research-article

Towards Provable Timing-Channel Prevention

Authors:
Gernot Heiser

UNSW Sydney, Sydney, Australia

UNSW Sydney, Sydney, Australia
View Profile

,
Toby Murray

University of Melbourne, Melbourne, Australia

University of Melbourne, Melbourne, Australia
View Profile

,
Gerwin Klein

UNSW Sydney, Sydney, Australia

UNSW Sydney, Sydney, Australia
View Profile

Authors Info & Claims

ACM SIGOPS Operating Systems Review Volume 54 Issue 1July 2020pp 1–7https://doi.org/10.1145/3421473.3421475

Published:31 August 2020Publication History

ACM SIGOPS Operating Systems Review

Abstract

We describe our ongoing research that aims to eliminate microarchitectural timing channels through time protection, which eliminates the root cause of these channels, competition for capacity-limited hardware resources. A proof-ofconcept implementation of time protection demonstrated the approach can be effective a nd l ow o verhead, b ut also that present hardware fails to support the approach in some aspects and that we need an improved hardXare-software contract to achieve real security. We have demonstrated that these mechanisms are not hard to provide, and are working on their inclusion in the RISC-V ISA. Assuming compliant hardware, we outline how we think we can then formally prove that timing channels are eliminated.

References

ARINC 2012. Avionics Application Software Standard Interface. ARINC. ARINC Standard 653.Google Scholar
Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Alastair Reid, Kathryn E. Gray, Robert M. Norton, Prashanth Mundkur, Mark Wassell, Jon French, Christopher Pulte, Shaked Flur, Ian Stark, Neel Krishnaswami, and Peter Sewell. 2019. ISA semantics for ARMv8-a, RISC-V, and CHERI-MIPS. Proc. ACM Program. Lang. 3, ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (2019), 71:1--71:31. Google ScholarDigital Library
Leonid Domnister, Aamer Jaleel, Jason Loew, Nael Abu-Ghazaleh, and Dmitry Ponomarev. 2012. Non-Monopolizable Caches: Low-Complexity Mitigation of Cache Side Channel Attacks. ACM Transactions on Architecture and Code Optimization 8, 4 (Jan. 2012). Google ScholarDigital Library
Anthony Fox and Magnus Myreen. 2010. A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture. In Proceedings of the 1st International Conference on Interactive Theorem Proving (Lecture Notes in Computer Science), Matt Kaufmann and Lawrence C. Paulson (Eds.), Vol. 6172. Springer, Edinburgh, UK, 243--258. Google ScholarDigital Library
Qian Ge, Yuval Yarom, Tom Chothia, and Gernot Heiser. 2019. Time Protection: the Missing OS Abstraction. In EuroSys Conference. ACM, Dresden, Germany, 17. https://ts.data61.csiro.au/publications/csiro_full_text//Ge_ YCH_19.pdf Google ScholarDigital Library
Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. 2018b. A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware. Journal of Cryptographic Engineering 8 (April 2018), 1--27. https://ts.data61.csiro.au/publications/csiro_full_text//Ge_YCH_18.pdfGoogle ScholarCross Ref
Qian Ge, Yuval Yarom, and Gernot Heiser. 2018a. No Security Without Time Protection: We Need a New Hardware-Software Contract. In Asia- Pacific Workshop on Systems (APSys). ACM SIGOPS, Korea, 9. https: //ts.data61.csiro.au/publications/csiro_full_text//Ge_YH_18.pdf Google ScholarDigital Library
Michael Godfrey and Mohammad Zulkernine. 2013. A Server-Side Solution to Cache-Based Side-Channel Attacks in the Cloud. In Proceedings of the 6th IEEEInternational Conference on Cloud Computing. Santa Clara, CA, US. Google ScholarDigital Library
Roberto Guanciale, Hamed Nemati, Christoph Baumann, and Mads Dam. 2016. Cache Storage Channels: Alias-Driven Attacks and Verified Countermeasures. San Jose, CA, US, 38--55.Google Scholar
Gernot Heiser, Gerwin Klein, and Toby Murray. 2019. Can We Prove Time Protection?. In Workshop on Hot Topics in Operating Systems (HotOS). ACM, Bertinoro, Italy, 23--29. https://ts.data61.csiro.au/publications/ csiro_full_text//Heiser_KM_19.pdf Google ScholarDigital Library
Intel. 2018a. Deep Dive: Intel Analysis of L1 Terminal Fault. https://software.intel.com/security-software-guidance/insights/deepdive- intel-analysis-l1-terminal-faultGoogle Scholar
Intel. 2018b. Speculative Execution Side Channel Mitigations. https://software.intel.com/sites/default/files/managed/c5/63/336996- Speculative-Execution-Side-Channel-Mitigations.pdfGoogle Scholar
Intel Corporation 2016. Intel 64 and IA-32 Architecture Software Developer's Manual Volume 2: Instruction Set Reference, A-Z. Intel Corporation. http://www.intel.com.au/content/dam/www/public/us/en/documents/ manuals/64-ia-32-architectures-software-developer-instruction-setreference- manual-325383.pdf.Google Scholar
R. E. Kessler and Mark D. Hill. 1992. Page placement algorithms for large real-indexed caches. ACM Transactions on Computer Systems 10 (1992), 338--359. Google ScholarDigital Library
Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. 2009. seL4: Formal Verification of an OS Kernel. In ACM Symposium on Operating Systems Principles. ACM, Big Sky, MT, USA, 207--220. https://ts.data61.csiro.au/publications/nicta_full_text/1852.pdf Google ScholarDigital Library
