Understanding Side Channels in Software Security

 
EXERCISE #15
 
1
 
SIDE CHANNEL REVIEW
 
Write your name and answer the following on a piece of paper
 
Provide an instance of a function with a sensitive argument v and leaks a bit of v via a
timing side channel
 
ADMINISTRIVIA
AND
ANNOUNCEMENTS
 
Paper review due Sunday at 11:59 PM
 
CLASS PROGRESS
 
SHOWING SOME APPLICATIONS OF
STATIC DATAFLOW
DESCRIBED A PARTICULAR TYPE OF
EVASION AGAINST EXPLICIT
DATAFLOW: SIDE CHANNELS
BEGAN TO CONSIDER WHAT WE
COULD DO ABOUT IT
 
3
 
4
 
LAST TIME: SIDE CHANNELS
 
REVIEW: LAST LECTURE
 
U
NDETECTABLE
 
VIA
 (
TYPICAL
) 
STATIC
 
DATAFLOW
 
General side-channel: using a predictable phenomenon
outside of the semantics of the program
Covert channel: special instance of a side channel that is
used intentionally by the program
 
REFERENCE MONITORS
 
EECS 677: Software Security Evaluation
Drew Davidson
 
OVERVIEW
 
PREVENTING BAD STUFF FROM
HAPPENING IN A PROGRAM
 
6
 
LECTURE OUTLINE
 
Overview
Details
Instances
 
8
 
LIMITATIONS OF ANALYSIS
 
REFERENCE MONITORS: OVERVIEW
 
S
O
 
FAR
, 
OUR
 
FOCUS
 
HAS
 
BEEN
 
LARGELY
ON
 
DETECTING
 
UNDESIRABLE
 
BEHAVIOR
 
That’s valuable!
Ask developers to correct their own mistakes
Empower users to forgo running bad software
 
9
 
LIMITATIONS OF ANALYSIS
 
REFERENCE MONITORS: OVERVIEW
 
D
ETECTION
 
MIGHT
 
NOT
 
BE
 
ENOUGH
 
False positives
Scalability issues
 
D
YNAMIC
 A
NALYSIS
 
False negatives
Run time issues
 
S
TATIC
 A
NALYSIS
 
May be in a position where we can’t run the analysis
 
10
 
A HANDS-ON ALTERNATIVE
 
REFERENCE MONITORS: OVERVIEW
 
K
EEP
 
BAD
 
THINGS
 
FROM
 
HAPPENING
 
DURING
SYSTEM
 
EXECUTION
 
Requires some sort of specification for “bad things”
Requires some sort of preventative capabilities
 
11
 
PREVENTATIVE CAPABILITIES
 
REFERENCE MONITORS: OVERVIEW
 
S
IMPLE
 
FORM
 
Kill the program
 
D
ATAFLOW
 F
ORM
 
Sanitize the data
 
12
 
THE BIG IDEA
 
REFERENCE MONITORS: OVERVIEW
 
K
EEP
 
PROGRAMS
 
ON
 
THE
STRAIGHT
 
AND
 
NARROW
 
- Articulate a policy for allowed behavior
- Keep a running record of security-relevant
behavior
- Prevent a violation of the policy
 
13
 
SAFETY POLICIES
 
REFERENCE MONITORS: INSTANCES
 
E
XECUTION
 
OF
 
A
 
PROCESS
 
AS
 
A
 
SEQUENCE
 
OF
 
STATES
 
Policy is a predicate on sequence prefix
 
Policy depends only on the past of a particular
execution – once violated, never “unviolates”
 
I
NCAPABLE
 
OF
 
HANDLING
 
LIVENESS
 
POLICIES
 
“If this server accepts a SYN, it will eventually
send a response”
 
LECTURE OUTLINE
 
Overview
Details
Instances
 
15
 
CONSIDER THE REACTIVE ADVERSARY
 
REFERENCE MONITORS: OVERVIEW
 
D
EFINITION
 
Reactive Adversary:
 An adversary with the
capability to understand the defense
mechanism and an opportunity to avoid it
 
