TY - GEN
T1 - Eliminating cache-based timing attacks with instruction-based scheduling
AU - Stefan, Deian
AU - Buiras, Pablo
AU - Yang, Edward Z.
AU - Levy, Amit
AU - Terei, David
AU - Russo, Alejandro
AU - Mazières, David
PY - 2013
Y1 - 2013
N2 - Information flow control allows untrusted code to access sensitive and trustworthy information without leaking this information. However, the presence of covert channels subverts this security mechanism, allowing processes to communicate information in violation of IFC policies. In this paper, we show that concurrent deterministic IFC systems that use time-based scheduling are vulnerable to a cache-based internal timing channel. We demonstrate this vulnerability with a concrete attack on Hails, one particular IFC web framework. To eliminate this internal timing channel, we implement instruction-based scheduling, a new kind of scheduler that is indifferent to timing perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. To show the feasibility of instruction-based scheduling, we have implemented a version of Hails that uses the CPU retired-instruction counters available on commodity Intel and AMD hardware. We show that instruction-based scheduling does not impose significant performance penalties. Additionally, we formally prove that our modifications to Hails' underlying IFC system preserve non-interference in the presence of caches.
AB - Information flow control allows untrusted code to access sensitive and trustworthy information without leaking this information. However, the presence of covert channels subverts this security mechanism, allowing processes to communicate information in violation of IFC policies. In this paper, we show that concurrent deterministic IFC systems that use time-based scheduling are vulnerable to a cache-based internal timing channel. We demonstrate this vulnerability with a concrete attack on Hails, one particular IFC web framework. To eliminate this internal timing channel, we implement instruction-based scheduling, a new kind of scheduler that is indifferent to timing perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. To show the feasibility of instruction-based scheduling, we have implemented a version of Hails that uses the CPU retired-instruction counters available on commodity Intel and AMD hardware. We show that instruction-based scheduling does not impose significant performance penalties. Additionally, we formally prove that our modifications to Hails' underlying IFC system preserve non-interference in the presence of caches.
UR - http://www.scopus.com/inward/record.url?scp=84884784978&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84884784978&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-40203-6_40
DO - 10.1007/978-3-642-40203-6_40
M3 - Conference contribution
AN - SCOPUS:84884784978
SN - 9783642402029
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 718
EP - 735
BT - Computer Security, ESORICS 2013 - 18th European Symposium on Research in Computer Security, Proceedings
T2 - 18th European Symposium on Research in Computer Security, ESORICS 2013
Y2 - 9 September 2013 through 13 September 2013
ER -