When Oblivious is Not: Attacks against OPAM

1

WOOT’20@USENIX-SECURITY

Nirjhar Roy (Indian Institute of Technology - Kanpur)Nikhil Bansal (Indian Institute of Technology - Kanpur)Gourav Takhar (Indian Institute of Technology - Kanpur)Nikhil Mittal (Fortanix Inc)Pramod Subramanyan (Indian Institute of Technology - Kanpur)

● Introduction

● Attacks on InvisiPage/OPAM

● Covert Channels using Reuse Distances and its evaluation

● Conclusion

Presentation Roadmap

2

Enclaves Demystified

Enclaves: hardware-supported environment for isolated execution with strong application-level security guarantees despite the presence of malicious/compromised privileged software

3

Introducing ORAMs

● Interface between a client and and an untrusted server

● Shuffles the data from time to time

● Hides access patterns and access frequencies

● Examples: Square root ORAM, Tree-based ORAMs including Path ORAM, Ring ORAM, etc.

4

[i]

D[[i]]

Read D

[i]

Client

OR

AM

Interface

iAccess Oblivious Client

Untrusted Server

ORAM Meets Demand Paging and EnclavesThreat Model

● The Host OS/apps are considered malicious trying to find out access pattern/access frequency/memory content of the pages being read or written

● The OS observes only a random set of pages ( encrypted) getting read/written after in step 3.

● The attacker can choose to tamper the pages but that will detected after step 6 in Runtime

● Attackers having physical access to the memory will also see cipher text 5

Enclave app

Runtime

ORAM Interface

OS

1

2

3

4

5

6

7

Trusted world inside the enclave (ORAM Client)

Untrusted world outside of enclave (ORAM Server)

Untrusted Memory

Our Contributions● Discovering vulnerability in InvisiPage ● Implementation of a demand paging system inside Keystone● Exploiting it to design new attacks:-

○ The reuse distance attacks○ The level tracking attack

● Designing a covert channel using Reuse Distances

6

Attacks on InvisiPage

7

Shaizeen Aga and Satish Narayanasamy. 2019. InvisiPage: oblivious demand paging for secure enclaves. In Proceedings of the 46th International Symposium on Computer Architecture (ISCA ’19).

Introduction to Invisipage/OPAM

8

100

692 250

468 D 88 605

Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3

468 → 0, … 88→ 2, 250→ 2, 100 → 2

Position mapUpdated Position map

ORAM Path Read

Metadata Tree Data Tree100

692 250

468 D 88 605

Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3

All

dec+

aut

h an

d ch

ecke

d

468 → 0, … 88→ 0, 250→ 2, 100 → 2

Dec + auth

Access (88, Fetch)

Introduction to Invisipage/OPAM

9

D

692 100

468 D 250 605

Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3

Updated Position map

ORAM Path Write/Shuffle

Metadata Tree Data TreeD

692 100

468 D 250 605

Leaf = 0 Leaf = 1 Leaf = 2 Leaf = 3

All

ecn

+ au

th a

nd s

ent

468 → 0, … 88→ 0, 250→ 2, 100 → 2

Access (88, Fetch)

Vulnerability in OPAM (Invisipage)● On every page fault or ORAM access exactly one page gets transferred.

● The adversary is able to observe which page got exchanged

● Transferred page is the page of interest and is definitely NOT a dummy page.

● Adversary can calculate number of intervening ORAM accesses

● This in fact leaks information and makes OPAM access not oblivious.10

● Reuse Distance:- # of faults between the time a page gets evicted and when the page is brought back to the enclave (i.e, reused).

● This sequence of reuse distances will be different for different types of memory accesses/applications.

● We use this fact to distinguish and predict/identify the secret applications running inside the enclave.

Introducing Reuse Distance Attack

11

Example of Reuse Distance Attack

● Enclave has 2 physical pages available and LRU is used.

● In Figure (a) every page is reused after 2 page faults and

● In Figure (b), the reuse distance of the root is 2 because the root node is accessed in every iteration and for non-root pages are multiples of 2 because non-root pages may or may not be accessed in successive iterations.

12

0 1 2 3

2 2 2 2

0 1 3 7

2k 2k 2k 2k

0 2 5 12

2k 2k 2k 2k...

Iteration 1 Iteration 2

Figure (b) Repeated Binary Tree TraversalFigure (a) Linear scan over an array

Attack MethodologyTraining

● Collect trace of reuse distances for many apps on many inputs

● Train CNN sequence classifier on these● Classes are the different applications

Testing

● Run app on a new input never seen before● Measure classification accuracy

13

Enclave app

Runtime

Invisipage Interface

OS

1

2

3 (ocalls)Access (88, Evict)

5

6

7

Trusted world inside the enclave (Invisipage Client)

Untrusted world outside of enclave (Invisipage Client)

4Record (88, evict) ocall

(ocalls) Access (88,Fetch)

Record (88, Read) ocall

.

.

.Records other faults

Methodology

● Execute with many (~100-200) inputs and collecte reuse distances traces● Data divided into training and test in 3:1 ratio and evaluation repeated 10 times● Reuse distance trace is used as the input feature● Random splits of the data into training and test datasets

Secret Application Classification Accuracy (OPAM)

14

Covert Channels Using Reuse Distances

15

Basic Idea● Reuse distance leakage of provides

a covert channel to leak secret information (e.g. an input genome data).

● Engineering the access patterns to cause a particular sequence of page faults and associated reuse distances

● Interpret the reuse distances to leak the bits 16

Enclave App(colluding)

Host OS(colluding)

Untrusted Memory

Message Passing

Page exchanges (paging)

Trace faults to receive bits

Reuse distance Covert Channel Model

Threat Model

● Standard enclave threat model corresponding to a software attacker

● Enclave RT and the hardware platform are trusted and we do not use microarchitectural side-channels and/or HW access to DRAM

● Enclave app colludes with host OS to leak sensitive input data

● Host OS is aware of the encoding used by the enclave application

17

Example of an Encoding With Reuse Distance

● Application wants to transmit a message 1001, n = 4 and k = 2

● Page replacement policy is FIFO and enclave has P = 4 pages

● To transmit a bit 1, reuse distance in range [8, 16) (Pages 1-8)

● To transmit a bit 0, reuse distance in the range [0, 8)(Pages 9-16)

● Generate reuse distance sequence (12, 5, 5, 14) corresponding to message 1001

18

A1

A2

A3

A4

A5

A6

A7

A8

A9

A10

A11

A12

A13

A14

A15

A16

A1

A9

A10

A2

E1

E2

E3

E4

E5

E6

E7

E8

E9

E10

E11

E12

E13

E14

E15

E16

RU = 12RU = 14

RU = 5

RU = 5

Bit Leakage Bandwidth Analysis

● We see a peak bandwidth with arity 4

● As we increase k, more data is transmitted with each page fault, but the number of page-faults required to setup the algorithm also increases and the overheads associated with increased number of initial page faults dominate and we see a steady decline in transmission bandwidth.

19

Conclusions● Introduction of a new side channel attack, The Reuse Distance attack, which

is able to infer confidential information about an enclave’s execution

● Introduction of a new covert channel using reuse distances

● Found and systematically exploited a vulnerability in state-of-the-art approach

to secure demand paging enclave (Invisipage/OPAM)

20

21

In Memory of Dr. Pramod Subramanyan

8th June 1984 - 8th July 2020

22

Thank you