Information leaks without memory disclosures: Remote side channel attacks on diversified code

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2014, Pages 54-65

  Seibert, Jeff ^a   Okhravi, Hamed ^a   Söderström, Eric ^b  

^a MIT LINCOLN LABORATORY   (United States)

^b MASSACHUSETTS INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

Address space layout randomization; Code diversity; Information leakage; Memory disclosure; Side channel attacks

Indexed keywords

CODES (SYMBOLS); CRIME;

ADDRESS SPACE LAYOUT RANDOMIZATIONS; CODE DIVERSITY; FAULT ANALYSIS; INFORMATION LEAKAGE; MEMORY CORRUPTION; SIDE-CHANNEL; TIMING SIDE CHANNELS; WITHOUT MEMORY;

SIDE CHANNEL ATTACK;

EID: 84910683130     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2660267.2660309     Document Type: Conference Paper

References (46)

1. ABADI, M., BUDIU, M., ERLINGSSON, U., AND LIGATTI, J. Control-flow integrity. In Computer and Communications Security (CCS) (2005).
2. ACIIÇMEZ, O., BRUMLEY, B. B., AND GRABHER, P. New results on instruction cache attacks. In CHES (2010).
3. AKRITIDIS, P., CADAR, C., RAICIU, C., COSTA, M., AND CASTRO, M. Preventing Memory Error Exploits withWIT. In Security and Privacy (2008).
4. BHATKAR, S., AND SEKAR, R. Data space randomization. In DIMVA (2008).
5. BIHAM, E., AND SHAMIR, A. Differential fault analysis of secret key cryptosystems. In CRYPTO (1997).
6. BITTAU, A., BELAY, A., MASHTIZADEH, A., MAZIERES, D., AND BONEH, D. Hacking blind. In Security and Privacy (2014).
7. BLAZAKIS, D. Leaking addresses with vulnerabilities that can't read good. SummerCon '13. http://www.trapbit.com/talks/Summerc0n2013-GCWoah.pdf.
8. BONNEAU, J., AND MIRONOV, I. Cache-collision timing attacks against AES. In CHES (2006).
9. BRUMLEY, B. B., AND TUVERI, N. Remote timing attacks are still practical. In ESORICS (2011).
10. BRUMLEY, D., AND BONEH, D. Remote timing attacks are practical. In USENIX Security Symposium (2003).
11. CHECKOWAY, S., DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., SHACHAM, H., AND WINANDY, M. Return-oriented programming without returns. In CCS (2010).
12. CROSBY, S. A., WALLACH, D. S., AND RIEDI, R. H. Opportunities and limits of remote timing attacks. ACM Transactions on Information and System Security 12, 3 (Jan. 2009), 17:1-17:29.
13. DURVAUX, F., RENAULD, M., STANDAERT, F.-X., VAN OLDENEEL TOT OLDENZEEL, L., AND VEYRAT-CHARVILLON, N. Efficient removal of random delays from embedded software implementations using hidden markov models. vol. 7771 of Lecture Notes in Computer Science. 2013, pp. 123-140.
14. DUSART, P., LETOURNEUX, G., AND VIVOLO, O. Differential fault analysis on AES. In ACNS (2003).
15. FORREST, S., SOMAYAJI, A., AND ACKLEY, D. Building diverse computer systems. In HotOS (1997).
16. FRANZ, M., BRUNTHALER, S., LARSEN, P., HOMESCU, A., AND NEISIUS, S. Profile-guided automated software diversity. In the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO) (2013).
17. GENKIN, D., SHAMIR, A., AND TROMER, E. RSA key extraction via low-bandwidth acoustic cryptanalysis. Tech. rep., 2013.
18. GIUFFRIDA, C., KUIJSTEN, A., AND TANENBAUM, A. S. Enhanced operating system security through efficient and fine-grained address space randomization. In the 21st USENIX Security Symposium (2012).
19. HISER, J., NGUYEN-TUONG, A., CO, M., HALL, M., AND DAVIDSON, J. W. ILR: Where'd my gadgets go? In Security and Privacy (2012).
20. HOCH, J. J., AND SHAMIR, A. Fault analysis of stream ciphers. In CHES (2004), Springer, pp. 240-253.
21. HOMESCU, A., BRUNTHALER, S., LARSEN, P., AND FRANZ, M. librando: Transparent code randomization for just-in-time compilers. In CCS (2013).