Gerwin Klein, Toby Murray, Peter Gammie, Thomas Sewell, and Simon Winwood. 2011. Provable Security: How feasible is it?. In Workshop on Hot Topics in Operating Systems (HotOS). USENIX, Napa, USA, 5. https://ts.data61.csiro.au/publications/nicta_full_text/4631.pdf Google ScholarDigital Library
Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss,Werner Haas, Mike Haburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwartz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In IEEE Symposium on Security and Privacy. IEEE, San Francisco, 19--37. https://ts.data61.csiro.au/publications/csiro_full_ text//Kocher_HFGGHHLMPSY_19.pdfGoogle Scholar
Butler W. Lampson. 1973. A Note on the Confinement Problem. Commun. ACM 16 (1973), 613--615. Google ScholarDigital Library
Jochen Liedtke, Hermann Härtig, and Michael Hohmuth. 1997. OScontrolled cache predictability for real-time systems. In IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). IEEE, Montreal, CA, 213--223. Google ScholarDigital Library
Fangfei Liu, Qian Ge, Yuval Yarom, Frank Mckeen, Carlos Rozas, Gernot Heiser, and Ruby B Lee. 2016. CATalyst: Defeating Last-Level Cache Side Channel Attacks in Cloud Computing. In IEEE Symposium on High- Performance Computer Architecture. IEEE, Barcelona, Spain, 406--418. https://ts.data61.csiro.au/publications/nicta_full_text/8984.pdfGoogle Scholar
William L. Lynch, Brian K. Bray, and M. J. Flynn. 1992. The effect of page allocation on caches. In ACM/IEE International Symposium on Microarchitecture. IEEE, Portland, OR, US, 222--225. Google ScholarDigital Library
Anna Lyons, Kent McLeod, Hesham Almatary, and Gernot Heiser. 2018. Scheduling-Context Capabilities: A Principled, Light-Weight OS Mechanism for Managing Time. In EuroSys Conference. ACM, Porto, Portugal, 14. https://ts.data61.csiro.au/publications/csiro_full_text//Lyons_MAH_ 18.pdf Google ScholarDigital Library
Toby Murray, Daniel Matichuk, Matthew Brassil, Peter Gammie, Timothy Bourke, Sean Seefried, Corey Lewis, Xin Gao, and Gerwin Klein. 2013. seL4: from General Purpose to a Proof of Information Flow Enforcement. In IEEE Symposium on Security and Privacy. IEEE, San Francisco, CA, 415--429. https://ts.data61.csiro.au/publications/nicta_full_text/6464.pdf Google ScholarDigital Library
Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache Attacks and Countermeasures: The Case of AES. In Proceedings of the 2006 Crytographers' track at the RSA Conference on Topics in Cryptology. Springer, San Jose, CA, US, 1--20. Google ScholarDigital Library
Hira Syeda and Gerwin Klein. 2018. Program Verification in the Presence of Cached Address Translation. In International Conference on Interactive Theorem Proving, Vol. 10895. Lecture Notes in Computer Science, Oxford, UK, 542--559. https://ts.data61.csiro.au/publications/csiro_full_ text//Syeda_Klein_18.pdf 6Google Scholar
Mohit Tiwari, Xun Li, Hassan M. G. Wassel, Frederic T. Chong, and Timothy Sherwood. 2009. Execution Leases: A Hardware-supported Mechanism for Enforcing Strong Non-interference. In Proceedings of the 42nd ACM/IEE International Symposium on Microarchitecture. New York, NY, US. Google ScholarDigital Library
Mohit Tiwari, Jason K Oberg, Xun Li, Jonathan Valamehr, Timothy Levin, Ben Hardekopf, Ryan Kastner, Frederic T Chong, and Timothy Sherwood. 2011. Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security. In Proceedings of the 38th International Symposium on Computer Architecture. San Jose, CA, US. Google ScholarDigital Library
Freek Verbeek, Oto Havle, Julien Schmaltz, Sergey Tverdyshev, Holger Blasum, Bruno Langenstein, Werner Stephan, Burkhart Wolff, and Yakoub Nemouchi. 2015. Formal API specification of the PikeOS separation kernel. In NASA Formal Methods Symposium. Springer, 375--389.Google ScholarCross Ref
ZhenghongWang and Ruby B. Lee. 2007. New Cache Designs for Thwarting Software Cache-based Side Channel Attacks. In Proceedings of the 34th International Symposium on Computer Architecture. ACM, San Diego, CA, US, 494--505. Google ScholarDigital Library
Nils Wistoff, Moritz Schneider, Frank Gürkaynak, Luca Benini, and Gernot Heiser. 2020. Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core. In Workshop on Computer Architecture Research with RISC-V (CARRV). ACM, Valencia, Spain, 7. https://ts.data61. csiro.au/publications/csiro_full_text//Wistoff_SGBH_20.pdfGoogle Scholar
John C. Wray. 1991. An analysis of covert timing channels. In Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE, Oakland, CA, US, 2--7.Google ScholarCross Ref
Heechul Yun, Gang Yao, Rodolfo Pellizzoni, Marco Caccamo, and Lui Sha. 2013. MemGuard: Memory Bandwidth Reservation System for Efficient Performance Isolation in Multi-core Platforms. In IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). IEEE, Philadelphia, PA, US, 55--64. Google ScholarDigital Library
Yinqian Zhang and Michael K. Reiter. 2013. Düppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud. In Proceedings of the 20th ACM Conference on Computer and Communications Security. Berlin, DE, 827--838. Google ScholarDigital Library

