Understanding Side Channels in Software Security

Slide Note
Embed
Share

This content delves into the topic of side channels in software security, focusing on the leakage of sensitive information through timing side channels. It discusses the concept of covert channels, reference monitors, limitations of analysis, and prevention strategies to mitigate the risks associated with side-channel attacks.

zeppelin
zeppelin Follow

Uploaded on Aug 14, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. EXERCISE #15 SIDE CHANNEL REVIEW Write your name and answer the following on a piece of paper Provide an instance of a function with a sensitive argument v and leaks a bit of v via a timing side channel 1

  2. Paper review due Sunday at 11:59 PM ADMINISTRIVIA AND ANNOUNCEMENTS

  3. 3 CLASS PROGRESS SHOWING SOME APPLICATIONS OF STATIC DATAFLOW DESCRIBED A PARTICULAR TYPE OF EVASION AGAINST EXPLICIT DATAFLOW: SIDE CHANNELS BEGAN TO CONSIDER WHAT WE COULD DO ABOUT IT

  4. 4 LAST TIME: SIDE CHANNELS REVIEW: LAST LECTURE UNDETECTABLEVIA (TYPICAL) STATICDATAFLOW General side-channel: using a predictable phenomenon outside of the semantics of the program Covert channel: special instance of a side channel that is used intentionally by the program

  5. REFERENCE MONITORS EECS 677: Software Security Evaluation Drew Davidson

  6. 6 OVERVIEW PREVENTING BAD STUFF FROM HAPPENING IN A PROGRAM

  7. LECTURE OUTLINE Overview Details Instances

  8. 8 LIMITATIONS OF ANALYSIS REFERENCE MONITORS: OVERVIEW SOFAR, OURFOCUSHASBEENLARGELY ONDETECTINGUNDESIRABLEBEHAVIOR That s valuable! Ask developers to correct their own mistakes Empower users to forgo running bad software

  9. 9 LIMITATIONS OF ANALYSIS REFERENCE MONITORS: OVERVIEW DETECTIONMIGHTNOTBEENOUGH May be in a position where we can t run the analysis STATIC ANALYSIS False positives Scalability issues DYNAMIC ANALYSIS False negatives Run time issues

  10. 10 A HANDS-ON ALTERNATIVE REFERENCE MONITORS: OVERVIEW KEEPBADTHINGSFROMHAPPENINGDURING SYSTEMEXECUTION Requires some sort of specification for bad things Requires some sort of preventative capabilities

  11. 11 PREVENTATIVE CAPABILITIES REFERENCE MONITORS: OVERVIEW SIMPLEFORM Kill the program DATAFLOW FORM Sanitize the data

  12. 12 THE BIG IDEA REFERENCE MONITORS: OVERVIEW KEEPPROGRAMSONTHE STRAIGHTANDNARROW - Articulate a policy for allowed behavior - Keep a running record of security-relevant behavior - Prevent a violation of the policy

  13. 13 SAFETY POLICIES REFERENCE MONITORS: INSTANCES EXECUTIONOFAPROCESSASASEQUENCEOFSTATES Policy is a predicate on sequence prefix Policy depends only on the past of a particular execution once violated, never unviolates INCAPABLEOFHANDLINGLIVENESSPOLICIES If this server accepts a SYN, it will eventually send a response

  14. LECTURE OUTLINE Overview Details Instances

  15. 15 CONSIDER THE REACTIVE ADVERSARY REFERENCE MONITORS: OVERVIEW DEFINITION Reactive Adversary: An adversary with the capability to understand the defense mechanism and an opportunity to avoid it IFA DEFENSECANBEAVOIDEDIT HARDLYMATTERSWHATTHE ENFORCEMENTDOES Recall the history of the Maginot Line

  16. 16 SECURITY VS PRECISION REFERENCE MONITORS: OVERVIEW PROGRAM PROXIMITY Far Close Inline reference monitor External reference monitor

  17. 17 REFERENCE MONITOR DESIGN REFERENCE MONITORS: INSTANCES KERNELIZED WRAPPER INLINE

  18. 18 PROPERTIES WE CARE ABOUT REFERENCE MONITORS: INSTANCES MEMORY SAFETY e.g. Programs respect aggregate type sizes, process boundaries, code v data TYPE SAFETY e.g. Functions and intrinsic operations have arguments that adhere to the type system CONTROL FLOW SAFETY e.g. All control transfers are envisioned by the original program

  19. LECTURE OUTLINE Overview Details Instances

  20. 20 OS AS REFERENCE MONITOR REFERENCE MONITORS: INSTANCES COLLECTIONOFRUNNINGPROCESSESANDFILES Processes are associated with users Files have ACLs OS ENFORCESVARIOUSSAFETYPOLICIES - File access - Process space write Same policy for all processes of the same user

  21. 21 SOFTWARE FAULT ISOLATION (SFI) REFERENCE MONITORS: INSTANCES ISOLATEPROCESSFAULTSONSHAREDHARDWARE Each process is a logical fault domain Ensure all memory references and jump is within the process fault domain

