Security Issues in Parallel and Distributed Computing - Side Channel Attacks and Defenses

Slide Note
Embed
Share

Explore various security threats in parallel and distributed computing, focusing on side channel attacks and defenses. Learn about microarchitecture, cache hierarchy, popular attacks, defense mechanisms, and more. Discover how hardware vulnerabilities can lead to the compromise of sensitive data and encryption keys.

corella_j
corella_j Follow

Uploaded on Sep 24, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. SECURITY ISSUES IN PARALLEL AND DISTRIBUTED COMPUTING - SIDE CHANNEL ATTACKS AND DEFENSES Presented by: Kazi Mejbaul Islam

  2. Outline Introduction and Background Microarchitecture Cache hierarchy Side channels in microarchitecture Threats in parallel and distributed systems Popular Side Channel Attacks An example Popular Defense Mechanisms From Software s perspective From Hardware s perspective

  3. Introduction Hardware can not always be trusted! ISA Registers Memory Features that enhance the architecture, may be the cause of vulnerability Architecture Microarchitecture Branch Prediction Cache TLB Cache MMU Interconnection

  4. Introduction Several threats have been created using these features such as Stealing secret encryption key Tracking browser activity Keystroke sniffing etc. We will discuss these issues and defenses from cache s cache s perspective

  5. Background Cache architecture in Multicore Systems Cache architecture in Multicore Systems Figure 1. A dual-core dual-processor system

  6. Background Cache Hierarchy Cache Hierarchy Hit/Miss Figure 2. Multi-level chache

  7. Background Encryption (RSA) Encryption (RSA) RSA encryption contains c, m, e, and n represent ciphertext, plaintext, key, and the product of p and q (p, q are large prime numbers), respectively and calculates c using following equation: c memod n How do we calculate c efficiently?

  8. Background Side Channels Side Channels Channels/mediums those are not meant to be information exchange Unlike covert channel, the victim is unconscious about the attacker. For example: Cache, TLB, power consumption Figure 3: Power consumption pattern

  9. Threats in Distributed Systems To make computation systems massively parallel, current systems are: Multiprocessor Multicore Maintaining cache hierarchy To support multiple users simultaneously, Clouds today supports lots of VMs, containers co-locate on single architecture

  10. Threats in Distributed Systems Attacks can take place at: Cross VM Cross container In same OS among different processes

  11. Popular Side Channel Attacks Side channel attacks can be divided into two major types: Time Driven: In time-driven attacks, the attacker measures the total execution time of cryptographic operations to extract sensitive information Access Driven: Attacker probes the medium to infer the execution time and pattern

  12. Flush+Reload Consists of 3 steps: 1. Flushes the cache 2. Waits for the victim to run its program 3. Probes the cache for specific instruction/data

  13. Flush+Reload Figure 6: RSA encryption Figure 5: Flush+Reload Figure 7: Flush+Reload time flow

  14. Prime+Probe Fills all cache line with own data Waits for victim process to get allocated and being evicted Probes the access time taken by the victim Figure 8: Prime+Probe

  15. Example (Flush+Reload) Side-Channel Attacks on Everyday Applications by Taylor Hornby, University of Calgary Consider a scenario where Victim is going to search for pen, pencil or marker in Wikipedia. The Attacker knows that the Victim is going to search on Wikipedia and he has a list of words that the victim is going to search such as (pen, pencil, box, book, etc.) Step 1: Find the common functions that can be used to distinguish the word while searching Search each word in the list Record the pattern for each word. Suppose you have found A,B,C,D four functions.

  16. Example (Flush+Reload) The data for the attacker may look like this: 1. Pen: AABBCDADA 2. Pencil: BCDAACCBD 3. Box: CDACDAAADCB .

