Abstract
Computing system security is important for everyday functioning of
society, among other things. We say that computing systems should
preserve Confidentiality (your secrets stay secret) and Integrity (if
you store information, it should remain unchanged). Another fundamental
security property is Availability (the systems you rely on should always
be available for you to do work on your behalf), but this thesis doesn't
consider this aspect.
It is common that people and organizations share computing resources with
other people and organizations, ones that are not necessarily trusted. One
example of that is cloud computing - a scenario where a single computer
is used by many tenants at the same time. Tenants are isolated logically
from each other by presenting each with a Virtual Machine (VM). It’s
virtual because you can pretend it’s a real machine. But can you really?
It is a previously established fact that sharing computing resources
concurrently can have unexpected side effects. In normal usage these
effects are typically not noticed. Everything keeps working as if you
are the only user, as computer hardware is extremely well verified to
maintain semantic correctness, no matter what the usage patterns and no
matter how many different users there are. However, subtle differences
in how shared resources behave, which depend on what the other tenant
is doing, can be observed even when each tenant is presented with
exclusive access. This is known as a side channel.
The most popular example of this is the CPU cache. The cache is typically
shared between all tenants on a computer system (or, in the case of
multi-socket systems, those on the same CPU package, which is still a
large fraction of the users on the same computer system). This phenomenon
can be exploited by a spying tenant by exercising corner cases in how such
a resource is normally used, in a way that can lead to stealing secrets
from another tenant. This is called a side channel attack. This thesis
builds on research in this field and explores generalization in several
different dimensions. This thesis finds that the classic way to exploit
shared resources, the CPU cache, also applies to other resources.
We show successful, practical cryptographic key recovery from a single
signal capture, even between Virtual Machines. We also show that,
even if software is written to be very quiet in its footprint, the CPU
can still touch items in the CPU Cache on the applications’ behalf,
necessary for it to work, that betray some secrets.
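As an added example (not code from the thesis) of what it means for software to be "quiet in its footprint" in the CPU cache: a secret-indexed table lookup beside a constant-time version that reads every entry and selects the wanted one with masks, so the set of cache lines touched does not depend on the index. The table and its contents are constructed here; as the abstract notes, the CPU can still touch cache lines on the program's behalf, so this only removes the software's own data-dependent access pattern.

```c
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 256   /* constructed 256-entry lookup table, as in a byte S-box */

/* Secret-indexed lookup: which cache line gets loaded depends on idx, so a
 * co-tenant observing the shared cache can learn something about idx. */
static uint8_t lookup_naive(const uint8_t *table, uint8_t idx)
{
    return table[idx];
}

/* Branch-free equality mask: 0xFF when a == b, 0x00 otherwise. */
static uint8_t ct_eq_mask(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;              /* zero iff a == b */
    x = (x | (0u - x)) >> 31;        /* 1 iff x != 0 */
    return (uint8_t)(x - 1u);        /* 0 -> 0xFF (equal), 1 -> 0x00 */
}

/* Constant-time lookup: every entry is read and the wanted one is selected
 * with masks, so the sequence of cache lines touched is the same for every
 * idx. (A compiler may still rewrite this; inspect the emitted code.) */
static uint8_t lookup_ct(const uint8_t *table, uint8_t idx)
{
    uint8_t result = 0;
    for (size_t i = 0; i < TABLE_LEN; i++)
        result |= table[i] & ct_eq_mask((uint32_t)i, idx);
    return result;
}

/* Fills a constructed sample table: i*167+13 mod 256 is a permutation. */
static void build_table(uint8_t *table)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        table[i] = (uint8_t)((i * 167u + 13u) & 0xFFu);
}

/* Returns how many indices the two lookups disagree on (expected: 0). */
int count_mismatches(void)
{
    uint8_t table[TABLE_LEN];
    int mismatches = 0;
    build_table(table);
    for (unsigned i = 0; i < TABLE_LEN; i++)
        if (lookup_naive(table, (uint8_t)i) != lookup_ct(table, (uint8_t)i))
            mismatches++;
    return mismatches;
}
```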
All Confidentiality violations are broadly similar to each other in
effect - when Confidentiality is violated, secrets are lost. Serious as
this can be, we also find realistic examples of Integrity violations,
and find that the repercussions are more complex and unpredictable,
and not easy to summarize in a single category. We show that by violating
Integrity, we can undermine the security of a system in two very different
ways. One allows us to break in, the other allows us to bypass software
update verification and get our own, malicious, software installed
when a user upgrades software packages. There are many more possible
examples of how undermining the security of a system can happen, just
as invisibly as when secrets are stolen, when Integrity is violated.
We finally show a generalization in method. We allow an arbitrary
software target under analysis to be coupled with an arbitrary CPU
that has specific exploitable shared resources, and let side channel
analysis happen automatically, by using black-box analysis and
machine learning.
| Original language | English |
|---|---|
| Qualification | PhD |
| Awarding Institution | |
| Supervisors/Advisors | |
| Award date | 3 Jun 2022 |
| Place of Publication | s.l. |
| Publisher | |
| Print ISBNs | 9789464194890 |
| Publication status | Published - 3 Jun 2022 |
Keywords
- cpu, microarchitecture, side channels, rowhammer, security