  22. 22 INLINE REFERENCE MONITORS: SASI REFERENCE MONITORS: INSTANCES CORNELLPROJECTFORINLINEPOLICYENFORCEMENT Change the program to enforce any safety policy Express allowed behavior as an FSM Examples: - No division by zero - No network send after file read

  23. 23 SASI: COST REFERENCE MONITORS: INSTANCES ATTEMPTSTOMINIMIZETHENUMBEROFCHECKS Looking at every instruction is incredibly expensive Example: only need to check divide-by-zero before DIV instructions

  24. 24 CONTROL FLOW INTEGRITY: CFI REFERENCE MONITORS: INSTANCES ENSURETHEPROGRAMCONTROL FLOWISALLOWEDBYTHE CFG In a sense, the policy is the control-flow graph Why would we need to do this?

  25. WRAP-UP

Related


Enhancing Secondary Channel Usage in IEEE 802.11 Standards

Enhancing Secondary Channel Usage in IEEE 802.11 Standards

brantley
Understanding Software Processes and Models

Understanding Software Processes and Models

fatima
IEEE 802.11-20/0479r0 240 MHz Channelization Options

IEEE 802.11-20/0479r0 240 MHz Channelization Options

egan
Understanding Information Flow in Software Security

Understanding Information Flow in Software Security

lolarose
Understanding Software Measurement and Metrics in Software Engineering

Understanding Software Measurement and Metrics in Software Engineering

asmodeus
Software Cost Estimation in Software Engineering

Software Cost Estimation in Software Engineering

aislinn
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Understanding Software Engineering: Concepts and Characteristics

Understanding Software Engineering: Concepts and Characteristics

elle
Understanding Distribution Channels in Marketing Management

Understanding Distribution Channels in Marketing Management

susanna
ATST Safety Review High-Level Software Overview

ATST Safety Review High-Level Software Overview

keelan
Understanding Payment Channels in Cryptocurrency Networks

Understanding Payment Channels in Cryptocurrency Networks

hajra
Understanding Hydraulics II: Simulation and Analysis in Open Channels

Understanding Hydraulics II: Simulation and Analysis in Open Channels

ari
Understanding Telecommunications Transmission Systems

Understanding Telecommunications Transmission Systems

nira
Understanding International Distribution Channels

Understanding International Distribution Channels

kismet
Understanding LXI Network Security in Industrial Environments

Understanding LXI Network Security in Industrial Environments

renae
Sales Leadership Management

Sales Leadership Management

alijah
Software Security Principles and Practices: Enhancing Program Code Security

Software Security Principles and Practices: Enhancing Program Code Security

abcde
Evolving Security Practices in DevOps: A Holistic Approach

Evolving Security Practices in DevOps: A Holistic Approach

madisyn
Understanding Software: Types and Classifications

Understanding Software: Types and Classifications

stiorra
Aircraft Software Management and Control

Aircraft Software Management and Control

sirius
Understanding Software Processes and Models

Understanding Software Processes and Models

azari
Understanding Software Requirements and Design Principles

Understanding Software Requirements and Design Principles

laurel
Understanding Requirements Analysis in Software Engineering

Understanding Requirements Analysis in Software Engineering

legacy

More Related Content

Understanding Computer Software and Operating Systems
Understanding Computer Software and Operating Systems
Understanding Triangle Inequalities and Angle-Side Relationships
Understanding Triangle Inequalities and Angle-Side Relationships
Advanced Data Logging Software for Efficient Record Generation
Advanced Data Logging Software for Efficient Record Generation
Stata-Python Rosetta Stone: Side-by-side Code Examples v1.0
Stata-Python Rosetta Stone: Side-by-side Code Examples v1.0
Software Security Evaluation: Points to Analysis Review
Software Security Evaluation: Points to Analysis Review
EMT Just-In-Time Training Modules for Health Emergencies: COVID-19 Team Security Program
EMT Just-In-Time Training Modules for Health Emergencies: COVID-19 Team Security Program
Understanding Computer Security and Software Vulnerabilities
Understanding Computer Security and Software Vulnerabilities
Developing and Enforcing Cyber Security Policy as Code in a Software Factory
Developing and Enforcing Cyber Security Policy as Code in a Software Factory
Enhance Software Security with SAMM 2.0 Dashboard
Enhance Software Security with SAMM 2.0 Dashboard
Understanding Security Management in an ICT Environment
Understanding Security Management in an ICT Environment
International Approaches to Enhance Nuclear Safety and Security
International Approaches to Enhance Nuclear Safety and Security
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Cyber Security and Risks
Understanding Cyber Security and Risks
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
Understanding Utility Software in IT Systems
Understanding Utility Software in IT Systems
Understanding Software Testing: Test Cases, Selection, and Execution
Understanding Software Testing: Test Cases, Selection, and Execution
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Certification and Training in Information Security
Certification and Training in Information Security
Overview of Social Security and Health Care System in Turkey
Overview of Social Security and Health Care System in Turkey