  17. Example (Flush+Reload) Step 2: Launch the attack 1. Load the program 2. Flush the cache 3. Reload A,B,C,D and record time to load If it is a hit, note that If it is a miss, omit 4. Flush again

  18. Example (Flush+Reload) Step 3: Match with the fist recorded data The attacker will get a string like: AABCDAADCBA . Using statistical algorithm or machine learning (authors have used Levenshtein distance)

  19. Defense mechanism How do you defend it? Attack detection Soft partitioning Page coloring Restricting fine grained time measurement Disallowing KSM Software measures Designing new cache Cache partition Attack detection Hardware measures

  20. Attack Detection Monitor hit/miss, clock cycle, branch miss etc. Use machine learning/statistical methods to classify suspicious pattern Able to detect flush+reload and prime+probe Some researchers offloaded the detection system to dedicated hardware Cons: Requires some iterations to get data, attacker might be able to launch attack before detection Resource expensive for some applications

  21. Constant Timing Modify the code to make the execution time abstract For example, in the RSA encryption, insert a condition for bit 0 and a constant time for both 1 and 0 bit. It makes timing information abstract Cons: Not possible to implement in all cases Creates performance overhead

  22. Restricting Fine-Grained Time Measurements As the attacker relies on timing information and it needs to be fine-grained, kernel can limit the time measurement Cons: Measuring time at high precision is used in many softwares and making these obsolete is not a practical idea.

  23. Page coloring Software mechanism to partition cache Color the memory pages and pages of same color can be mapped into the same cache set Cons: Not very efficient for VM. Being inherently coarse-grained it may lead performance degradation.

  24. The Intel Cache Allocation Technology CLOS refers to one Class of Service Programs/VMs/Cores can be associated to a CLOS Program from one CLOS can not evict cache line from other CLOS Programs can get hit from all cache Figure 9: Sample CAT bitmask

  25. Soft-partitioning Cache It is unnecessary to isolate all programs or VMs A small portion of cache can be declared as dedicated to security sensitive applications This approach can be taken from both software and hardware side

  26. CATalyst Partition cache using CAT Use one small partition for security sensitive tasks Figure 10: CATalys

  27. HybCache Fix last two ways for security intensive task This isolation is used for all L1, L2 and L3 cache Figure 11: HybCache architecture

  28. Trade-off between hardware and software approach Defense mechanisms from software side can be implemented quickly to secure almost all systems Hardware approaches are more efficient but it would take a long time to be used in practice Moreover, hardware approaches would not be able to secure the existing systems

  29. Conclusion Side channel attacks are practical for distributed systems and must be taken care of. Based on the defense mechanisms proposed by the researchers, we can conclude, a practical defense system should have: Good security Low performance overhead Able to secure existing system

  30. Question?

Related


Understanding Parallel and Distributed Computing Systems

Understanding Parallel and Distributed Computing Systems

aleeza
Understanding Parallel and Distributed Systems in Computing

Understanding Parallel and Distributed Systems in Computing

macklin
Understanding Control Hijacking Attacks and Defenses

Understanding Control Hijacking Attacks and Defenses

dawn_o
Types Cyber Attacks: Cyber Security Training Workshop

Types Cyber Attacks: Cyber Security Training Workshop

anara
Understanding Network Denial of Service (DoS) Attacks

Understanding Network Denial of Service (DoS) Attacks

zahra
Understanding Parallel Sorting Algorithms and Amdahl's Law

Understanding Parallel Sorting Algorithms and Amdahl's Law

kay_xav
Mitigation of DMA-based Rowhammer Attacks on ARM

Mitigation of DMA-based Rowhammer Attacks on ARM

baylee
Adversarial Machine Learning in Cybersecurity: Challenges and Defenses

Adversarial Machine Learning in Cybersecurity: Challenges and Defenses

thirza
Scatter-and-Gather Revisited: High-Performance Side-Channel-Resistant AES on GPUs

Scatter-and-Gather Revisited: High-Performance Side-Channel-Resistant AES on GPUs

somm_3
Overview of Distributed Systems: Characteristics, Classification, Computation, Communication, and Fault Models

