Security – Side Channel Attacks

Covert Channels

  • Covert means of transferring data
  • Channel that transfers information in a way that violates a security policy
    • An insider process leaks information to an outsider process not normally allowed to access that information
  • Often divided into two (three) main categories:
    • Storage
      • Communication done in some memory space
    • Timing
      • Delay or some action in communication channel
    • (Statistics)
      • Behavior that follows some distribution
  • Low signal-to-noise ratio and low data rates
  • Example:
    • Two students covertly communicate together during examination to share answers
    • The professor doesn't notice it because the communication is subtle, like pencil taps or foot positions
  • Remediation
    • Monitoring communication, storage, data
    • Difficult; you just need to look closely at the system

 

Side Channels

  • Any attack based on information gained from the implementation of a computer system rather than weaknesses in the implemented algorithm itself
  • Side channel attacks exploit information that can be gained or observed based on watching a computer system, program, etc. execute (such as timing information) instead of relying on implementation flaws (such as software bugs) 
  • Not as intentional as a covert channel; this is more a matter of exploring and then exploiting inadvertent vulnerabilities

 

Example: SSH Keystroke Timing – SIDE CHANNEL ATTACK

  • SSH encrypts and authenticates all communication
  • When connected to a computer over SSH, every time you press a key, your computer immediately generates a packet and sends it to the remote computer
  • The time between key presses leaks information about what you are typing!
  • Extract information to try to infer what password the user is typing
  • Send packets at a fixed rate 
  • Some keys take longer because the same finger is used to type them

  • Weaknesses:
    • Depends on user
    • Some words might be typed faster, like common words
  • Remediations
    • Make transmission timing uniform
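
The fixed-rate remediation above, as an added example that is not part of the original notes: one equal-sized packet leaves on every tick, carrying a waiting keystroke or a dummy, so the gaps on the wire no longer follow the typing rhythm. The 50 ms tick, the keypress times and all function names are assumptions constructed for illustration.

```python
from collections import deque

TICK_MS = 50                            # assumed send interval, not from the notes
KEYS_MS = [120, 205, 410, 430, 700]     # constructed keypress times (ms)

def raw_intervals(key_times_ms):
    """Gaps an on-path observer sees when every keypress is sent immediately."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]

def shape(key_times_ms, tick_ms=TICK_MS, tail_ticks=2):
    """One equal-sized packet per tick: the oldest waiting key if there is one,
    otherwise a dummy (None). tail_ticks of padding hide when typing stopped."""
    pending = deque(enumerate(sorted(key_times_ms)))
    schedule, t, tail = [], 0, tail_ticks
    while pending or tail > 0:
        if pending and pending[0][1] <= t:
            schedule.append((t, pending.popleft()[0]))
        else:
            schedule.append((t, None))
            if not pending:
                tail -= 1
        t += tick_ms
    return schedule

def wire_intervals(schedule):
    """Gaps between consecutive packets on the wire after shaping."""
    times = [t for t, _ in schedule]
    return [b - a for a, b in zip(times, times[1:])]

def added_latency(key_times_ms, schedule):
    """Delay each real keystroke pays for the fixed rate (the usability cost)."""
    sent_at = {idx: t for t, idx in schedule if idx is not None}
    return [sent_at[i] - k for i, k in enumerate(sorted(key_times_ms))]

if __name__ == "__main__":
    sched = shape(KEYS_MS)
    print("unshaped gaps:", raw_intervals(KEYS_MS))
    print("shaped gaps:  ", sorted(set(wire_intervals(sched))))
    print("added latency:", added_latency(KEYS_MS, sched))
```

The shaping only helps if dummy and real packets are indistinguishable in size, and the cost is the per-key delay plus the bandwidth spent on dummies.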

 

Rowhammer – SIDE CHANNEL ATTACK

  • Exploit against VRAM/RAM – as software runs it eats up the memory buffer; can send electrical current to disrupt a memory address or adjacent memory cells
  • Repeatedly write to a row
  • Cause a bit error in an adjacent row
  • Improvement! Alternate between two rows
  • Used to root Android phones
    • Gain root privilege to Android OS
    • Hammers the right location in memory
  • Can impact phones from distance since electric charge 
  • Mitigations
    • Refresh memory more often
    • Pseudo target row refresh (pTRR)
    • Increased patrol scrub timers

 

Other Side Channel Attacks

  • Typical threat model: attacker doesn't have root access to the machine
    • So we can safely store keys on machine memory
  • But what if the attacker had physical access to machine?

Cold Boot Attacks

Liquid Nitrogen – less than 0.1% decay after 1 hour

 

Remediations

  • Encrypt memory (increases CPU load)
  • Use trusted hardware (Xbox)
    • TPM (Trusted Platform Module) stores keys in hardware that is very difficult to inspect (some self-destruct)
  • Limit the amount of time keys live in memory

 

Meltdown and Spectre

Meltdown breaks the mechanism that separates app and storage data/memory. Spectre is similar. Both are classes of attacks and have many variants.

Meltdown takes advantage of Intel-specific behavior, whereas Spectre relies on more generic memory management.

  • Hardware vulnerability (namely flawed implementations of speculative execution)
  • Programs are typically not permitted to read data from other programs
  • But in special circumstances, you can “break the walls” between programs executing concurrently on the same computer
  • Speculative execution allows processors to speculate on future instruction directions and proactively execute instructions along these paths before knowing if the instructions are correct
    • CPU is trying to be efficient, guess ahead, always want to be doing something
  • Out-of-order execution allows for the simultaneous use of all the execution units in a CPU core  
  • Meltdown takes advantage of a privilege escalation flaw allowing kernel memory access from user space
    • Privilege escalation flaw in kernel
    • Could access any memory 
  • Spectre works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space 
    • Some program makes the CPU predict the wrong thing, trying to lead it down a false trail
    • The CPU executes some malicious code and leaves the result in cache state; that cache data is then extracted by the program

More examples of Side Channel Attacks

 

https://web.eecs.umich.edu/~genkin/teaching/fall2018/EECS598-12.html