Clueless: A Tool Characterising Values Leaking as Addresses
Pages 27 - 34
Abstract
Clueless is a binary instrumentation tool that characterises explicit cache side channel vulnerabilities of programs. It detects the transformation of data values into addresses by tracking dynamic instruction dependencies. Clueless tags data values in memory if it discovers that they are used in address calculations to further access other data.
Clueless can report on the amount of data that are used as addresses at each point during execution. It can also be specifically instructed to track certain data in memory (e.g., a password) to see if they are turned into addresses at any point during execution. It returns a trace on how the tracked data are turned into addresses, if they do.
We demonstrate Clueless on SPEC 2006 and characterise, for the first time, the amount of data values that are turned into addresses in these programs. We further demonstrate Clueless on a micro benchmark and on a case study. The case study is the different implementations of AES in OpenSSL: T-table, Vector Permutation AES (VPAES), and Intel Advanced Encryption Standard New Instructions (AES-NI). Clueless shows how the encryption key is transformed into addresses in the T-table implementation, while explicit cache side channel vulnerabilities are note detected in the other implementations.
References
[1]
[n. d.]. Pin - a dynamic binary instrumentation tool. https://www.intel.com/content/www/us/en/developer/articles/tool/pin-a-dynamic-binary-instrumentation-tool.html
[2]
Onur Acıiçmez, Werner Schindler, and Çetin K Koç. 2007. Cache based remote timing attack on the AES. In Cryptographers’ track at the RSA conference. Springer, 271–286.
[3]
Pavlos Aimoniotis, Christos Sakalis, Magnus Själander, and Stefanos Kaxiras. 2021. Reorder Buffer Contention: A Forward Speculative Interference Attack for Speculation Invariant Instructions. 20 (July 2021), 162–165. Issue 2. https://doi.org/10.1109/LCA.2021.3123408
[4]
Sam Ainsworth. 2021. GhostMinion: A Strictness-Ordered Cache System for Spectre Mitigation. In Proceedings of the IEEE/ACM International Symposium on Microarchitecture. Association for Computing Machinery, 592–606. https://doi.org/10.1145/3466752.3480074
[5]
Atri Bhattacharyya, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, Babak Falsafi, Mathias Payer, and Anil Kurmus. 2019. SMoTherSpectre: Exploiting Speculative Execution through Port Contention. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 785–800. https://doi.org/10.1145/3319535.3363194
[6]
Joseph Bonneau and Ilya Mironov. 2006. Cache-collision timing attacks against AES. In International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 201–215.
[7]
James Clause, Wanchun Li, and Alessandro Orso. 2007. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 international symposium on Software testing and analysis. 196–206.
[8]
Dorothy E. Denning and Peter J. Denning. 1977. Certification of Programs for Secure Information Flow. Commun. ACM 20, 7 (jul 1977), 504–513. https://doi.org/10.1145/359636.359712
[9]
Morris Dworkin, Elaine Barker, James Nechvatal, James Foti, Lawrence Bassham, E. Roback, and James Dray. 2001. Advanced Encryption Standard (AES). https://doi.org/10.6028/NIST.FIPS.197
[10]
Shay Gueron. 2010. Intel advanced encryption standard (AES) new instructions set.
[11]
David Gullasch, Endre Bangerter, and Stephan Krenn. 2011. Cache games–bringing access-based cache attacks on AES to practice. In 2011 IEEE Symposium on Security and Privacy. IEEE, 490–505.
[12]
Vivek Haldar, Deepak Chandra, and Michael Franz. 2005. Dynamic taint propagation for Java. In 21st Annual Computer Security Applications Conference (ACSAC’05). IEEE, 9–pp.
[13]
Mike Hamburg. 2009. Accelerating AES with vector permute instructions. In International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 18–32.
[14]
[email protected]. 2018. Issue 1528: speculative execution, variant 4: speculative store bypass - project-zero. https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
[15]
Vladimir Kiriansky and Carl Waldspurger. 2018. Speculative Buffer Overflows: Attacks and Defenses. arXiv:1807.03757 [cs] (July 2018). http://arxiv.org/abs/1807.03757
[16]
Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In SP. 1–19. https://doi.org/10.1109/SP.2019.00002
[17]
Jingfei Kong, Cliff C Zou, and Huiyang Zhou. 2006. Improving software security via runtime instruction-level taint checking. In Proceedings of the 1st workshop on Architectural and system support for improving software dependability. 18–24.