Overview of Distributed Systems: Characteristics, Classification, Computation, Communication, and Fault Models

paulina
Understanding Channel Design in Marketing

Understanding Channel Design in Marketing

sumayyah
Defending Against Cache-Based Side-Channel Attacks

Defending Against Cache-Based Side-Channel Attacks

eath_634
Automated Signature Extraction for High Volume Attacks in Cybersecurity

Automated Signature Extraction for High Volume Attacks in Cybersecurity

klos_k
Exploring Adversarial Machine Learning in Cybersecurity

Exploring Adversarial Machine Learning in Cybersecurity

bartholomew
Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security

Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security

ciel
Adversarial Machine Learning

Adversarial Machine Learning

caterina
Channel Design

Channel Design

kendra
Exploring Parallel Computing: Concepts and Applications

Exploring Parallel Computing: Concepts and Applications

leyla
Understanding Spectre and Meltdown Security Vulnerabilities

Understanding Spectre and Meltdown Security Vulnerabilities

mcsherry_k
Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches

Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches

hari
Real-Time Detection of Polluted Drive-by Download Attacks with JShield

Real-Time Detection of Polluted Drive-by Download Attacks with JShield

caniya
Location Privacy Protection Strategies: A Comprehensive Overview

Location Privacy Protection Strategies: A Comprehensive Overview

zebu_576
Managing Covid-19 Cyber and Data Protection Risks

Managing Covid-19 Cyber and Data Protection Risks

kaisen
Understanding Side Channels in Software Security

Understanding Side Channels in Software Security

zeppelin

More Related Content

Secure and Efficient Multi-Variant Execution in Distributed Settings
Secure and Efficient Multi-Variant Execution in Distributed Settings
Distributed Software Engineering Overview
Distributed Software Engineering Overview
Understanding Denial-of-Service Attacks and Defense Strategies
Understanding Denial-of-Service Attacks and Defense Strategies
Understanding Cloud Computing, Edge Computing, and Their Applications
Understanding Cloud Computing, Edge Computing, and Their Applications
Preventing Active Timing Attacks in Low-Latency Anonymous Communication
Preventing Active Timing Attacks in Low-Latency Anonymous Communication
Parallel Processing and SIMD Architecture Overview
Parallel Processing and SIMD Architecture Overview
Successful Channel Modification Techniques and Benefits
Successful Channel Modification Techniques and Benefits
Strategies to Protect School Systems from Cyber Attacks
Strategies to Protect School Systems from Cyber Attacks
Understanding Triangle Congruence Properties
Understanding Triangle Congruence Properties
Understanding Parallel Skyline Queries in Distributed Systems
Understanding Parallel Skyline Queries in Distributed Systems
Scaling Condor on XSEDE for LIGO - Collaborative Computing Project
Scaling Condor on XSEDE for LIGO - Collaborative Computing Project
Introduction to GPUs in Parallel Computer Architecture
Introduction to GPUs in Parallel Computer Architecture
Effective Channel Management Decisions for Marketing Success
Effective Channel Management Decisions for Marketing Success
Understanding Distributed Hash Table (DHT) in Distributed Systems
Understanding Distributed Hash Table (DHT) in Distributed Systems
Principles of Cyber Security
Principles of Cyber Security
Understanding Network Security: Hijacking, Denial of Service, and IDS
Understanding Network Security: Hijacking, Denial of Service, and IDS
Overview of the Computing Community Consortium
Overview of the Computing Community Consortium
Distributed and Cluster Computing Overview
Distributed and Cluster Computing Overview
Effective Method to Protect Web Servers Against Breach Attacks
Effective Method to Protect Web Servers Against Breach Attacks
The THz Channel Model in Wireless Data Center
The THz Channel Model in Wireless Data Center
Overview of Distributed Systems, RAID, Lustre, MogileFS, and HDFS
Overview of Distributed Systems, RAID, Lustre, MogileFS, and HDFS
Evolution of Parallel Programming in Computing
Evolution of Parallel Programming in Computing
Buffer Overflow: Understanding, Defenses, and Detection
Buffer Overflow: Understanding, Defenses, and Detection
Understanding Remote Method Invocation (RMI) in Distributed Systems
Understanding Remote Method Invocation (RMI) in Distributed Systems