# Distributed Operating Systems Side-Channels

Marcus Hähnel (marcus.haehnel@kernkonzept.com)

2023-07-03





# What is a Side-Channel?










## Visual side-channel

Which call has a positive connotation?




# Definition

### Side-Channel

A side-channel is an unintended information source which enables the extraction of information that is processed through a means of communication or computation.



1. The presence of the side-channel does not depend on the presence of bugs


### Phone example

- Primary source: Audio signal
- Unintended source: Visual information (e.g. facial expression, lip movement)


## Covert channels?


### Definition: Covert-Channel

A covert-channel is an *unintended* means of communication between two cooperating programs or systems.




# Side-Channel usage

### Malicious

Extracting ...

- ... other customers' data across virtual machines
- ... crypto keys from applications in different address spaces
- ... data from inaccessible processors

### Benign

- ... detecting rootkits
- ... detecting hardware trojans


# Typical Side-Channels

### What is a suitable side-channel

Any measurable parameter of the system and of its individual operations that changes depending on the processed data.

### Example parameters

- Time (Duration)
- Error behavior (Out of memory? No more file handles?)
- Microarchitectural state
- Power usage
- Radiation (Heat, EM-Radiation)
- Unexpected persistence of data (Cold-boot, memory re-use)




# Timing Channels



### Attack vector

The duration of an attacker-observable operation depends on the data processed by the victim.




### Example - Graphics Processing

Holidays Day 1



Convert to png: 1 s vs. 17 s




# Cache Side-Channel










| Level | Size    | Cycles |
|-------|---------|--------|
| L1D   | 32 KiB  | 4      |
| L1I   | 32 KiB  | 4      |
| L2    | 256 KiB | 12     |
| L3    | 3 MiB   | 36     |
| DRAM  | large   | 250    |




## Prime & Probe

### Concept

- Fill cache with known data (Prime)
- Repeatedly measure how long it takes to access this data
- Longer duration means cache-line was "stolen"


### Example (Victim)

```
struct Person {
  char name[56];   // bytes 0..55 of the record
  double account;  // bytes 56..63, same 64-byte cache line as name
} Alice, Bob;

void transact(Person& p) {
  p.account += 4000;  // touches the cache line that holds p
}

int main() {
  transact(Alice);
}
```

L1D 8-way set cache:

| Tag (20) | Set Index (6) | Offset (6) |
|----------|---------------|------------|
| (Alice)  | 0             | 56         |
| (Bob)    | 1             | 56         |
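The address split from the table, worked through as an added example (not part of the original slides): the C model below decomposes an address into tag, set index and offset for the 32 KiB, 8-way L1D with 64-byte lines, then replays prime, victim access and probe on a software LRU model. The base addresses and the helpers `locate`, `prime`, `access_line` and `evicted_ways` are constructed for illustration; nothing here measures real cache timing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* L1D from the slides: 32 KiB, 8 ways, 64-byte lines -> 64 sets,
 * i.e. 6 offset bits, 6 set-index bits, 20 tag bits of a 32-bit address. */
enum { LINE_BITS = 6, SET_BITS = 6, SETS = 1 << SET_BITS, WAYS = 8 };

struct Person { char name[56]; double account; };  /* 64 bytes = one line */

struct cache_loc { uint32_t tag; unsigned set; unsigned offset; };

static struct cache_loc locate(uintptr_t addr) {
    struct cache_loc l;
    l.offset = (unsigned)(addr & ((1u << LINE_BITS) - 1));
    l.set    = (unsigned)((addr >> LINE_BITS) & (SETS - 1));
    l.tag    = (uint32_t)((addr >> (LINE_BITS + SET_BITS)) & 0xFFFFFu);
    return l;
}

/* Software model of the cache with LRU replacement (an assumption; real
 * replacement policies differ). No timing is involved. */
struct line { uint32_t tag; unsigned stamp; int valid; };
struct l1d { struct line way[SETS][WAYS]; unsigned clock; };

static int find_way(const struct l1d *c, struct cache_loc l) {
    for (int w = 0; w < WAYS; w++)
        if (c->way[l.set][w].valid && c->way[l.set][w].tag == l.tag)
            return w;
    return -1;
}

/* Hit: refresh the LRU stamp. Miss: replace an invalid or the oldest way. */
static void access_line(struct l1d *c, uintptr_t addr) {
    struct cache_loc l = locate(addr);
    int w = find_way(c, l);
    if (w < 0) {
        w = 0;
        for (int i = 0; i < WAYS; i++) {
            if (!c->way[l.set][i].valid) { w = i; break; }
            if (c->way[l.set][i].stamp < c->way[l.set][w].stamp) w = i;
        }
        c->way[l.set][w].tag = l.tag;
        c->way[l.set][w].valid = 1;
    }
    c->way[l.set][w].stamp = ++c->clock;
}

/* Constructed addresses: victim array page-aligned, observer buffer elsewhere. */
static const uintptr_t VICTIM_BASE   = 0x00403000u;
static const uintptr_t OBSERVER_BASE = 0x00800000u;

static uintptr_t observer_line(unsigned set, unsigned way) {
    return OBSERVER_BASE + (uintptr_t)way * ((uintptr_t)SETS << LINE_BITS)
                         + ((uintptr_t)set << LINE_BITS);
}

static uintptr_t account_addr(unsigned person) {  /* 0 = Alice, 1 = Bob */
    return VICTIM_BASE + person * sizeof(struct Person)
                       + offsetof(struct Person, account);
}

/* Prime: fill all 8 ways of every set with known lines. */
static void prime(struct l1d *c) {
    memset(c, 0, sizeof *c);
    for (unsigned s = 0; s < SETS; s++)
        for (unsigned w = 0; w < WAYS; w++)
            access_line(c, observer_line(s, w));
}

/* Probe (modelled as a lookup instead of a timed access): number of primed
 * lines in this set that are no longer cached. */
static unsigned evicted_ways(const struct l1d *c, unsigned set) {
    unsigned n = 0;
    for (unsigned w = 0; w < WAYS; w++)
        if (find_way(c, locate(observer_line(set, w))) < 0) n++;
    return n;
}

int main(void) {
    static struct l1d c;
    const char *who[] = { "Alice", "Bob" };
    for (unsigned p = 0; p < 2; p++) {
        struct cache_loc l = locate(account_addr(p));
        prime(&c);
        access_line(&c, account_addr(p));  /* what transact() touches */
        printf("%s.account: tag=0x%05x set=%u offset=%u | evicted: set0=%u set1=%u\n",
               who[p], (unsigned)l.tag, l.set, l.offset,
               evicted_ways(&c, 0), evicted_ways(&c, 1));
    }
    return 0;
}
```

The set index alone separates the two records: both accounts sit at offset 56 under the same tag, and only the set that loses a primed way differs.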






### Attacker

Prime, Probe, Detect

[Figure; axis label: Set Index]


# Cache Fingerprint





Results of prime-probe observations for 20 distinct processed text words (rows). Darker fields indicate more evicted ways within an 8-way associativity set. Vertical lines identify cache addresses evicted in every observation.


# Evict & Time


### Prime & Probe shortcomings

- Hard with smart caches
- Probing is prone to many false positives

### Alternative: Evict & Time

- Possible if execution of victim code is under attacker control
- Evict cache (by filling with known data)
- Run victim and measure runtime
- Evict most of the cache
- Run victim again and measure time
- Time difference tells if victim used non-evicted cache-line


#### Smart Caches

Smart Caches "reserve" parts of the L3 cache for individual cores. This makes priming hard.

#### Prefetchers

Detect access patterns. Probing may cause prefetch of evicted line leading to false-negative.

#### Scheduling

May evict primed data leading to 'blind times'


# Pagefault Side-Channel


#### Assumption

Removing the OS from the TCB

#### Scenario: Shielding Systems

- InkTag: Hypervisor / paging based isolation between OS and Application
- Intel SGX: Hardware-based isolation through read-protected memory

#### Vulnerability

- These systems don't trust the OS but use it to configure hardware
- The OS makes a powerful adversary


# Controlled Channel Attacks

### First attack vector against Intel SGX

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems

Yuanzhong Xu, Weidong Cui, and Marcus Peinado, MSR

#### System Model

- OS cannot directly observe memory or registers of application
- OS controls virtual memory



# Example: string length

#### Example (Source, simplified)

```
//str on heap
int strlen(char* str) {
  int len = 0; //Stack
  while (*(str++) != '\0')
    len++;
  return len;
}
```

- Heap not present
- Stack not present

The slides step through the page-table entries for the heap and stack pages (fields: Phys-Addr, other Flags, present bit P). The table lists the P bits per step; `!` marks the entry flagged on the slide at that step.

| Step | Heap P | Stack P | Attackers Knowledge |
|------|--------|---------|---------------------|
| 1    | 0      | 0       |                     |
| 2    | ! 0    | 0       |                     |
| 3    | 1      | 0       |                     |
| 4    | 1      | ! 0     |                     |
| 5    | 0      | 1       |                     |
| 6    | ! 0    | 1       | Length = 1          |
| 7    | 1      | 0       | Length = 1          |
| 8    | 1      | ! 0     |                     |
| 9    | 0      | 1       |                     |





### Example Results (PF vs. Cache Channel)







1. IDCT (inverse discrete cosine transformation)
2. Index in array ≈8 kB big




### Microarchitectural Channels



Leaking speculative CPU-state to attackers

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg

Examples and figures taken from the Meltdown paper



Spectre


## Side-Effects of Out-of-Order execution

### Toy Example

```
raise_exception();
// the line below is never reached
access(probe_array[data * 4096]);
```



#### Constraints

- Raising the exception should be slow
- Accessing the array should be fast


```
; rcx = kernel address
; rbx = probe array
retry:
   MOV AL, byte [RCX]
   SHL RAX, 12
   JZ retry
   MOV RBX, qword [RBX + RAX]
```

1. Retry needed because exception handling zeroes registers
2. No evicted cache line is considered zero
3. Exception can be prevented (amongst others) using TSX




## Power channels

#### Features

- Requires no capability to run code
- Hard to detect
- In theory usable remotely

#### Requirements

- (very) high-resolution power measurement
- physical access to power supply
- detailed knowledge about exact processor used





# Example

#### Example (Square-And-Multiply)

```
int exp(int base, int e) {
  int res = 1;
  while (e != 0) {
    if (e & 1) res *= base; //multiply, executed only for 1-bits of e
    base *= base; //square, executed for every bit of e
    e >>= 1;
  }
  return res;
}
```

Source: https://commons.wikimedia.org/wiki/File:Power_attack.png






# Acoustic channels

#### Features

- Requires no capability to run code
- Hard to detect
- Usable remotely, bugs


#### Requirements

- Good audio equipment
- Reliable audio filters
- Knowledge about typing style
- Knowledge about hardware used


# Example

## Password typing attack

Keyboard Acoustic Emanations Revisited. Li Zhuang, Feng Zhou, J. D. Tygar. University of California, Berkeley.




## Electro Magnetic (EM) Radiation

#### Features

- Requires no capability to run code
- Hard to detect
- No "wire-cutting" needed


#### Requirements

- Expensive detection equipment (antenna, scope)
- Detailed knowledge about hardware used


# Data Remanence


#### Warning

- Not a classical side-channel
- no indirect observance of data → direct
- is still interesting

#### Features

- Access to data you thought is gone
- Usually if you get data it is pretty good




## Examples / Software

#### Example (Your friend, the compiler)

```
#include <stdlib.h>

void secret() {
  char* buf = (char*) malloc(1024);
  // put sth. secret into buf
  free(buf);
}
```

#### Problem

What if someone gets the same memory?

```
#include <stdlib.h>
#include <string.h>

void secret() {
  char* buf = (char*) malloc(1024);
  // put sth. secret into buf
  memset(buf, '\0', 1024);
  free(buf);
}
```

#### Problem

The compiler could optimize the memset out
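Both problems above in one added example (not from the original slides): a constructed one-slot allocator stands in for `malloc`/`free` so that memory re-use can be observed without undefined behaviour, and `secure_wipe` is one common way to write a wipe the optimizer may not drop. The names `slot_alloc`, `slot_free`, `secure_wipe` and the secret string are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed one-slot allocator: the next allocation always receives the
 * memory the previous user released, like a heap re-using a freed chunk. */
enum { SLOT_SIZE = 1024 };
static unsigned char slot[SLOT_SIZE];
static int slot_in_use;

static void *slot_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    return slot;
}

static void slot_free(void *p) {
    if (p == slot) slot_in_use = 0;
}

/* Wipe through a volatile lvalue so every store counts as a side effect the
 * compiler has to keep, even when the buffer is dead afterwards. Where the
 * platform offers one, explicit_bzero (glibc, BSD), memset_s (C11 Annex K)
 * or SecureZeroMemory (Windows) serve the same purpose. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    /* Compiler barrier: the wiped memory is treated as used from here on. */
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

static const char SECRET[] = "constructed-sample-secret";  /* sample value */

/* First slide version: the secret stays in the released memory. */
static void secret_naive(void) {
    char *buf = slot_alloc();
    if (!buf) return;
    memcpy(buf, SECRET, sizeof SECRET);
    slot_free(buf);
}

/* Hardened version: wipe before release, with a wipe that cannot be elided. */
static void secret_wiped(void) {
    char *buf = slot_alloc();
    if (!buf) return;
    memcpy(buf, SECRET, sizeof SECRET);
    secure_wipe(buf, SLOT_SIZE);
    slot_free(buf);
}

/* The next user of the same memory: 1 if the old secret is still readable. */
static int next_user_sees_secret(void) {
    unsigned char *buf = slot_alloc();
    int leaked = buf && memcmp(buf, SECRET, sizeof SECRET) == 0;
    if (buf) {
        secure_wipe(buf, SLOT_SIZE);  /* reset the slot for the next run */
        slot_free(buf);
    }
    return leaked;
}

int main(void) {
    secret_naive();
    printf("after secret_naive: remanent secret visible = %d\n",
           next_user_sees_secret());
    secret_wiped();
    printf("after secret_wiped: remanent secret visible = %d\n",
           next_user_sees_secret());
    return 0;
}
```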





# Cold Boot

Lest We Remember: Cold Boot Attacks on Encryption Keys

J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Princeton University, Electronic Frontier Foundation, Wind River Systems










## Performance

|   | Seconds w/o power | Error % at operating temp. | Error % at -50 °C |
|---|-------------------|----------------------------|-------------------|
| A | 60                | 41                         | (no errors)       |
|   | 300               | 50                         | 0.000095          |
| B | 360               | 50                         | (no errors)       |
|   | 600               | 50                         | 0.000036          |
| C | 120               | 41                         | 0.00105           |
|   | 360               | 42                         | 0.00144           |
| D | 40                | 50                         | 0.025             |
|   | 80                | 50                         | 0.18              |










## Results



Image after 5, 30, 60 and 300 seconds






## Defense mechanisms

#### Approach

Make all behavior that is observable independent of the input data

#### Caveat

Complete independence is not always achievable (Algorithmic requirements, some channels hard to control)

#### Alternative

Remove ability to observe the given aspect

## Timing channels

#### Blinding

- Modify data computed on in such a way that operation always takes equal time
- Requires inverse unblinding that can be performed after the operation
- Noise injection



Requires inverse unblinding that can be performed after the operation Noise injection

#### example: Move different data processed in different branch targets to same cacheling

Timing channels

## Blinding

- Modify data computed on in such a way that operation always takes equal time
- Requires inverse unblinding that can be performed after the operation
- Noise injection

#### Branch elimination/equalisation

Removes changes in runtime due to different operations depending on data Example: Move different data processed in different branch targets to same cacheline



DOS - Side-Channels -Defense

\_\_Timing channels

External Attack Vectors

Defense o ● o o o o

# Timing channels

#### Blinding

- Modify the data being computed on in such a way that the operation always takes equal time
- Requires an inverse unblinding step that can be performed after the operation
- Noise injection
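
RSA base blinding is one well-known instance of this blind / operate / unblind pattern. The following is an added example, not code from the slides; the toy key (N = 3233, E = 17, D = 2753) and the helper names `modpow`, `modinv` and `sign_blinded` are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed textbook RSA key: N = 61 * 53. Far too small for real use. */
enum { N = 3233, E = 17, D = 2753 };

/* Square-and-multiply. The branch on each exponent bit is the kind of
 * data-dependent work a timing attacker models when the base is known. */
static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
    }
    return r;
}

/* Modular inverse by extended Euclid; returns 0 if a is not invertible mod m. */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Sign m with blinding factor r (fresh and random per call in practice).
 * *seen receives the value the private-key operation actually processed. */
static uint64_t sign_blinded(uint64_t m, uint64_t r, uint64_t *seen) {
    uint64_t rinv = modinv(r, N);
    if (rinv == 0) return 0;                           /* caller must pick another r */
    uint64_t blinded = (m % N) * modpow(r, E, N) % N;  /* blind: m * r^e */
    if (seen) *seen = blinded;
    uint64_t s = modpow(blinded, D, N);                /* (m * r^e)^d = m^d * r */
    return s * rinv % N;                               /* unblind: multiply by r^-1 */
}

int main(void) {
    uint64_t seen = 0;
    uint64_t s = sign_blinded(65, 7, &seen);
    printf("signature=%llu, exponentiation input=%llu\n",
           (unsigned long long)s, (unsigned long long)seen);
    return 0;
}
```

The private-key exponentiation never sees the caller's message, only a value the caller cannot predict, while the unblinded result equals the plain signature.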

#### Branch elimination/equalisation

Removes changes in runtime due to different operations depending on data.

Example: Move different data processed in different branch targets to the same cacheline.
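
A second common form of branch elimination replaces the data-dependent branch with arithmetic. The following is an added example, not code from the slides; the function names and the sample byte strings are constructed, and the `steps` counter exists only to make the amount of work visible without a timer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit compare: the iteration count (and so the runtime) reveals the
 * length of the matching prefix. *steps counts the bytes inspected. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    for (size_t i = 0; i < n; i++) {
        ++*steps;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Branch-free compare: always touches all n bytes and folds the differences
 * into one accumulator, so the work done does not depend on the data. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        ++*steps;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return (int)(((uint32_t)diff - 1u) >> 31);   /* 1 iff diff == 0, no branch */
}

/* Branch-free select: returns a if the low bit of cond is 1, else b. */
static uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = 0u - (cond & 1u);            /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

int main(void) {
    const uint8_t secret[4] = { 'k', 'e', 'y', '!' };   /* constructed sample */
    const uint8_t early[4]  = { 'x', 'e', 'y', '!' };
    const uint8_t late[4]   = { 'k', 'e', 'y', '?' };
    size_t l1 = 0, l2 = 0, c1 = 0, c2 = 0;
    leaky_equal(secret, early, 4, &l1); leaky_equal(secret, late, 4, &l2);
    ct_equal(secret, early, 4, &c1);    ct_equal(secret, late, 4, &c2);
    printf("leaky: %zu vs %zu steps, constant-time: %zu vs %zu steps\n", l1, l2, c1, c2);
    printf("select: %u\n", (unsigned)ct_select(1, 10, 20));
    return 0;
}
```

Compilers can turn branch-free source back into branches, so inspect the generated assembly for the build flags you ship.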

#### Prevent statistical analysis

Avoid running the same algorithm on attacker-observable data multiple times.

Challenge-response is prone to this!


## Page-Fault Channel / Fault channels

#### Detection

- Given a reliable time source, constant page faults can be detected as an unusually long program runtime
- SGX v2 can notify the protected program of page faults. It may choose not to compute on secret data if such page faults come unexpectedly

#### Prevention

- Don't use paging. Require all memory to be mapped
- Avoid dynamic allocation of shared resources



### Meltdown

- KPTI (Kernel Page Table Isolation)
- HW: Don't speculate across protection boundaries

### Spectre

Speculation fences





## Power / Acoustic / EM

### Power Channel

- Use an internal power source or a high capacitance in the power path for sensitive instructions (low-pass effect)
- Use same-complexity instructions for input-dependent code (mul instead of shift)

### Acoustic

- Counter-noise to mask real typing
- Avoid typing sensitive information (on-screen keyboard)

### Electromagnetic Radiation

- Use EM shielding on chips
- Use EM shielding for case


## Data remanence

### Zero memory

- Like really zero it! (memset_s for C11, SecureZeroMemory for Windows)
- Remember copies of the data! (Stack? Heap?)
- Not all copies are immediately obvious! Compilers may create additional ones
- And of course you remembered the XMM registers, right?
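
A portable wipe routine that picks one of the two APIs named above where available and otherwise falls back to volatile stores. This is an added example, not code from the slides; `secure_zero`, `nonzero_bytes` and `toy_tag` are hypothetical helper names, and the key and message bytes are constructed.

```c
#define __STDC_WANT_LIB_EXT1__ 1     /* ask for C11 Annex K (memset_s) if the libc has it */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Wipe n bytes at p so that the optimizer cannot drop the write as a dead store. */
static void secure_zero(void *p, size_t n) {
#if defined(_WIN32)
    SecureZeroMemory(p, n);
#elif defined(__STDC_LIB_EXT1__)
    memset_s(p, n, 0, n);
#else
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;           /* fallback: volatile stores are not elided */
#endif
}

static size_t nonzero_bytes(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) count += (b[i] != 0);
    return count;
}

/* Toy tag (XOR fold, a stand-in for real crypto) that works on a stack copy of
 * the key: that copy is a second place the secret lives and must be wiped too. */
static uint8_t toy_tag(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen) {
    uint8_t copy[32];
    uint8_t tag = 0;
    if (klen == 0) return 0;
    if (klen > sizeof copy) klen = sizeof copy;
    memcpy(copy, key, klen);
    for (size_t i = 0; i < mlen; i++) tag ^= (uint8_t)(msg[i] ^ copy[i % klen]);
    secure_zero(copy, sizeof copy);  /* a plain memset() here may be optimized away */
    return tag;
}

int main(void) {
    uint8_t key[4] = { 1, 2, 3, 4 };                 /* constructed sample key */
    const uint8_t msg[2] = { 0x10, 0x20 };
    printf("tag=0x%02x\n", toy_tag(key, sizeof key, msg, sizeof msg));
    secure_zero(key, sizeof key);                    /* wipe the original as well */
    printf("nonzero key bytes after wipe: %zu\n", nonzero_bytes(key, sizeof key));
    return 0;
}
```

This reaches memory the program knows about only; copies the compiler makes and values left in registers are not covered by it.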

### Cold Boot

- Combined with the above, very hard! Use shut down and not hibernate / suspend. After a few seconds you should be fine.
- Idea: Write secret data to physical 0x7c00 - 0x7dFF! MBR is loaded there :)


## Summary

#### Side-channels

... are unintended information sources for extracting secret data

#### Attacks

There is a plethora of side-channels in every normal system! We only touched on a few methods! Your imagination is the limit.

#### Defense

... is very hard. The best way is to design algorithms from the ground up with side-channels in mind!





## References and Related Work

#### Overview

- http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/papers/physecpaper19.pdf

#### Cache Side-Channels

- https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-yarom.pdf

#### Page-fault Channel

- http://www.ieee-security.org/TC/SP2015/papers-archived/6949a640.pdf
- https://www.usenix.org/system/files/conference/atc17/atc17-hahnel.pdf

#### Microarchitectural Channels

- https://meltdownattack.com/meltdown.pdf
- https://spectreattack.com/spectre.pdf

#### Acoustic Channels

- http://people.eecs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/ccs.pdf


#### Cold Boot

- https://www.usenix.org/event/sec08/tech/full_papers/halderman/halderman.pdf

#### Remanence

- http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
- http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html

#### Defense

- https://www.blackhat.com/presentations/bh-usa-08/McGregor/BH_US_08_McGregor_Cold_Boot_Attacks.pdf
- http://fc16.ifca.ai/preproceedings/21_Anand.pdf
- https://www.semanticscholar.org/paper/Software-mitigations-to-hedge-AES-against-cache-Brickell-Graunke/11c6fddeff9e2f95c8cf238ea9f12f8ffae7cf8c/pdf
- https://www.cc.gatech.edu/~slee3036/papers/shih:tsgx.pdf
