Chinese Journal of Network and Information Security ›› 2022, Vol. 8 ›› Issue (2): 100-111. doi: 10.11959/j.issn.2096-109x.2022014
Deqing ZOU1,2,3,4, Pan ZHANG1,2,3,4, Wei LIU5, Weijie CHEN1,2,3,4, Yifan LU1,2,3,4
Revised: 2021-11-22
Online: 2022-04-15
Published: 2022-04-01
About the author:
Deqing ZOU (1975− ), male, born in Changsha, Hunan, Ph.D., professor and doctoral supervisor at Huazhong University of Science and Technology. His main research interests are virtualization security and cloud security, network attack and defense and vulnerability detection, big data security, and fault-tolerant computing.
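Abstract:
Code that contains side-channel vulnerabilities exhibits input-dependent non-functional behavior when the program executes. Attackers can observe this behavior with microarchitectural side-channel attacks and, by analyzing the patterns that relate the behavior to the input, recover application data and steal users' confidential data. Software-level patching of side-channel vulnerabilities imposes low performance overhead on the program and, because it requires no changes to the hardware or the system, allows fast patching and large-scale deployment; it has become the mainstream strategy adopted by cryptographic algorithm implementations. Existing patching schemes are tightly bound to the concrete implementation of the program and require manual intervention, which makes them hard to implement and not general. To address these problems, a universal patching method for side-channel vulnerabilities is proposed that combines dynamic obfuscation with the atomic-transaction feature of the hardware. The method inserts dynamically obfuscated memory accesses into the vulnerable code to hide the real memory access addresses, and encapsulates the vulnerable code and the obfuscating accesses in a hardware atomic transaction. This guarantees that the encapsulated code executes continuously at run time without being interrupted, and prevents an attacker from using fine-grained side-channel attacks to distinguish the real memory accesses from the obfuscating ones. A prototype system, SC-Patcher, was implemented on the LLVM compiler; it introduces several designs, including secure springboards and atomic-transaction aggregation, that improve the security and practicality of the method. Security and performance tests show that programs patched with the proposed method resist side-channel attacks effectively with almost no additional performance overhead, and prevent attackers from recovering valid confidential data from the vulnerable sites.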
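The idea in the abstract, as a simplified sketch added here (it is not SC-Patcher's code and is not taken from the paper): a secret-indexed table lookup next to a patched form that adds decoy reads and, when the build enables Intel RTM, runs the real and decoy reads inside one hardware transaction. The table contents, the 64-byte line size, the rotated decoy order, the retry count and the non-atomic fallback are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__RTM__)
#include <immintrin.h>    /* _xbegin/_xend, only when built with RTM support */
#endif

#define LINE 64u          /* assumed cache-line size in bytes */
#define TABLE_SIZE 256u
#define LINES (TABLE_SIZE / LINE)
static uint8_t table[TABLE_SIZE] __attribute__((aligned(64)));

/* Constructed sample table, not data from the paper. */
void init_table(void) {
    for (unsigned i = 0; i < TABLE_SIZE; i++) table[i] = (uint8_t)(i * 7u + 3u);
}

/* Leaky form: the only cache line touched is line secret / LINE. */
uint8_t lookup_leaky(uint8_t secret) { return table[secret]; }

/* Decoy reads of every line (start rotated per call), then the real read.
   *touched receives one bit per cache line accessed. */
static uint8_t access_with_decoys(uint8_t secret, unsigned seed, unsigned *touched) {
    volatile const uint8_t *t = table;   /* volatile keeps the decoy reads */
    uint8_t sink = 0;
    *touched = 0;
    for (unsigned k = 0; k < LINES; k++) {
        unsigned line = (seed + k) % LINES;
        sink ^= t[line * LINE];
        *touched |= 1u << line;
    }
    (void)sink;
    *touched |= 1u << (secret / LINE);
    return t[secret];
}

uint8_t lookup_patched(uint8_t secret, unsigned seed, unsigned *touched) {
#if defined(__RTM__)
    for (int tries = 0; tries < 8; tries++) {
        if (_xbegin() == _XBEGIN_STARTED) {   /* real + decoy reads, uninterrupted */
            uint8_t r = access_with_decoys(secret, seed, touched);
            _xend();
            return r;
        }
    }
#endif
    /* Assumed fallback: same reads without atomicity, so their order is observable. */
    return access_with_decoys(secret, seed, touched);
}

int main(void) {
    unsigned m; init_table();
    printf("%u %#x\n", lookup_patched(200, 5, &m), m);
    return 0;
}
```

In the patched form the set of lines touched is the same for every secret; the transaction is what keeps an observer from interrupting between the decoy reads and the real one.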
Deqing ZOU, Pan ZHANG, Wei LIU, Weijie CHEN, Yifan LU. Universal patching method for side-channel vulnerabilities based on atomic obfuscation[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 100-111.