]
Jochen Liedtke, Hermann Härtig, and Michael Hohmuth. 1997. OS-controlled cache predictability for real-time systems. In IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). IEEE, Montreal, CA, 213--223.
[30]
Moritz Lipp, Michael Schwartz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In USENIX Security Symposium. USENIX, Baltimore, MD, USA, --.
[31]
Fangfei Liu, Qian Ge, Yuval Yarom, Frank Mckeen, Carlos Rozas, Gernot Heiser, and Ruby B Lee. 2016. CATalyst: Defeating Last-Level Cache Side Channel Attacks in Cloud Computing. In IEEE Symposium on High-Performance Computer Architecture. Barcelona, Spain, 406--418.
[32]
Fangfei Liu and Ruby B Lee. 2014. Random fill cache architecture. In Proceedings of the 47th ACM/IEE International Symposium on Microarchitecture. Cambridge, UK.
[33]
Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee. 2015. Last-Level Cache Side-Channel Attacks are Practical. In IEEE Symposium on Security and Privacy. San Jose, CA, US, 605--622.
[34]
William L. Lynch, Brian K. Bray, and M. J. Flynn. 1992. The effect of page allocation on caches. In ACM/IEE International Symposium on Microarchitecture. 222--225.
[35]
Clémentine Maurice, Manuel Weber, Michael Schwartz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Kay Römer, and Stefan Mangard. 2017. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. In Network and Distributed System Security Symposium (NDSS). San Diego, CA, US.
[36]
Milena Milenkovic, Aleksandar Milenkovic, and Jeffrey Kulick. 2004. Microbenchmarks for Determining Branch Predictor Organization. Software: Practice and Experience 34, 5 (April 2004), 465--487.
[37]
Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache Attacks and Countermeasures: The Case of AES. In Proceedings of the 2006 Crytographers' track at the RSA Conference on Topics in Cryptology.
[38]
Rodolfo Pellizzoni, Emiliano Betti, Stanley Bak, Gang Yao, John Criswell, Marco Caccamo, and Russell Kegley. 2011. A Predictble Execution Model for COTS-based Embedded Systems. In IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). 269--279.
[39]
Colin Percival. 2005. Cache Missing for Fun and Profit. In BSDCon 2005. Ottawa, CA.
[40]
Daniel Sanchez and Christos Kozyrakis. 2011. Vantage: Scalable and Efficient Fine-Grain Cache Partitioning. In International Symposium on Computer Architecture. 57--68.
[41]
Jicheng Shi, Xiang Song, Haibo Chen, and Binyu Zang. 2011. Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring. In International Conference on Dependable Systems and Networks Workshops (DSN-W). HK, 194--199.
[42]
Mohit Tiwari, Xun Li, Hassan M. G. Wassel, Frederic T. Chong, and Timothy Sherwood. 2009. Execution Leases: A Hardware-supported Mechanism for Enforcing Strong Non-interference. In Proceedings of the 42nd ACM/IEE International Symposium on Microarchitecture. New York, NY, US.
[43]
Mohit Tiwari, Jason K Oberg, Xun Li, Jonathan Valamehr, Timothy Levin, Ben Hardekopf, Ryan Kastner, Frederic T Chong, and Timothy Sherwood. 2011. Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security. In Proceedings of the 38th International Symposium on Computer Architecture. San Jose, CA, US.
[44]
Vish Viswanathan. 2014. Disclosure of H/W Prefetcher Control on some Intel Processors. https://software.intel.com/en-us/articles/disclosure-of-hw-prefetcher-control-on-some-intel-processors
[45]
Zhenghong Wang and Ruby B. Lee. 2007. New Cache Designs for Thwarting Software Cache-based Side Channel Attacks. In Proceedings of the 34th International Symposium on Computer Architecture. San Diego, CA, US.
[46]
Yuval Yarom. 2016. Mastik: A Micro-Architectural Side-Channel Toolkit. http://cs.adelaide.edu.au/~yval/Mastik/Mastik.pdf
[47]
Yuval Yarom, Qian Ge, Fangfei Liu, Ruby B. Lee, and Gernot Heiser. 2015. Mapping the Intel Last-Level Cache. http://eprint.iacr.org/.
[48]
Danfeng Zhang, Aslan Askarov, and Andrew C. Myers. 2012. Language-based control and mitigation of timing channels. In Proceedings of the 2012 ACM SIGPLAN Conference on Programming Language Design and Implementation. Beijing, CN, 99--110.
[49]
Yinqian Zhang and Michael K. Reiter. 2013. Düppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud. In Proceedings of the 20th ACM Conference on Computer and Communications Security. Berlin, DE, 827--838.