[18]
Esmaeil Mohammadian Koruyeh, Khaled N Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh. 2018. speculation attacks using the return stack buffer. In 12th USENIX Workshop on Offensive Technologies (WOOT 18).
[19]
Lap Chung Lam and Tzi-cker Chiueh. 2006. A general dynamic information flow tracking framework for security applications. In 2006 22nd Annual Computer Security Applications Conference (ACSAC’06). IEEE, 463–472.
[20]
Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, 2018. Meltdown: Reading kernel memory from user space. In 27th USENIX Security Symposium (USENIX Security 18). 973–990.
[21]
Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. 2015. Last-Level Cache Side-Channel Attacks are Practical. In 2015 IEEE Symposium on Security and Privacy. 605–622. https://doi.org/10.1109/SP.2015.43
[22]
Giorgi Maisuradze and Christian Rossow. 2018. ret2spec: Speculative execution using return stack buffers. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2109–2122.
[23]
Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache attacks and countermeasures: the case of AES. In Cryptographers’ track at the RSA conference. Springer, 1–20.
[24]
Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan Zhou, and Youfeng Wu. 2006. Lift: A low-overhead practical information flow tracking system for detecting security attacks. In 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO’06). IEEE, 135–148.
[25]
Christos Sakalis, Stefanos Kaxiras, Alberto Ros, Alexandra Jimborean, and Magnus Själander. 2019. Efficient Invisible Speculative Execution through Selective Delay and Value Prediction. In Proceedings of the International Symposium on Computer Architecture. 723–735.
[26]
G Edward Suh, Jae W Lee, David Zhang, and Srinivas Devadas. 2004. Secure program execution via dynamic information flow tracking. ACM Sigplan Notices 39, 11 (2004), 85–96.
[27]
Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher Fletcher, and Josep Torrellas. 2018. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy. In Proceedings of the IEEE/ACM International Symposium on Microarchitecture. 428–441. https://doi.org/10.1109/MICRO.2018.00042
[28]
Yuval Yarom and Katrina Falkner. 2014. Flush+Reload: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In 23rd USENIX security symposium (USENIX security 14). 719–732.
[29]
Jiyong Yu, Mengjia Yan, Artem Khyzha, Adam Morrison, Josep Torrellas, and Christopher W. Fletcher. 2019. Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data. In Proceedings of the IEEE/ACM International Symposium on Microarchitecture. Association for Computing Machinery, 954–968. https://doi.org/10.1145/3352460.3358274
Index Terms
- Clueless: A Tool Characterising Values Leaking as Addresses
Recommendations
Improving Performance of Large Physically Indexed Caches by Decoupling Memory Addresses from Cache Addresses
Modern CPUs often use large physically indexed caches that are direct-mapped or have low associativities. Such caches do not interact well with virtual memory systems. An improperly placed physical page will end up in a wrong place in the cache, causing ...
Characterizing Ethereum Address Poisoning Attack
CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications SecurityThis paper presents the first comprehensive analysis of the address poisoning attack surged on the Ethereum blockchain. This phishing attack typically exploits the address shortening feature of Ethereum explorers and digital wallets (e.g., Etherscan and ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
October 2022
58 pages
ISBN:9781450398718
DOI:10.1145/3569562
Copyright © 2022 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 21 September 2023
Check for updates
Qualifiers
- Research-article
- Research
- Refereed limited
Funding Sources
- Swedish Research Council
- Microsoft Research EMEA PhD Scholarship Programme
- VINNOVA
- Swedish Foundation for Strategic Research
Conference
HASP '22
HASP '22: Hardware and Architectural Support for Security and Privacy
October 1, 2022
IL, Chicago, USA
Acceptance Rates
Overall Acceptance Rate 9 of 13 submissions, 69%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 276Total Downloads
- Downloads (Last 12 months)211
- Downloads (Last 6 weeks)29
Reflects downloads up to 01 Mar 2025
Other Metrics
Citations
View Options
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML FormatLogin options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in