I
F
 
A
 D
EFENSE
 
CAN
 
BE
 
AVOIDED
 
IT
HARDLY
 
MATTERS
 
WHAT
 
THE
ENFORCEMENT
 
DOES
 
Recall the history of the Maginot Line
 
16
 
SECURITY VS PRECISION
 
REFERENCE MONITORS: OVERVIEW
 
P
ROGRAM
 P
ROXIMITY
 
Far
 
Close
 
Inline reference monitor
 
External reference monitor
 
17
 
REFERENCE MONITOR DESIGN
 
REFERENCE MONITORS: INSTANCES
 
K
ERNELIZED
 
W
RAPPER
 
I
NLINE
 
18
 
PROPERTIES WE CARE ABOUT
 
REFERENCE MONITORS: INSTANCES
 
M
EMORY
 S
AFETY
 
T
YPE
 S
AFETY
 
C
ONTROL
 F
LOW
 S
AFETY
 
e.g. Programs respect aggregate type sizes,
process boundaries, code v data
 
e.g. Functions and intrinsic operations have
arguments that adhere to the type system
 
e.g. All control transfers are envisioned by the
original program
 
LECTURE OUTLINE
 
Overview
Details
Instances
 
20
 
OS AS REFERENCE MONITOR
 
REFERENCE MONITORS: INSTANCES
 
C
OLLECTION
 
OF
 
RUNNING
 
PROCESSES
 
AND
 
FILES
 
OS 
ENFORCES
 
VARIOUS
 
SAFETY
 
POLICIES
 
Processes are associated with users
 
- File access
- Process space write
 
Same policy for all processes of the same user
 
Files have ACLs
 
21
 
SOFTWARE FAULT ISOLATION (SFI)
 
REFERENCE MONITORS: INSTANCES
 
I
SOLATE
 
PROCESS
 
FAULTS
 
ON
 
SHARED
 
HARDWARE
 
Each process is a logical fault domain
 
Ensure all memory references and jump is
within the process fault domain
 
22
 
INLINE REFERENCE MONITORS: SASI
 
REFERENCE MONITORS: INSTANCES
 
C
ORNELL
 
PROJECT
 
FOR
 
INLINE
 
POLICY
 
ENFORCEMENT
 
Change the program to enforce “any” safety policy
 
Express allowed behavior as an FSM
 
Examples:
- No division by zero
- No network send after file read
 
23
 
SASI: COST
 
REFERENCE MONITORS: INSTANCES
 
A
TTEMPTS
 
TO
 
MINIMIZE
 
THE
 
NUMBER
 
OF
 
CHECKS
 
Looking at every instruction is incredibly expensive
 
Example: only need to check divide-by-zero
before DIV instructions
 
24
 
CONTROL FLOW INTEGRITY: CFI
 
REFERENCE MONITORS: INSTANCES
 
E
NSURE
 
THE
 
PROGRAM
 
CONTROL
 F
LOW
 
IS
 
ALLOWED
 
BY
THE
 CFG
 
In a sense, the policy is the control-flow graph
 
Why would we need to do this?
 
WRAP-UP
Slide Note
Embed
Share

This content delves into the topic of side channels in software security, focusing on the leakage of sensitive information through timing side channels. It discusses the concept of covert channels, reference monitors, limitations of analysis, and prevention strategies to mitigate the risks associated with side-channel attacks.


Uploaded on Aug 14, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. EXERCISE #15 SIDE CHANNEL REVIEW Write your name and answer the following on a piece of paper Provide an instance of a function with a sensitive argument v and leaks a bit of v via a timing side channel 1

  2. Paper review due Sunday at 11:59 PM ADMINISTRIVIA AND ANNOUNCEMENTS

  3. 3 CLASS PROGRESS SHOWING SOME APPLICATIONS OF STATIC DATAFLOW DESCRIBED A PARTICULAR TYPE OF EVASION AGAINST EXPLICIT DATAFLOW: SIDE CHANNELS BEGAN TO CONSIDER WHAT WE COULD DO ABOUT IT

  4. 4 LAST TIME: SIDE CHANNELS REVIEW: LAST LECTURE UNDETECTABLEVIA (TYPICAL) STATICDATAFLOW General side-channel: using a predictable phenomenon outside of the semantics of the program Covert channel: special instance of a side channel that is used intentionally by the program

