Side and Covert Channels: Attacks and Defenses
A tutorial at ISCA 2019, Saturday, June 22nd, Phoenix, AZ, USA
About The Tutorial:
With the rise of cloud computing and internet services, microarchitectural side and covert channel attacks have emerged as a central threat to computer systems. These attacks are based on the idea that two programs can communicate with each other, intentionally or unintentionally, through side-effects that are observable in microarchitectural structures such as caches or execution units (a covert channel when both ends cooperate, a side channel when a victim leaks without meaning to). Research has shown how attackers can use this capability to exfiltrate sensitive data ranging from cryptographic keys to outlines of images to the whole of an application's virtual memory (e.g., using Spectre/Meltdown attacks).
The goal of the tutorial is to bring together researchers from industry and academia who want to learn about the state-of-the-art in side channel attacks and (potentially) engage in related defensive/offensive research. The tutorial will include three main components:
Theory: Breadth-Depth Talks and Discussion
A series of talks by the organizers covering basic to advanced concepts in microarchitectural side/covert channel attacks and defenses.
Practice: Covert Channel "Hello World" Hands-on Hacking Session
The organizers will host a hands-on hacking session in which participants get access to working covert channel code, modify it, and see the effects of those changes on channel bandwidth, etc. So please bring a laptop!
"Hello world" is a notorious challenge for researchers new to side and covert channels. The goal of the hacking session is for participants to leave the tutorial with working code that they can build on in their research. We have tested this code and will provide AWS instances for the participants to see some covert-channel action in person.
Intel Research will give a keynote providing an industry perspective on the post-Spectre/Meltdown world.
Schedule and Slides:
- 09:00-09:45 AM: Introduction to side/covert channels [ slides ]
- 09:45-10:00 AM: Introduction to hacking session code base [ slides ]
- 10:00-11:00 AM: Hands-on hacking session
- 11:00-11:30 AM: Coffee break
- 11:30-12:30 PM: Keynote by Frank McKeen (Intel) + Discussion [ slides ]
- 12:30-02:00 PM: Lunch break
- 02:00-03:00 PM: Formal definitions & framework (slides will be posted on 6/24)
- 03:00-03:30 PM: Non-transient execution side/covert channels, Part 1 [ slides ]
- 03:30-04:00 PM: Coffee break
- 04:00-04:30 PM: Non-transient execution side/covert channels, Part 2 (see part 1)
- 04:30-05:30 PM: Speculative (transient) execution attacks [ slides ]
- 05:30 PM: Closing
- Potpourri (time permitting)
Intended Audience & Prerequisite Knowledge:
The tutorial is targeted at computer architects who want to learn about the state-of-the-art in side channel attacks and (potentially) engage in related defensive/offensive research. No prior background in security is needed. We will minimize the required knowledge of computer architecture to the extent possible to appeal to the broader FCRC community.
The breadth-depth talks will cover a range of material, including but not limited to the following:
Basics/Crash Course in microarchitectural side and covert channels
If the audience does not have a background in side/covert channel research, they should be able to attend only this module and walk away with a working knowledge of how basic side channel attacks work.
Assumptions and Formal Definitions
The audience will understand what assumptions and formal definitions underpin side channel attacks. We will also cover relevant architecture background that will be used in later modules.
Non-Speculative Side Channel Attacks
The audience will gain a state-of-the-art understanding of the attacker's toolkit, i.e., what they exploit at the algorithm level, which microarchitectural channels leak bits, and how signal post-processing techniques can amplify leakage.
Speculative (Transient) Covert Channel Attacks
The audience will understand from the basics to the state-of-the-art of speculative (transient) execution attacks, starting with Spectre/Meltdown/Foreshadow and generalizing to the different mechanisms needed to create an attack.
The audience will gain a state-of-the-art understanding of data-oblivious (constant-time) programming, the circuit programming abstraction, and cryptographic blinding. This is the toolkit developers and cryptographers use today to block side channels on commercially available machines.
The audience will learn about a sampling of hardware proposals from the architecture community for blocking side channels. The focus will be on holistic techniques that block broad classes of side channels with provable guarantees.
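The constant-time rules the software-defense module refers to are easiest to see side by side with the code they replace. The following is an added example written for this page, not code or slides from the tutorial: a comparison that exits on the first mismatch and a table lookup whose address depends on the index (both leak through branch and cache channels), next to data-oblivious versions that read every byte and select with masks. Function names (`leaky_memeq`, `ct_memeq`, `ct_select`, `ct_lookup`) and the sample S-box bytes are mine.

```c
#include <stdint.h>
#include <stddef.h>

/* LEAKY: stops at the first mismatch, so the iteration count and the
   branch history depend on how many leading bytes of `secret` match. */
int leaky_memeq(const uint8_t *secret, const uint8_t *guess, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (secret[i] != guess[i]) return 0;
    return 1;
}

/* CONSTANT TIME: every byte is read and OR-accumulated; no branch and
   no memory address depends on the data. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    /* (diff - 1) borrows only when diff == 0, setting bit 8 and above. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Branch-free select: returns a if cond == 1, b if cond == 0. Used to
   replace `cond ? a : b` on secret-dependent conditions. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = (uint32_t)0 - (cond & 1u);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* LEAKY: the cache line touched reveals idx (think S-box[key ^ plaintext]),
   which is exactly what Prime+Probe / Flush+Reload observes. */
uint8_t leaky_lookup(const uint8_t *table, size_t n, size_t idx) {
    (void)n;
    return table[idx];
}

/* DATA-OBLIVIOUS: touch every entry in order and keep the wanted one
   with a mask, so the access pattern is independent of idx. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++) {
        /* (i ^ idx) - 1 wraps to SIZE_MAX only when i == idx; take its top bit. */
        uint8_t eq = (uint8_t)((((i ^ idx) - 1) >> (sizeof(size_t) * 8 - 1)) & 1);
        uint8_t mask = (uint8_t)(0 - eq);        /* 0xFF when i == idx */
        out |= table[i] & mask;
    }
    return out;
}
```

The masks keep the source free of secret-dependent control flow, but that is a property of the source, not of the binary: an optimizing compiler may reintroduce a branch, so constant-time code is checked by reading the emitted assembly or with a statistical timing test, not by inspection alone.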
Hacking Session material
- Source Code Repo: https://github.com/yshalabi/covert-channel-tutorial
- This repo has source code for three covert-channel chat clients. Play around with the channels and tweak the code to get a feel for the construction and properties of the covert-channel protocols.
- This repo pulls three different covert-channel implementations:
- A synchronous flush+reload protocol (https://github.com/moehajj/Flush-Reload)
- A synchronous LLC prime+probe protocol (https://github.com/0x161e-swei/covert-channel-101)
- An asynchronous L1D prime+probe (https://github.com/yshalabi/covert-channel-toolkit)
- Docker Image: https://hub.docker.com/r/yshalabi/covert-channel-tutorial
- Server Login Info: https://docs.google.com/document/d/1hIdM6tTT_1VxsZZUDyXmYGM-OmG6kRbABx6pAYZJrc4/edit?usp=sharing
- The Mastik library, which we used as a backend to implement some of the channels: https://cs.adelaide.edu.au/~yval/Mastik/
- The dead drop implementation by Riccardo Paccagnella: https://github.com/ricpacca/deaddrop
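To show what the "hello world" of the hacking session boils down to, here is an added example of a synchronous Flush+Reload covert channel in C. It is written for this page and is not code from the tutorial repository or any of the projects linked above. The x86 timing primitive (clflush + rdtscp) is the one the flush+reload protocol relies on; the portable protocol layer under it (bit framing, median-based threshold calibration, and majority-vote decoding as a simple form of the post-processing the attack module mentions) is what one tweaks to trade bandwidth against error rate. The in-process loopback, the 64-byte `shared_line` standing in for a page shared between two processes, the constant names and the message "Hi" are all my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { BITS_PER_BYTE = 8, PER_BIT = 8 };   /* PER_BIT probes per bit slot (assumed) */

/* ---- timing primitive: x86 only (clflush + rdtscp) ---- */
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86_PROBE 1
/* Stands in for a page shared by sender and receiver (e.g. a common libc). */
static volatile uint8_t shared_line[64] __attribute__((aligned(64)));

/* Evict the line from every cache level; mfence keeps the flush from
   overlapping the next probe. */
static void flush_line(const volatile void *addr) { _mm_clflush((const void *)addr); _mm_mfence(); }

/* Cycles for one load: tens on a cache hit, hundreds on a miss to DRAM. */
static uint64_t probe_cycles(const volatile uint8_t *addr) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*addr;                                /* volatile: the load is performed */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#else
#define HAVE_X86_PROBE 0
#endif

/* ---- protocol layer (portable): framing, calibration, decoding ---- */

/* Bit convention: 1 = sender reloads the shared line during the slot, so the
   receiver's reload hits; 0 = sender leaves it flushed. MSB first. */
void encode_byte(uint8_t byte, uint8_t bits[BITS_PER_BYTE]) {
    for (int i = 0; i < BITS_PER_BYTE; i++) bits[i] = (byte >> (7 - i)) & 1;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

static uint64_t median_u64(const uint64_t *in, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp), m;
    memcpy(tmp, in, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Threshold halfway between the median hit and median miss latency;
   medians so that interrupt outliers do not drag it. */
uint64_t calibrate_threshold(const uint64_t *hits, size_t nh, const uint64_t *misses, size_t nm) {
    return (median_u64(hits, nh) + median_u64(misses, nm)) / 2;
}

/* Majority vote over the probes of one slot: the simplest post-processing
   against prefetcher and scheduling noise. */
int decode_bit(const uint64_t *samples, size_t n, uint64_t threshold) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += samples[i] < threshold;
    return 2 * hits > n;
}

/* samples holds BITS_PER_BYTE * per_bit latencies, slot after slot. */
uint8_t decode_byte(const uint64_t *samples, size_t per_bit, uint64_t threshold) {
    uint8_t byte = 0;
    for (int i = 0; i < BITS_PER_BYTE; i++)
        byte = (uint8_t)((byte << 1) | decode_bit(samples + i * per_bit, per_bit, threshold));
    return byte;
}

#if HAVE_X86_PROBE
/* Same-thread loopback: the "sender" touches or skips the line, the "receiver"
   flushes, reloads and times. A real channel runs the two as separate processes. */
uint8_t loopback_byte(uint8_t byte, uint64_t threshold) {
    uint8_t bits[BITS_PER_BYTE];
    uint64_t samples[BITS_PER_BYTE * PER_BIT];
    encode_byte(byte, bits);
    for (int i = 0; i < BITS_PER_BYTE; i++)
        for (int k = 0; k < PER_BIT; k++) {
            flush_line(shared_line);                               /* receiver: flush  */
            if (bits[i]) (void)shared_line[0];                     /* sender: reload   */
            samples[i * PER_BIT + k] = probe_cycles(shared_line);  /* receiver: reload */
        }
    return decode_byte(samples, PER_BIT, threshold);
}
#endif

int main(void) {
#if HAVE_X86_PROBE
    enum { N = 64 };
    uint64_t hits[N], misses[N];
    for (int i = 0; i < N; i++) {             /* calibrate on known hits and misses */
        (void)shared_line[0];
        hits[i] = probe_cycles(shared_line);
        flush_line(shared_line);
        misses[i] = probe_cycles(shared_line);
    }
    uint64_t thr = calibrate_threshold(hits, N, misses, N);
    printf("threshold = %llu cycles\n", (unsigned long long)thr);
    for (const char *p = "Hi"; *p; p++)       /* constructed message */
        printf("sent 0x%02x  received 0x%02x\n", (unsigned)*p, loopback_byte((uint8_t)*p, thr));
#else
    puts("timing primitive needs x86 (clflush/rdtscp); the protocol layer above is portable");
#endif
    return 0;
}
```

Build with `cc -O1 -o fr fr.c` on an x86 machine; on a noisy cloud instance the first knob to turn is PER_BIT, which is the bandwidth-versus-error trade-off the hacking session is about. Note that the loopback has no synchronization problem because both ends share a thread; a cross-process channel needs the sender and receiver to agree on slot timing, which is the difference between the synchronous and asynchronous protocols listed above.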
Organizers:
- Chris Fletcher (UIUC; http://cwfletcher.net/)
- Mohit Tiwari (UT Austin; https://users.ece.utexas.edu/~tiwari/)
- Mengjia Yan (UIUC/MIT; http://myan8.web.engr.illinois.edu/)
- Mohamad El Hajj (UIUC; https://github.com/moehajj)
- Shijia Wei (UT Austin; https://0x161e-swei.github.io/)
- Yasser Shalabi (UIUC; https://github.com/yshalabi)