Cited By

View all
  • (2024)A Survey of of Side-Channel Attacks and Mitigation for Processor InterconnectsApplied Sciences10.3390/app1415669914:15(6699)Online publication date: 31-Jul-2024
  • (2024)Formal Hardware/Software Models for Cache Locking Enabling Fast and Secure CodeComputer Security – ESORICS 202410.1007/978-3-031-70896-1_8(153-173)Online publication date: 6-Sep-2024
  • (2023)Secure Instruction and Data-Level Information Flow Tracking Model for RISC-VCryptography10.3390/cryptography70400587:4(58)Online publication date: 16-Nov-2023
  • Show More Cited By
  1. No Security Without Time Protection: We Need a New Hardware-Software Contract

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    APSys '18: Proceedings of the 9th Asia-Pacific Workshop on Systems
    August 2018
    150 pages
    ISBN:9781450360067
    DOI:10.1145/3265723
    © 2018 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 27 August 2018

    Permissions

    Request permissions for this article.

    Check for updates

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    APSys '18
    Sponsor:
    APSys '18: 9th Asia-Pacific Workshop on Systems
    August 27 - 28, 2018
    Jeju Island, Republic of Korea

    Acceptance Rates

    APSys '18 Paper Acceptance Rate 18 of 48 submissions, 38%;
    Overall Acceptance Rate 169 of 430 submissions, 39%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)15
    • Downloads (Last 6 weeks)1
    Reflects downloads up to 20 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)A Survey of of Side-Channel Attacks and Mitigation for Processor InterconnectsApplied Sciences10.3390/app1415669914:15(6699)Online publication date: 31-Jul-2024
    • (2024)Formal Hardware/Software Models for Cache Locking Enabling Fast and Secure CodeComputer Security – ESORICS 202410.1007/978-3-031-70896-1_8(153-173)Online publication date: 6-Sep-2024
    • (2023)Secure Instruction and Data-Level Information Flow Tracking Model for RISC-VCryptography10.3390/cryptography70400587:4(58)Online publication date: 16-Nov-2023
    • (2023)Formalizing, Verifying and Applying ISA Security Guarantees as Universal ContractsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616602(2083-2097)Online publication date: 15-Nov-2023
    • (2023)Systematic Prevention of On-Core Timing Channels by Full Temporal PartitioningIEEE Transactions on Computers10.1109/TC.2022.321263672:5(1420-1430)Online publication date: 1-May-2023
    • (2023)Formalising the Prevention of Microarchitectural Timing Channels by Operating SystemsFormal Methods10.1007/978-3-031-27481-7_8(103-121)Online publication date: 3-Mar-2023
    • (2022)Under the Dome: Preventing Hardware Timing Information LeakageSmart Card Research and Advanced Applications10.1007/978-3-030-97348-3_13(233-253)Online publication date: 9-Mar-2022
    • (2021)Microarchitectural Timing Channels and their Prevention on an Open-Source 64-bit RISC-V Core2021 Design, Automation & Test in Europe Conference & Exhibition (DATE)10.23919/DATE51398.2021.9474214(627-632)Online publication date: 1-Feb-2021
    • (2021)Hardware Secure Execution and Simulation Model Correlation using IFT on RISC-VProceedings of the 2021 Great Lakes Symposium on VLSI10.1145/3453688.3461517(409-414)Online publication date: 22-Jun-2021
    • (2021)Hardware-Software Contracts for Secure Speculation2021 IEEE Symposium on Security and Privacy (SP)10.1109/SP40001.2021.00036(1868-1883)Online publication date: May-2021
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media