  5. REFERENCE MONITORS EECS 677: Software Security Evaluation Drew Davidson

  6. 6 OVERVIEW PREVENTING BAD STUFF FROM HAPPENING IN A PROGRAM

  7. LECTURE OUTLINE Overview Details Instances

  8. 8 LIMITATIONS OF ANALYSIS REFERENCE MONITORS: OVERVIEW SOFAR, OURFOCUSHASBEENLARGELY ONDETECTINGUNDESIRABLEBEHAVIOR That s valuable! Ask developers to correct their own mistakes Empower users to forgo running bad software

  9. 9 LIMITATIONS OF ANALYSIS REFERENCE MONITORS: OVERVIEW DETECTIONMIGHTNOTBEENOUGH May be in a position where we can t run the analysis STATIC ANALYSIS False positives Scalability issues DYNAMIC ANALYSIS False negatives Run time issues

  10. 10 A HANDS-ON ALTERNATIVE REFERENCE MONITORS: OVERVIEW KEEPBADTHINGSFROMHAPPENINGDURING SYSTEMEXECUTION Requires some sort of specification for bad things Requires some sort of preventative capabilities

  11. 11 PREVENTATIVE CAPABILITIES REFERENCE MONITORS: OVERVIEW SIMPLEFORM Kill the program DATAFLOW FORM Sanitize the data

  12. 12 THE BIG IDEA REFERENCE MONITORS: OVERVIEW KEEPPROGRAMSONTHE STRAIGHTANDNARROW - Articulate a policy for allowed behavior - Keep a running record of security-relevant behavior - Prevent a violation of the policy

  13. 13 SAFETY POLICIES REFERENCE MONITORS: INSTANCES EXECUTIONOFAPROCESSASASEQUENCEOFSTATES Policy is a predicate on sequence prefix Policy depends only on the past of a particular execution once violated, never unviolates INCAPABLEOFHANDLINGLIVENESSPOLICIES If this server accepts a SYN, it will eventually send a response

  14. LECTURE OUTLINE Overview Details Instances

  15. 15 CONSIDER THE REACTIVE ADVERSARY REFERENCE MONITORS: OVERVIEW DEFINITION Reactive Adversary: An adversary with the capability to understand the defense mechanism and an opportunity to avoid it IFA DEFENSECANBEAVOIDEDIT HARDLYMATTERSWHATTHE ENFORCEMENTDOES Recall the history of the Maginot Line

  16. 16 SECURITY VS PRECISION REFERENCE MONITORS: OVERVIEW PROGRAM PROXIMITY Far Close Inline reference monitor External reference monitor

  17. 17 REFERENCE MONITOR DESIGN REFERENCE MONITORS: INSTANCES KERNELIZED WRAPPER INLINE

  18. 18 PROPERTIES WE CARE ABOUT REFERENCE MONITORS: INSTANCES MEMORY SAFETY e.g. Programs respect aggregate type sizes, process boundaries, code v data TYPE SAFETY e.g. Functions and intrinsic operations have arguments that adhere to the type system CONTROL FLOW SAFETY e.g. All control transfers are envisioned by the original program

  19. LECTURE OUTLINE Overview Details Instances

  20. 20 OS AS REFERENCE MONITOR REFERENCE MONITORS: INSTANCES COLLECTIONOFRUNNINGPROCESSESANDFILES Processes are associated with users Files have ACLs OS ENFORCESVARIOUSSAFETYPOLICIES - File access - Process space write Same policy for all processes of the same user

  21. 21 SOFTWARE FAULT ISOLATION (SFI) REFERENCE MONITORS: INSTANCES ISOLATEPROCESSFAULTSONSHAREDHARDWARE Each process is a logical fault domain Ensure all memory references and jump is within the process fault domain

  22. 22 INLINE REFERENCE MONITORS: SASI REFERENCE MONITORS: INSTANCES CORNELLPROJECTFORINLINEPOLICYENFORCEMENT Change the program to enforce any safety policy Express allowed behavior as an FSM Examples: - No division by zero - No network send after file read

  23. 23 SASI: COST REFERENCE MONITORS: INSTANCES ATTEMPTSTOMINIMIZETHENUMBEROFCHECKS Looking at every instruction is incredibly expensive Example: only need to check divide-by-zero before DIV instructions

  24. 24 CONTROL FLOW INTEGRITY: CFI REFERENCE MONITORS: INSTANCES ENSURETHEPROGRAMCONTROL FLOWISALLOWEDBYTHE CFG In a sense, the policy is the control-flow graph Why would we need to do this?

  25. WRAP-UP

Related


More Related Content

giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#