Know Thy Neighbor: Crypto Library Detection in Cloud

Open access

Abstract

Software updates and security patches have become the standard way to fix known and newly discovered security vulnerabilities in deployed software. In server applications, outdated cryptographic libraries allow adversaries to exploit known weaknesses and launch attacks with significant security consequences. The proposed technique exploits leakage at the hardware level to, first, determine whether a specific cryptographic library is running inside a co-located virtual machine (VM) and, second, discover the IP address of the co-located target. To this end, we use the Flush+Reload cache side-channel technique to measure the time it takes to call (load) a cryptographic library function. Shorter loading times indicate that the library already resides in memory and is shared across VMs by the VM manager through memory deduplication. We demonstrate the viability of the proposed technique by detecting and distinguishing various cryptographic libraries, including MatrixSSL, PolarSSL, GnuTLS, OpenSSL and CyaSSL, along with the IP address of the VM running them. In addition, we show how to differentiate between versions of a library so as to better select an attack target and the applicable exploit. Our experiments show a complete attack setup scenario with single-trial success rates of up to 90% under light load and up to 50% under heavy load for libraries running in KVM.
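The abstract's detection signal is the cache hit/miss timing gap: a reload of a memory line that is already cached finishes in far fewer cycles than one that was flushed. The following is an added example, not the paper's code, that measures that gap inside a single process on x86 with `_mm_clflush` and `rdtscp`, and then shows the threshold-style decision a probe would apply to many noisy trials. The threshold value, the sample timings and the function names are assumptions for illustration and must be calibrated per machine; on non-x86 builds the measurement functions compile but return 0.

```c
/* Added example (not the paper's code): the cache timing primitive behind
 * Flush+Reload, plus the threshold classification a deduplication probe uses.
 * Threshold, sample values and names are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86_CACHE_PRIMS 1
#else
#define HAVE_X86_CACHE_PRIMS 0
#endif

/* Time one read of *p in cycles, optionally flushing the line first.
 * Returns 0 on non-x86 builds, where clflush/rdtscp are unavailable. */
static uint64_t timed_access(volatile uint8_t *p, int flush_first) {
#if HAVE_X86_CACHE_PRIMS
    unsigned int aux;
    if (flush_first) {
        _mm_clflush((const void *)p);   /* evict the line from every cache level */
        _mm_mfence();                   /* make sure the flush completed first */
    }
    uint64_t t0 = __rdtscp(&aux);
    uint8_t v = *p;                     /* the reload being timed */
    uint64_t t1 = __rdtscp(&aux);
    (void)v;
    return t1 - t0;
#else
    (void)p; (void)flush_first;
    return 0;
#endif
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n timed reloads: robust against interrupts and scheduler noise. */
static uint64_t median_cycles(volatile uint8_t *p, int flush_first, size_t n) {
    uint64_t *s = malloc(n * sizeof *s);
    if (!s || n == 0) { free(s); return 0; }
    for (size_t i = 0; i < n; i++) s[i] = timed_access(p, flush_first);
    qsort(s, n, sizeof *s, cmp_u64);
    uint64_t m = s[n / 2];
    free(s);
    return m;
}

/* A reload finishing under the threshold means the line was already cached,
 * i.e. the shared (deduplicated) page had been touched by someone else. */
static int looks_cached(uint64_t cycles, uint64_t threshold) {
    return cycles < threshold;
}

/* Percentage of samples classified as cached: turns many trials into a decision. */
static int percent_cached(const uint64_t *samples, size_t n, uint64_t threshold) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (looks_cached(samples[i], threshold)) hits++;
    return n ? (int)(100 * hits / n) : 0;
}

/* Constructed sample timings (cycles), not measured values: one run where the
 * line was mostly cached and one where it was mostly flushed. */
static const uint64_t SAMPLE_CACHED[5]  = { 60, 70, 65, 80, 300 };
static const uint64_t SAMPLE_FLUSHED[5] = { 250, 300, 280, 90, 310 };

int main(void) {
    static uint8_t buf[4096];
    volatile uint8_t *line = buf + 64;   /* one cache line inside the page */
    const uint64_t threshold = 150;      /* assumed; calibrate per machine */
    uint64_t hit  = median_cycles(line, 0, 1000);
    uint64_t miss = median_cycles(line, 1, 1000);
    printf("median reload: cached=%llu cycles, flushed=%llu cycles\n",
           (unsigned long long)hit, (unsigned long long)miss);
    printf("classified as cached: %s / %s\n",
           looks_cached(hit, threshold) ? "yes" : "no",
           looks_cached(miss, threshold) ? "yes" : "no");
    printf("constructed runs: %d%% / %d%% cached\n",
           percent_cached(SAMPLE_CACHED, 5, threshold),
           percent_cached(SAMPLE_FLUSHED, 5, threshold));
    return 0;
}
```

The measurement is entirely local to the probing process, which is why a guest cannot observe it: the only defence is to remove the shared page itself, for example by not enabling cross-VM deduplication (KSM, `/sys/kernel/mm/ksm/run`) on multi-tenant hosts, or by accepting the memory cost of keeping each tenant's library pages private.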