22. HUND, R., WILLEMS, C., AND HOLZ, T. Practical timing side channel attacks against kernel space aslr. In Security and Privacy (2013).
23. JACKSON, T., HOMESCU, A., CRANE, S., LARSEN, P., BRUNTHALER, S., AND FRANZ, M. Diversifying the software stack using randomized nop insertion. Moving Target Defense II: Application of Game Theory and Adversarial Modeling 100 (2013), 151-174.
24. JOYE, M., PAILLIER, P., AND SCHOENMAKERS, B. On second-order differential power analysis. In CHES (2005).
25. KC, G. S., KEROMYTIS, A. D., AND PREVELAKIS, V. Countering code-injection attacks with instruction-set randomization. In CCS (2003).
26. KIL, C., JUN, J., BOOKHOLT, C., XU, J., AND NING, P. Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software. In ACSAC (2006).
27. KOCHER, P. C. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In CRYPTO (1996).
28. KOCHER, P. C., JAFFE, J., AND JUN, B. Differential power analysis. In CRYPTO (1999).
29. ONARLIOGLU, K., BILGE, L., LANZI, A., BALZAROTTI, D., AND KIRDA, E. G-free: Defeating return-oriented programming through gadget-less binaries. In ACSAC'10 (2010).
30. OSWALD, D., RICHTER, B., AND PAAR, C. Side-channel attacks on the Yubikey 2 one-time password generator. In Research in Attacks, Intrusions, and Defenses (RAID). 2013.
31. PAPPAS, V., POLYCHRONAKIS, M., AND KEROMYTIS, A. D. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Security and Privacy (2012).
32. PROUFF, E., RIVAIN, M., AND BÉVAN, R. Statistical analysis of second order differential power analysis. IEEE Transactions on Computers 58, 6 (2009), 799-811.
33. SHACHAM, H. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the ×86). In CCS (2007).
34. SHACHAM, H., PAGE, M., PFAFF, B., GOH, E.-J., MODADUGU, N., AND BONEH, D. On the effectiveness of address-space randomization. In CCS (2004).
35. SKOWYRA, R., CASTEEL, K., OKHRAVI, H., ZELDOVICH, N., AND STREILEIN,W. Systematic analysis of defenses against return-oriented programming. In RAID. 2013.
36. SNOW, K. Z., MONROSE, F., DAVI, L., DMITRIENKO, A., LIEBCHEN, C., AND SADEGHI, A.-R. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Security and Privacy (2013).
37. SOVAREL, A. N., EVANS, D., AND PAUL, N. Where's the feeb? the effectiveness of instruction set randomization. In the 14th conference on USENIX Security Symposium (2005).
38. STRACKX, R., YOUNAN, Y., PHILIPPAERTS, P., PIESSENS, F., LACHMUND, S., AND WALTER, T. Breaking the memory secrecy assumption. In EUROSEC (2009).
39. SZEKERES, L., PAYER, M., WEI, T., AND SONG, D. Sok: Eternal war in memory. In Security and Privacy (2013).
40. THE PAX TEAM. Address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt.
41. TROMER, E., OSVIK, D. A., AND SHAMIR, A. Efficient cache attacks on AES, and countermeasures. Journal of Cryptology 23, 2 (Jan. 2010), 37-71.
42. TROMER, E., AND SHAMIR, A. Acoustic cryptanalysis: on nosy people and noisy machines. In Eurocrypt Rump Session (2004).
43. TUNSTALL, M., MUKHOPADHYAY, D., AND ALI, S. Differential fault analysis of the advanced encryption standard using a single fault. In the International Conference on Information Security Theory and Practice (WISTP) (2011).
44. WANG, Z., AND LEE, R. B. New cache designs for thwarting software cache-based side channel attacks. In the 34th Annual International Symposium on Computer Architecture (ISCA) (2007).
45. WARTELL, R., MOHAN, V., HAMLEN, K. W., AND LIN, Z. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In CCS (2012).
46. ZHANG, Y., JUELS, A., REITER, M. K., AND RISTENPART, T. Cross-vm side channels and their use to extract private keys. In CCS (2012).