In this exercise, you will implement and experiment with covert channel communic
Question
In this exercise, you will implement and experiment with covert channel communications using branch predictors. In computer security, a covert channel is a type of security and surveillance evading technique that enables data transfer and digital communications between processes that are not allowed to communicate according to security or access control policy, or between processes that are supposed to be isolated without explicit communication channels. The article "Covert channels through branch predictors: a feasibility study" discloses a way of conducting covert channel communications using branch predictors. The article can be downloaded either from https://dl.acm.org/citation.cfm?id=2768571 or the class website. A presentation of the approach can be found here: http://caslab.eng.vale.edu/workshops/hasp2015/slides_05_evtyushkin.pdf. In this extra credit assignment, you will implement branch predictor based covert channels on a computer model of your choice (e.g., any Intel/AMD based computer). You will receive full credit if you can successfully demonstrate that two processes can communicate using the implemented covert channels. For testing purposes, one process should send a message "deadbeef" and the second process should correctly receive the message. Different from the previous extra credit exercise, for this exercise each point is added directly to your final grade. To receive full credit, you need to submit a simple write up that briefly describes how your implementation works, demonstrate your implementation, and turn in a copy of your program (electronically, please).
Explanation / Answer
Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. Modern computer systems are typically shared by multiple applications which belong to different security domains. To provide security, systems often have to restrict resources that can be accessed by a program. Some classes of applications can be granted access to the network, while others can be restricted from it. However, the applications that are restricted from network access can still be allowed to access sensitive user data. The branch prediction unit plays a critical role in achieving high performance in today's CPUs, because every branch misprediction results in a significant loss of instruction execution opportunities and incurs overhead to undo the side effects of erroneous speculation. This is especially true for deeply-pipelined processors with a high degree of superscalarity. Covert channels described in this paper work with any dynamic branch predictor, because the mechanisms for creating covert communication do not require knowledge of the specific predictor details. While reverse engineering the specific predictor configuration can lead to a higher-capacity channel (as the spy and the trojan can precisely target and use specific parts of the prediction table), such advanced explorations are left for future work. For simplicity, we use the gshare predictor.
We have two mechanisms for constructing covert channels through branch predictors, and we demonstrate the code that needs to be executed by the trojan and the spy processes to realize these channels.
Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. We classify, analyze, and compare covert channels through dynamic branch prediction units in modern processors. Through experiments on a real hardware platform, we compare the contention-based channel and the channel that is based on exploiting the branch predictor's residual state. We analyze these channels in SMT and single-threaded environments under both clean and noisy conditions. Our results show that the residual state-based channel provides a cleaner signal and is effective even in noisy execution environments with another application sharing the same physical core with the trojan and the spy. We also estimate the capacity of the branch predictor covert channels and describe a software-only mitigation technique that is based on randomizing the state of the predictor tables on context switches. We show that this protection eliminates all covert channels through the branch prediction unit with minimal impact on performance.
We assume that two compromised (or malicious) applications are running in the system: a trojan and a spy. We assume that the trojan is a more privileged program that has access to sensitive data that it attempts to transmit to the spy program. No other communication channels (through the network, shared memory, file system, etc.) exist between the trojan and the spy; therefore a covert channel represents the only means for these programs to communicate with each other. We assume that the trojan and the spy are co-located on the same core, either on different SMT contexts or time-sharing the use of the core. This assumption is needed because the branch prediction unit is shared on the same physical core, but not across different cores of a multi-core processor. The system software is assumed to be uncompromised, so that it properly enforces the access control and preserves legitimate information flows. The two processes only require normal user-level privileges. The channel does not require access to performance counters, and therefore would work even if these are disabled, as is commonly done on cloud systems. However, if access to performance counters is available, then a significantly better signal quality can be achieved. In our evaluations, we consider covert channels through both performance counters and execution time.
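To make the residual-state channel and the randomization defense described above concrete, here is an added software model (not code from the paper or from any submitted solution): a toy gshare predictor with 2-bit saturating counters, a trojan that leaves a counter saturated, a spy that reads it back through its own misprediction, and a context switch that optionally scrubs the predictor tables as the mitigation does. The branch addresses, the predictor size and the message "deadbeef" are constructed for the model; no timing or performance counters are involved.

```python
import random

class GSharePredictor:
    """Toy gshare model: 2-bit saturating counters indexed by pc XOR global history."""
    def __init__(self, bits=10):
        self.bits, self.mask = bits, (1 << bits) - 1
        self.table = [1] * (1 << bits)   # counters 0..3; a value >= 2 predicts "taken"
        self.ghr = 0                     # global history register (last `bits` outcomes)

    def branch(self, pc, taken):
        """Execute one conditional branch; return True if it was mispredicted."""
        i = (pc ^ self.ghr) & self.mask
        mispredicted = (self.table[i] >= 2) != taken
        self.table[i] = min(3, self.table[i] + 1) if taken else max(0, self.table[i] - 1)
        self.ghr = ((self.ghr << 1) | int(taken)) & self.mask
        return mispredicted

    def context_switch(self, randomize):
        """The paper's mitigation: scramble predictor state when the core changes process."""
        if randomize:
            self.table = [random.randrange(4) for _ in self.table]
            self.ghr = random.randrange(self.mask + 1)

ALIGN_PC, CHANNEL_PC = 0x100, 0x2A   # constructed branch addresses used by both processes

def align(bp):
    # `bits` taken branches drive the history to all ones, so both sides index the same
    # counter afterwards (with these addresses the alignment run never aliases that entry).
    for _ in range(bp.bits):
        bp.branch(ALIGN_PC, True)

def trojan_send_bit(bp, bit, repeats=4):
    for _ in range(repeats):         # repeated so the counter saturates at 0 or 3
        align(bp)
        bp.branch(CHANNEL_PC, bit == 1)

def spy_receive_bit(bp):
    align(bp)
    # The spy takes the not-taken path: a misprediction means the trojan left the
    # counter in a "taken" state, so the residual state encodes a 1.
    return int(bp.branch(CHANNEL_PC, False))

def transmit(message, randomize_on_switch=False):
    """Send message bit by bit across simulated context switches; return what the spy decoded."""
    bp, received = GSharePredictor(), []
    for byte in message.encode():
        value = 0
        for k in range(7, -1, -1):
            trojan_send_bit(bp, (byte >> k) & 1)
            bp.context_switch(randomize_on_switch)
            value = (value << 1) | spy_receive_bit(bp)
            bp.context_switch(randomize_on_switch)
        received.append(value)
    return bytes(received)
```

With `randomize_on_switch=False` the spy decodes "deadbeef" exactly; with the mitigation enabled each received bit is a coin flip, which is the behaviour the paper reports for table randomization on context switches.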