Survey of Transient Execution Attacks

Xiong, Wenjie; Szefer, Jakub

doi:10.48550/arxiv.2005.13435

Cited by 5 publications

(3 citation statements)

References 87 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These two attack technologies affect a wide range of processors [3] since they target speculative execution, which has been deployed in commercial processors for decades. Moreover, despite the advances in the proposed and deployed defenses against transient execution attacks [56], [55], [28], [8], [35], [49], [27], [31], they are still limited [12].…”

Section: B Micro-architectural Attacksmentioning

confidence: 99%

Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks

Fang¹,

Wang²,

Nazari³

et al. 2022

Proceedings 2022 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Cloud computing paradigms have emerged as a major facility to store and process the massive data produced by various business units, public organizations, Internet-of-Things (IoT), and cyber-physical systems (CPS). To meet users' performance requirements while maximizing resource utilization to achieve cost-efficiency, cloud administrators leverage schedulers to orchestrate tasks to different physical nodes and allow applications from different users to share the same physical node. On the other hand, micro-architectural attacks, e.g, side-channel attacks, transient execution attacks, and Rowhammer attacks, exploit the shared resources to compromise the confidentiality/integrity of a co-located victim application. Since co-location is an essential requirement for micro-architectural attacks, in this work, we investigate whether attackers can exploit the cloud schedulers to satisfy the co-location requirement of the micro-architectural attacks. Specifically, in this paper, we comprehensively analyze if attackers can influence the scheduling process of cloud schedulers to co-locate with specific targeted applications in the cloud. Our analysis shows that for cloud schedulers that allow users to submit application requirements, an attacker can carefully select the attacker's application requirements to influence the scheduler to co-locate it with a targeted victim application. We call such attack Replication Attack (REPTTACK). Our experimental results, in both a simulated cluster environment and a real cluster, show similar trends; a single attack instance can reach up to 50% co-location rate (probability of co-location) and with only 5 instances the co-location rate can reach up to 80% in a heterogeneous cloud. Furthermore, we propose and evaluate a mitigation strategy that can help defend against REPTTACK. We believe that our results highlight the fact that schedulers in multi-user clusters need to be more carefully designed with security in mind, and the process of making scheduling decisions should involve as little user-defined information as possible.

show abstract

Section: B Micro-architectural Attacksmentioning

confidence: 99%

Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks

Fang¹,

Wang²,

Nazari³

et al. 2022

Proceedings 2022 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Defenders are playing a game of whack-a-mole as researchers are still bringing new attacks that exploit the leakage from the microarchitecture to the architectural level of the processor. Works that survey this landscape in greater detail than allowed in the scope of this paper include those by Xiong and Szefer (2020), and Canella et al (2020). While these works deeply evaluate the technical aspects and theory of transient execution attacks, this paper will focus more heavily on our experience with researching currently available exploit examples and testing them on real world hardware and software.…”

Section: Background and Related Workmentioning

confidence: 99%

Transient Execution and Side Channel Analysis: a Vulnerability or a Science Experiment?

Shepherd

Brookes

Denz

2022

iccws

View full text Add to dashboard Cite

In the world of computer security, attackers are constantly looking for new exploits to gain data from or control over a computer system. One category of exploit that can prove quite effective at accessing privileged data is side channel exploits. These exploits attempt to take advantage of vulnerabilities that are inherent in the design of a system rather than vulnerabilities in the code that has been written for and is running on said system. In other words, they exploit side effects of computation. Examples of this include measuring the power consumption of a system’s processor over time and analysing that power usage to leak system secrets or reading secrets from a system by analysing the electromagnetic radiation the system leaks as it processes data. Another type of side channel attack is a cache-based side channel attack, which exploits the timings of cache and memory accesses to determine data from the target system. We discuss some of the more common types of side channel attacks used to interpret data values from the microarchitectural changes created by transient executions. In particular, we will focus on attacks that are capable of recovering data that is processed through transient execution in some way and then wrongly accessed using a side channel, such as the Spectre and Meltdown classes of attack. We also discuss other attacks of a similar type and survey some popular mitigations for these attacks. We provide a survey of all available Spectre proof-of-concept repositories on GitHub, evaluating whether they work on different platforms. Finally, we review our experiences with these types of attacks on modern systems and comment on the attacks’ practicality, reliability, and portability. We conclude that these types of attacks are interesting, but there are some practicality and reliability concerns that make other attacks easier much of the time.

show abstract

“…According to the length of the information carrier's life span, timing-based covert channels can be grouped into two types: the persistent and the volatile [68]. The information carrier in a persistent covert channel is usually the layout of a storage unit, such as the cache [55], translation lookaside buffer (TLB) [57], and branch target buffer (BTB) [70], or a state change such as the on/off state of high bits in the AVX2 vector register [51].…”

Section: B Timing-based Covert Channelmentioning

confidence: 99%

SpecBox: A Label-Based Transparent Speculation Scheme Against Transient Execution Attacks

Tang¹,

Wu²,

Wang³

et al. 2021

Preprint

View full text Add to dashboard Cite

Speculative execution techniques have been a cornerstone of modern processors to improve instruction-level parallelism. However, recent studies showed that this kind of techniques could be exploited by attackers to leak secret data via transient execution attacks, such as Spectre. Many defenses are proposed to address this problem, but they all face various challenges: (1) Tracking data flow in the instruction pipeline could comprehensively address this problem, but it could cause pipeline stalls and incur high performance overhead; (2) Making side effect of speculative execution imperceptible to attackers, but it often needs additional storage components and complicated data movement operations. In this paper, we propose a label-based transparent speculation scheme called SPECBOX. It dynamically partitions the cache system to isolate speculative data and nonspeculative data, which can prevent transient execution from being observed by subsequent execution. Moreover, it uses thread ownership semaphores to prevent speculative data from being accessed across cores. In addition, SPECBOX also enhances the auxiliary components in the cache system against transient execution attacks, such as hardware prefetcher. Our security analysis shows that SPECBOX is secure and the performance evaluation shows that the performance overhead on SPEC CPU 2006 and PARSEC-3.0 benchmarks is small.

show abstract

Survey of Transient Execution Attacks

Cited by 5 publications

References 87 publications

Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks

Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks

Transient Execution and Side Channel Analysis: a Vulnerability or a Science Experiment?

SpecBox: A Label-Based Transparent Speculation Scheme Against Transient Execution Attacks

Contact Info

Product

Resources

About