Recommendations

Compaction with General Synchronous Timing

In current microcode generation systems, one simplification that is frequently made is to assume an absence of timing restrictions. It is critical that timing is considered when the target architecture involves branch delays, volatile registers, or ...
Read More
Robust joint fine timing synchronization and channel estimation for MIMO systems

This paper proposes a joint timing synchronization and channel estimation scheme for multiple-input single-output or multiple-input multiple-output communication systems. All timing offsets and channel impulse responses (CIR) of different transmit-...
Read More
Systematic Prevention of On-Core Timing Channels by Full Temporal Partitioning
Microarchitectural timing channels enable unwanted information flow across security boundaries, violating fundamental security assumptions. They leverage timing variations of several state-holding microarchitectural components and have been demonstrated ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM SIGOPS Operating Systems Review Volume 54, Issue 1
July 2020
76 pages
ISSN:0163-5980
DOI:10.1145/3421473
Editors:
Robbert van Renesse
Cornell University, Ithaca, New York
,
Christopher J. Rossbach
Stop D9500, Austin, TX
,
Kishore Pusukuri
1850 Nantucket Cir APT 149 Santa Clara, CA, USA
,
John Chandy
University of Connecticut
,
Antônio Fröhlich
Dederal Univ. of Santa Catarina
,
Ashvin Goel
University of Toronto
Issue’s Table of Contents
Copyright © 2020 Copyright is held by the owner/author(s)
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 31 August 2020
Check for updates
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 6
  Total Citations
  View Citations
- 150
  Total Downloads
- Downloads (Last 12 months)15
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Towards Provable Timing-Channel Prevention

ACM SIGOPS Operating Systems Review

Abstract

References

Cited By

Recommendations

Compaction with General Synchronous Timing

Robust joint fine timing synchronization and channel estimation for MIMO systems

Systematic Prevention of On-Core Timing Channels by Full Temporal Partitioning