Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
When Oblivious is Not: Attacks against OPAM
1
WOOT’20@USENIX-SECURITY
Nirjhar Roy (Indian Institute of Technology - Kanpur)Nikhil Bansal (Indian Institute of Technology - Kanpur)Gourav Takhar (Indian Institute of Technology - Kanpur)Nikhil Mittal (Fortanix Inc)Pramod Subramanyan (Indian Institute of Technology - Kanpur)
● Introduction
● Attacks on InvisiPage/OPAM
● Covert Channels using Reuse Distances and its evaluation
● Conclusion
Presentation Roadmap
2
Enclaves Demystified
Enclaves: hardware-supported environment for isolated execution with strong application-level security guarantees despite the presence of malicious/compromised privileged software
3
Introducing ORAMs
● Interface between a client and and an untrusted server
● Shuffles the data from time to time
● Hides access patterns and access frequencies
● Examples: Square root ORAM, Tree-based ORAMs including Path ORAM, Ring ORAM, etc.
4
[i]
D[[i]]
Read D
[i]
Client
OR
AM
Interface
iAccess Oblivious Client
Untrusted Server
ORAM Meets Demand Paging and EnclavesThreat Model
● The Host OS/apps are considered malicious trying to find out access pattern/access frequency/memory content of the pages being read or written
● The OS observes only a random set of pages ( encrypted) getting read/written after in step 3.
● The attacker can choose to tamper the pages but that will detected after step 6 in Runtime
● Attackers having physical access to the memory will also see cipher text 5
Enclave app
Runtime
ORAM Interface
OS
1
2
3
4
5
6
7
Trusted world inside the enclave (ORAM Client)
Untrusted world outside of enclave (ORAM Server)
Untrusted Memory
Our Contributions● Discovering vulnerability in InvisiPage ● Implementation of a demand paging system inside Keystone● Exploiting it to design new attacks:-
○ The reuse distance attacks○ The level tracking attack
● Designing a covert channel using Reuse Distances
6
Attacks on InvisiPage
7
Shaizeen Aga and Satish Narayanasamy. 2019. InvisiPage: oblivious demand paging for secure enclaves. In Proceedings of the 46th International Symposium on Computer Architecture (ISCA ’19).
Introduction to Invisipage/OPAM
8
100
692 250
468 D 88 605
Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3
468 → 0, … 88→ 2, 250→ 2, 100 → 2
Position mapUpdated Position map
ORAM Path Read
Metadata Tree Data Tree100
692 250
468 D 88 605
Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3
All
dec+
aut
h an
d ch
ecke
d
468 → 0, … 88→ 0, 250→ 2, 100 → 2
Dec + auth
Access (88, Fetch)
Introduction to Invisipage/OPAM
9
D
692 100
468 D 250 605
Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3
Updated Position map
ORAM Path Write/Shuffle
Metadata Tree Data TreeD
692 100
468 D 250 605
Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3
All
ecn
+ au
th a
nd s
ent
468 → 0, … 88→ 0, 250→ 2, 100 → 2
Access (88, Fetch)
Vulnerability in OPAM (Invisipage)● On every page fault or ORAM access exactly one page gets transferred.
● The adversary is able to observe which page got exchanged
● Transferred page is the page of interest and is definitely NOT a dummy page.
● Adversary can calculate number of intervening ORAM accesses
● This in fact leaks information and makes OPAM access not oblivious.10
● Reuse Distance:- # of faults between the time a page gets evicted and when the page is brought back to the enclave (i.e, reused).
● This sequence of reuse distances will be different for different types of memory accesses/applications.
● We use this fact to distinguish and predict/identify the secret applications running inside the enclave.
Introducing Reuse Distance Attack
11
Example of Reuse Distance Attack
● Enclave has 2 physical pages available and LRU is used.
● In Figure (a) every page is reused after 2 page faults and
● In Figure (b), the reuse distance of the root is 2 because the root node is accessed in every iteration and for non-root pages are multiples of 2 because non-root pages may or may not be accessed in successive iterations.
12
0 1 2 3
2 2 2 2
0 1 3 7
2k 2k 2k 2k
0 2 5 12
2k 2k 2k 2k...
Iteration 1 Iteration 2
Figure (b) Repeated Binary Tree TraversalFigure (a) Linear scan over an array
Attack MethodologyTraining
● Collect trace of reuse distances for many apps on many inputs
● Train CNN sequence classifier on these● Classes are the different applications
Testing
● Run app on a new input never seen before● Measure classification accuracy
13
Enclave app
Runtime
Invisipage Interface
OS
1
2
3 (ocalls)Access (88, Evict)
5
6
7
Trusted world inside the enclave (Invisipage Client)
Untrusted world outside of enclave (Invisipage Client)
4Record (88, evict) ocall
(ocalls) Access (88,Fetch)
Record (88, Read) ocall
.
.
.Records other faults
Methodology
● Execute with many (~100-200) inputs and collecte reuse distances traces● Data divided into training and test in 3:1 ratio and evaluation repeated 10 times● Reuse distance trace is used as the input feature● Random splits of the data into training and test datasets
Secret Application Classification Accuracy (OPAM)
14
Covert Channels Using Reuse Distances
15
Basic Idea● Reuse distance leakage of provides
a covert channel to leak secret information (e.g. an input genome data).
● Engineering the access patterns to cause a particular sequence of page faults and associated reuse distances
● Interpret the reuse distances to leak the bits 16
Enclave App(colluding)
Host OS(colluding)
Untrusted Memory
Message Passing
Page exchanges (paging)
Trace faults to receive bits
Reuse distance Covert Channel Model
Threat Model
● Standard enclave threat model corresponding to a software attacker
● Enclave RT and the hardware platform are trusted and we do not use microarchitectural side-channels and/or HW access to DRAM
● Enclave app colludes with host OS to leak sensitive input data
● Host OS is aware of the encoding used by the enclave application
17
Example of an Encoding With Reuse Distance
● Application wants to transmit a message 1001, n = 4 and k = 2
● Page replacement policy is FIFO and enclave has P = 4 pages
● To transmit a bit 1, reuse distance in range [8, 16) (Pages 1-8)
● To transmit a bit 0, reuse distance in the range [0, 8)(Pages 9-16)
● Generate reuse distance sequence (12, 5, 5, 14) corresponding to message 1001
18
A1
A2
A3
A4
A5
A6
A7
A8
A9
A10
A11
A12
A13
A14
A15
A16
A1
A9
A10
A2
E1
E2
E3
E4
E5
E6
E7
E8
E9
E10
E11
E12
E13
E14
E15
E16
RU = 12RU = 14
RU = 5
RU = 5
Bit Leakage Bandwidth Analysis
● We see a peak bandwidth with arity 4
● As we increase k, more data is transmitted with each page fault, but the number of page-faults required to setup the algorithm also increases and the overheads associated with increased number of initial page faults dominate and we see a steady decline in transmission bandwidth.
19
Conclusions● Introduction of a new side channel attack, The Reuse Distance attack, which
is able to infer confidential information about an enclave’s execution
● Introduction of a new covert channel using reuse distances
● Found and systematically exploited a vulnerability in state-of-the-art approach
to secure demand paging enclave (Invisipage/OPAM)
20
21
In Memory of Dr. Pramod Subramanyan
8th June 1984 - 8th July 2020
22
Thank you