KIPS Transactions on Computer and Communication Systems (정보처리학회논문지:컴퓨터 및 통신 시스템)

Korea Information Processing Society (한국정보처리학회)
권호 표지
DOI QR코드

DOI QR Code

JMP+RAND: Mitigating Memory Sharing-Based Side-Channel Attack by Embedding Random Values in Binaries

JMP+RAND: 바이너리 난수 삽입을 통한 메모리 공유 기반 부채널 공격 방어 기법

  • 김태훈 (광운대학교 컴퓨터정보공학부) ;
  • 신영주 (광운대학교 컴퓨터정보공학부)
  • Received : 2019.12.20
  • Accepted : 2020.02.18
  • Published : 2020.05.31
Download PDF
⟨ Previous Next ⟩

Abstract

Since computer became available, much effort has been made to achieve information security. Even though memory protection defense mechanisms were studied the most among of them, the problems of existing memory protection defense mechanisms were found due to improved performance of computer and new defense mechanisms were needed due to the advent of the side-channel attacks. In this paper, we propose JMP+RAND that embedding random values of 5 to 8 bytes per page to defend against memory sharing based side-channel attacks and bridging the gap of existing memory protection defense mechanism. Unlike the defense mechanism of the existing side-channel attacks, JMP+RAND uses static binary rewriting and continuous jmp instruction and random values to defend against the side-channel attacks in advance. We numerically calculated the time it takes for a memory sharing-based side-channel attack to binary adopted JMP+RAND technique and verified that the attacks are impossible in a realistic time. Modern architectures have very low overhead for JMP+RAND because of the very fast and accurate branching of jmp instruction using branch prediction. Since random value can be embedded only in specific programs using JMP+RAND, it is expected to be highly efficient when used with memory deduplication technique, especially in a cloud computing environment.

컴퓨터가 보급된 이래로 정보보안을 달성하기 위해 많은 노력이 이루어졌다. 그중 메모리 보호 기법에 대한 연구가 가장 많이 이루어졌지만, 컴퓨터의 성능 향상으로 기존 메모리 보호 기법의 문제들이 발견되었고 부채널 공격의 등장으로 새로운 방어기법이 필요하게 되었다. 본 논문에서는 JMP+RAND 기법을 이용해 페이지(Page)마다 5-8byte의 난수를 삽입하여 메모리 공유 기반 부채널 공격을 방어하고 기존 메모리 보호 기법도 보완하는 방법을 제안한다. 기존 부채널 공격들의 방어기법과 달리 JMP+RAND 기법은 정적 바이너리 재작성 기법(Static binary rewriting)과 연속된 jmp 명령어, 난수 값을 이용해 사전에 부채널 공격을 방어한다. 우리는 메모리 공유 기반 부채널 공격이 JMP+RAND 기법이 적용된 바이너리를 공격하는 데 걸리는 시간을 정량적으로 계산하였고 현실적인 시간 내에 공격할 수 없다는 것을 보여주었다. 최근 아키텍처는 분기 예측(Branch prediction)을 이용해 jmp 명령어의 분기처리가 매우 빠르고 정확하므로 JMP+RAND 기법의 오버헤드가 매우 낮다. 특히 특정 프로그램에만 난수 삽입이 가능하므로 클라우드 컴퓨팅 환경에서 메모리 중복제거 기능과 함께 사용하면 높은 효율성을 보일 수 있을 것으로 기대한다.

Keywords

References

  1. Kernel Address Space Layout Randomization [Online], https://lwn.net/Articles/569635/
  2. Yarom Yuval, and Katrina E. Falkner, Flush+ Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack. USENIX Security, 2014.
  3. D. Gruss, C. Maurice, K. Wagner, and S. Mangard, "Flush+ Flush: A Fast and Stealthy Cache Attack," in DIMVA, 2016.
  4. D. Gruss, D. Bidner, and S. Mangard, "Practical Memory Deduplication Attacks in Sandboxed Javascript," In: Pernul G., Y A Ryan P., Weippl E. (eds) Computer Security ESORICS 2015.
  5. Kyniyasu Suzaki, Kengo lijima, Toshiki Yagi, and Cyrille Artho. Memory Deduplication as a Threat to the Guset OS, EUROSYS11, 2011.
  6. K. Suzaki, K. Iijima, Y. Toshiki, and C. Artho, “Implementation of a Memory Disclosure Attack on Memory Deduplication of Virtual Machines,” IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, Vol. 96, No. 1, pp. 215-224, 2013.
  7. Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross. "CAIN: Silently Breaking ASLR in the Cloud," 9th USENIX WOOT'15.
  8. Taehyun Kim, Taehun Kim, and Youngjoo Shin, "Breaking KASLR by using Memory Deduplication in Virtualized Environments," CISC-W'19.
  9. M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg, "Meltdown: Reading Kernel Memory from User Space," in USENIX Security Symposium (to appear), 2018.
  10. P. Kocher, J. Horn, A. Fogh, D. Genkin, G. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom, "Spectre attacks: Exploiting speculative execution," In S&P, 2019.
  11. Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, and Daniel Gruss. 2019. "ZombieLoad: Cross-PrivilegeBoundary Data Sampling," arXiv:1905.05726, 2019.
  12. B. Gulmezoglu, A. Moghimi, T. Eisenbarth, and B. Sunar, "FortuneTeller: Predicting Microarchitectural Attacks via Unsupervised Deep Learning, Cryptography and Security," 8 Jul. 2019.
  13. M. Chiappetta, E. Savas, and C. Yilmaz, "Real time detection of cache-based side-channel attacks using hardware performance counters," Cryptology ePrint Archive, 2015.
  14. M. Mushtaq, A. Akram, K. B. Muhammad. N. B. R. Rao, V. Lapotre, and G. Gogniat, "Run-time Detection of Prime+ Probe Side-Channel Attack on AES Encryption Algorithm," 2018 Global Information Infrastructure and Networking Symposium, 23-25 Oct. 2018.
  15. Shuai Wang, Pei Wang, and Dinghao Wu. "Reassembleable disassembling. USENIX Security," 2015.
  16. Shuai Wang, Pei Wang, and Dinghao Wu. "UROBOROS: Instrumenting stripped binaries with static reassembling," IEEE 23rd SANER, 2016.
  17. Erick Bauman, Zhiqiang Lin, and Kevin W. Hamlen. Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics, NDSS, 2019.
  18. Guanhua Wang, Sudipta Chattopadhyay, Ivan Gotovchits, Tulika Mitra and Abhik Roychoudhury, "oo7: Low-overhead Defense against Spectre Attacks via Program Analysis," IEEE Transactions on Software Engineering, 2020. https://doi.org/10.1109/tse.2001.908956
  19. G. Irazoqui, M. S. Inci, T. Eisenbarth, and B. Sunar, "Wait a minute! a fast, cross-VM attack on AES," in RAID, Gothenburg, SE, pp. 299-319. Sep. 2014.