Leveraging Gate-Level Properties to Identify Hardware Timing Channels

Oberg, Jason; Meiklejohn, Sarah; Sherwood, Timothy; Kastner, Ryan

doi:10.1109/tcad.2014.2331332

Cited by 40 publications

(16 citation statements)

References 32 publications

(51 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This demands a priori knowledge about possible covert channels. In order to capture and remove timing-based side channels in the design the gate-level netlist can be instrumented with IFT capabilities [15]. Such a gate-level IFT method is meant to be applied to selected modules such as a crypto-core or a bus controller.…”

Section: Related Workmentioning

confidence: 99%

Processor Hardware Security Vulnerabilities and their Detection by Unique Program Execution Checking

Fadiheh

Stoffel

Barrett

et al. 2019

2019 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

View full text Add to dashboard Cite

Recent discovery of security attacks in advanced processors, known as Spectre and Meltdown, has resulted in high public alertness about security of hardware. The root cause of these attacks is information leakage across "covert channels" that reveal secret data without any explicit information flow between the secret and the attacker. Many sources believe that such covert channels are intrinsic to highly advanced processor architectures based on speculation and out-of-order execution, suggesting that such security risks can be avoided by staying away from highend processors. This paper, however, shows that the problem is of wider scope: we present new classes of covert channel attacks which are possible in average-complexity processors with in-order pipelining, as they are mainstream in applications ranging from Internet-of-Things to Autonomous Systems.We present a new approach as a foundation for remedy against covert channels: while all previous attacks were found by clever thinking of human attackers, this paper presents an automated and exhaustive method called "Unique Program Execution Checking" which detects and locates vulnerabilities to covert channels systematically, including those to covert channels unknown so far.

show abstract

Section: Related Workmentioning

confidence: 99%

Processor Hardware Security Vulnerabilities and their Detection by Unique Program Execution Checking

Fadiheh

Stoffel

Barrett

et al. 2019

2019 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

View full text Add to dashboard Cite

show abstract

“…As CC-Hunter is based on detecting contention, it is not directly applicable to detecting the covert channels through branch predictors proposed here, as these channels are not created based on contention. Another fundamental approach that builds the system from the ground up to detect the presence of side channels [Domnitser et al 2012], covert channels, and other unintended information flows is gate-level information flow tracking (GLIFT) [Tiwari et al 2009;Oberg et al 2014]. Although shown to be effective, GLIFT requires significant rearchitecting and redesign of the entire system.…”

Section: Related Workmentioning

confidence: 99%

Understanding and Mitigating Covert Channels Through Branch Predictors

Evtyushkin

Ponomarev

Abu-Ghazaleh

2016

ACM Trans. Archit. Code Optim.

View full text Add to dashboard Cite

Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. In this article, we classify, analyze, and compare covert channels through dynamic branch prediction units in modern processors. Through experiments on a real hardware platform, we compare contention-based channel and the channel that is based on exploiting the branch predictor's residual state. We analyze these channels in SMT and single-threaded environments under both clean and noisy conditions. Our results show that the residual state-based channel provides a cleaner signal and is effective even in noisy execution environments with another application sharing the same physical core with the trojan and the spy. We also estimate the capacity of the branch predictor covert channels and describe a software-only mitigation technique that is based on randomizing the state of the predictor tables on context switches. We show that this protection eliminates all covert channels through the branch prediction unit with minimal impact on performance.CCS Concepts: r Security and privacy → Security in hardware; Systems security; r Computer systems organization → Architectures;Additional Key Words and Phrases: Security, covert channel, branch predictor ACM Reference Format: Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh. 2016. Understanding and mitigating covert channels through branch predictors.

show abstract

“…By employing a multilevel security lattice, it allows finer classification of data objects and a better understanding of the leakage process. We refer the interested reader to other works that provide more detail on GLIFT for detecting timing channels [Oberg et al 2013a;2014], which is out of the scope of this work.…”

Section: Static Testing/verification Analysismentioning

confidence: 99%

“…Oberg has shown how GLIFT can be used to identify and eliminate timing channels in shared buses architectures such as I2C, USB, and Wishbone [Oberg et al , 2013a. Further, a practical testing framework is constructed to prove strict isolation between IP blocks with different trust basis in SoC (System-on-Chip) systems [Oberg et al 2014]. Again, GLIFT is used to identify and eliminate harmful flows of information, including those through hard-to-detect timing channels.…”

mentioning

confidence: 99%

Gate-Level Information Flow Tracking for Security Lattices

Oberg

et al. 2014

ACM Trans. Des. Autom. Electron. Syst.

Self Cite

View full text Add to dashboard Cite

High-assurance systems found in safety-critical infrastructures are facing steadily increasing cyber threats. These critical systems require rigorous guarantees in information flow security to prevent confidential information from leaking to an unclassified domain and the root of trust from being violated by an untrusted party. To enforce bit-tight information flow control, gate-level information flow tracking (GLIFT) has recently been proposed to precisely measure and manage all digital information flows in the underlying hardware, including implicit flows through hardware-specific timing channels. However, existing work in this realm either restricts to two-level security labels or essentially targets two-input primitive gates and several simple multilevel security lattices. This article provides a general way to expand the GLIFT method for multilevel security. Specifically, it formalizes tracking logic for an arbitrary Boolean gate under finite security lattices, presents a precise tracking logic generation method for eliminating false positives in GLIFT logic created in a constructive manner, and illustrates application scenarios of GLIFT for enforcing multilevel information flow security. Experimental results show various trade-offs in precision and performance of GLIFT logic created using different methods. It also reveals the area and performance overheads that should be expected when expanding GLIFT for multilevel security.

show abstract

Leveraging Gate-Level Properties to Identify Hardware Timing Channels

Cited by 40 publications

References 32 publications

Processor Hardware Security Vulnerabilities and their Detection by Unique Program Execution Checking

Processor Hardware Security Vulnerabilities and their Detection by Unique Program Execution Checking

Understanding and Mitigating Covert Channels Through Branch Predictors

Gate-Level Information Flow Tracking for Security Lattices

Contact Info

Product

Resources

About