Defense against microarchitecture side-channel attacks through runtime detection, isolation and prevention

Javeed, Arsalan (2022) Defense against microarchitecture side-channel attacks through runtime detection, isolation and prevention. [Thesis]

Full text not available from this repository. (Request a copy)

Abstract

Over the course of recent years, microarchitectural side-channel attacks emerged as one of the most novel and thought-provoking attacks to exfiltrate information from a computing hardware. They leverage the unintended artefacts produced as side-effects to computation, under certain architectural design choices and they prove difficult to be effectively mitigated without incurring significant performance penalties. Moreover, such attacks could operate across isolated processes, containers and virtual machines. In this thesis, we focus on countermeasuring microarchitectural side-channel attacks on computing systems. We investigate the origins of such attacks, effectiveness of existing countermeasure approaches, and lessons that can be learned to build secure systems of future against these attacks. To this end, we perform a systematic mapping of existing literature from recent years under a classification scheme that we developed for this purpose, and provide sought-after answers from the curated set of primary studies through systematic mapping. Furthermore, we present a novel approach called Detector+ to detect, isolate and prevent microarchitecture timing-attacks at runtime. We observe that time measurement behavior of timing attacks differ from benign processes, as these attacks need to measure the execution times of typically quite short-running operations. Upon presence of suspicious time measurements, noise is introduced into the returned measurements to prevent the attacker from extracting meaningful information. Subsequently, the timing measurements are analyzed at runtime to pinpoint malicious processes. We demonstrate the effectiveness of our approach and its incurred negligible performance overhead both in the standalone server environment as well as virtualized cloud environment. Lastly, we discuss some potential avenues for future research in this area of computer and cybersecurity.
Item Type: Thesis
Uncontrolled Keywords: side-channel. -- microarchitecture. -- timing. -- attacks. -- systematic-mapping. -- defense. -- countermeasures. -- yan kanal. -- mikromimari. -- zamanlama. -- saldırılar. -- sistematik haritalama. -- savunma. -- karşı önlemler.
Subjects: T Technology > TK Electrical engineering. Electronics Nuclear engineering > TK7800-8360 Electronics > TK7885-7895 Computer engineering. Computer hardware
Divisions: Faculty of Engineering and Natural Sciences > Academic programs > Computer Science & Eng.
Faculty of Engineering and Natural Sciences
Depositing User: Dila Günay
Date Deposited: 27 Apr 2023 14:22
Last Modified: 10 Jul 2023 10:11
URI: https://research.sabanciuniv.edu/id/eprint/47189

Actions (login required)

View Item
View Item