Abstract
Information flow control allows untrusted code to access sensitive and trustworthy information without leaking this information. However, the presence of covert channels subverts this security mechanism, allowing processes to communicate information in violation of IFC policies. In this paper, we show that concurrent deterministic IFC systems that use time-based scheduling are vulnerable to a cache-based internal timing channel. We demonstrate this vulnerability with a concrete attack on Hails, one particular IFC web framework. To eliminate this internal timing channel, we implement instruction-based scheduling, a new kind of scheduler that is indifferent to timing perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. To show the feasibility of instruction-based scheduling, we have implemented a version of Hails that uses the CPU retired-instruction counters available on commodity Intel and AMD hardware. We show that instruction-based scheduling does not impose significant performance penalties. Additionally, we formally prove that our modifications to Hails’ underlying IFC system preserve non-interference in the presence of caches.
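The scheduling effect the abstract describes can be reproduced in a small deterministic model. The following is an added example, not code from the paper or from Hails: a toy single-CPU round-robin scheduler with a direct-mapped cache, in which the thread names, cycle costs, addresses and quanta are all constructed for illustration. Two public threads write to a shared log while a secret-labelled thread either evicts or leaves alone the cache line one of them uses.

```python
HIT, MISS, SETS = 1, 10, 4      # constructed cycle costs and cache size

def run(secret, quantum, count_instructions):
    """Round-robin one CPU over threads H, A, B; return the order of low writes."""
    cache = {}                               # direct-mapped: set index -> address
    conflict = 4 if secret else 1            # addr 4 shares a cache set with A's addr 0
    progs = {
        "H": [("load", conflict)] * 200,             # secret-labelled thread
        "A": [("load", 0)] * 6 + [("write", "A")],   # public, cache-sensitive
        "B": [("nop",)] * 15 + [("write", "B")],     # public, cache-insensitive
    }
    pc = dict.fromkeys(progs, 0)
    log = []                                 # public channel both low threads write to
    while len(log) < 2:
        for name, prog in progs.items():
            used = 0                         # budget consumed in this quantum
            while used < quantum and pc[name] < len(prog):
                op = prog[pc[name]]
                pc[name] += 1
                cycles = HIT
                if op[0] == "load":
                    idx = op[1] % SETS
                    cycles = HIT if cache.get(idx) == op[1] else MISS
                    cache[idx] = op[1]
                elif op[0] == "write":
                    log.append(op[1])
                # Time-based scheduling charges cycles; instruction-based
                # scheduling charges one unit per retired instruction.
                used += 1 if count_instructions else cycles
    return "".join(log)

def leaks(quantum, count_instructions):
    """True if the public write order differs between the two secret values."""
    return run(0, quantum, count_instructions) != run(1, quantum, count_instructions)

if __name__ == "__main__":
    print("time-based quantum leaks:       ", leaks(12, False))
    print("instruction-based quantum leaks:", leaks(4, True))
```

With a cycle-based quantum, the order of the two public writes depends on the secret; with an instruction-based quantum, cache misses no longer change how far each thread gets before preemption, so the order is the same for both secret values.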
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Stefan, D. et al. (2013). Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_40
DOI: https://doi.org/10.1007/978-3-642-40203-6_40
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6
eBook Packages: Computer Science (R0)