Learning secrets and models from execution time

• Autores: José Vila Bausili
• Directores de la Tesis: Boris Köpf (dir. tes.)
• Lectura: En la Universidad Politécnica de Madrid ( España ) en 2020
• Idioma: español
• Tribunal Calificador de la Tesis: Frank Piessens (presid.), Juan Caballero Bayerri (secret.), Yuval Yaron (voc.), Jan Reineke (voc.), Clémentine Maurice (voc.)
• Programa de doctorado: Programa de Doctorado en Software, Sistemas y Computación por la Universidad Politécnica de Madrid
• Materias:
  • Matemáticas
    • Ciencia de los ordenadores
      • Logicales de ordenadores
      • Informática
• Enlaces
  • Tesis en acceso abierto en: Archivo Digital UPM
• Resumen

  • In this dissertation we study some of the problems arising on computer systems that leak information through execution time. We study several instances of how these leaks can be used to both learn secrets---of a confidential computation---and models---of an underlying component---, and we provide examples that violate previous assumptions about systems' security or about the attackers' capabilities.

    In particular, we study time leakage under three different scenarios, providing multiple independent contributions in each of them:

    First, we show that event-driven software systems are susceptible to side-channel attacks. The key observation is that event loops form a resource that can be shared between mutually distrusting programs. Hence, contention of this resource by one program can be observed by the others through variations in the time the latter processes take for dispatching their events. We exploit two different shared event loops in the Chrome web browser, and use the information obtained in three different attacks: for web page fingerprinting, for keystroke detection, and for a cross-origin covert channel.

    Then, we show that our contributions are both theoretical and practical. On the theoretical side, we formalize the problem of finding minimal eviction sets, a key primitive for several microarchitectural attacks, and devise novel algorithms that improve the state-of-the-art from quadratic to linear. On the practical side, we perform a rigorous empirical analysis that exhibits the conditions under which our algorithms succeed or fail.

    Finally, we present a practical end-to-end solution for inferring deterministic cache replacement policies using off-the-shelf techniques for automata learning and program synthesis. The enabling contribution is a chain of two abstractions: a clean interface to the hardware cache replacement policies based on timing measurements on a silicon CPU; and a mapper that exposes a membership oracle to the cache replacement policy abstracting away the details regarding cache content management.

    The results of this thesis constitute an evidence that better models and quantification methods, for both software and hardware systems, are required in order to reason about the soundness and trade-offs of security countermeasures. And provide a basis for principled countermeasures against, or paths for further improving the efficiency, several side channel attacks.