TY - GEN
T1 - A library for removing cache-based attacks in concurrent information flow systems
AU - Buiras, Pablo
AU - Levy, Amit
AU - Stefan, Deian
AU - Russo, Alejandro
AU - Mazières, David
N1 - Funding Information:
We would like to thank Josef Svenningsson and our colleagues in the ProSec and Functional Programming group at Chalmers for useful comments. This work was supported by the Swedish research agency VR, STINT, the Barbro Osher foundation, DARPA CRASH under contract #N66001-10-2-4088, and multiple gifts from Google. Deian Stefan is supported by the DoD through the NDSEG Fellowship Program.
PY - 2014
Y1 - 2014
N2 - Information-flow control (IFC) is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit some covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches (e.g., the CPU cache), LIO is susceptible to attacks that leak information through the internal timing covert channel. We present a resumption-based approach to address such attacks. Resumptions provide fine-grained control over the interleaving of thread computations at the library level. Specifically, we remove cache-based attacks by enforcing that every thread yield after executing an "instruction," i.e., atomic action. Importantly, our library allows for porting the full LIO library - our resumption approach handles local state and exceptions, both features present in LIO. To compensate for the performance degradation due to library-level thread scheduling, we provide two novel primitives. First, we supply a primitive for securely executing pure code in parallel. Second, we provide developers a primitive for controlling the granularity of "instructions"; this allows developers to adjust the frequency of context switching to suit application demands.
AB - Information-flow control (IFC) is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit some covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches (e.g., the CPU cache), LIO is susceptible to attacks that leak information through the internal timing covert channel. We present a resumption-based approach to address such attacks. Resumptions provide fine-grained control over the interleaving of thread computations at the library level. Specifically, we remove cache-based attacks by enforcing that every thread yield after executing an "instruction," i.e., atomic action. Importantly, our library allows for porting the full LIO library - our resumption approach handles local state and exceptions, both features present in LIO. To compensate for the performance degradation due to library-level thread scheduling, we provide two novel primitives. First, we supply a primitive for securely executing pure code in parallel. Second, we provide developers a primitive for controlling the granularity of "instructions"; this allows developers to adjust the frequency of context switching to suit application demands.
UR - http://www.scopus.com/inward/record.url?scp=84901360505&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84901360505&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-05119-2_12
DO - 10.1007/978-3-319-05119-2_12
M3 - Conference contribution
AN - SCOPUS:84901360505
SN - 9783319051185
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 199
EP - 216
BT - Trustworthy Global Computing - 8th International Symposium, TGC 2013, Revised Selected Papers
PB - Springer Verlag
T2 - 8th International Symposium on Trustworthy Global Computing, TGC 2013
Y2 - 30 August 2013 through 31 August 2013
ER -