Welcome > OS > L4 > seL4 > 2019 Time Protection

2019 Time Protection

References:

The last mile
Time Protection: The Missing OS Abstraction, Qian Ge, Yuval Yarom, Tom Chothia, and Gernot Heiser. 2019. In Proceedings of the Fourteenth EuroSys Conference 2019 (Dresden, Germany) (EuroSys ’19). ACM, New York, NY, USA, Article 1, 17 pages. https://doi.org/10.1145/3302424.3303976;
- paper site
“No security without time protection: We need a new hardware-software contract.”, Ge, Qian, Yuval Yarom, and Gernot Heiser. In Proceedings of the 9th Asia-Pacific Workshop on Systems, pp. 1-9. 2018.
- paper site, pdf

Problem

“Microarchitectural timing channels result from competition for hardware resources that are functionally transparent to software.”

“The instruction-set architecture(ISA), i.e. the hardware-software contract, abstracts these resources away, as they are irrelevant for functional correctness. However, the abstraction leaks, as it affects observable execution speed, leading to timing channels.”

These hardware resources under competition include two categories:

Microarchitectural state. Leverages temporal and spatial locality to improve average-case performance.
- data and instruction caches
- TLBs
- branch predictors
- instruction- and data- prefetcher state machines
- DRAM row buffers
- core-local resources
  - with hyperthreading: these are cocurrently accessed like shared caches;
  - without hyperthreading: these are time-shared.
Stateless interconnects: Time sharing cannot produce interference on these, while concurrent access can be observed as a reduction of available bandwith.
- buses
- on-chip networks

Current Status

Partition support for spatially/concurrently sharing

Resetting support for temporal/non-partitionable sharing

x86:
- limited support for resetting microarchitectural state;
- no way of resetting only on-core state
- cache flush: wbinvd instruction: flushes the complete cache hierachy;
- overkill for time protection;
  - should be partitioned rather than reset;
- worst-case cost measured at 12ms on an Intel Sandy Bridge system(including the indirect cost of subsequent misses).
- TLB flush: invpcid in 64-bit mode (reload CR3 and CR0 in 32-bit mode, to invalidate both non-global and global mappings)
- disable data prefetcher: updating MSR 0x1A4 [Viswanathan 2014]
- instruction prefetcher: no way to control instruction prefetcher
- indirect branch control (IBC): ???
Arm
- Cache: a selective flush of the L1 cache, without affecting lower levels in the cache hierarchy;
  - DCCISW
  - ICIALLU
- TLB:
  - TLBIALL: flush the TLB;
- Branch predictor:
  - BPIALL: flush the branch predictor;
- data prefetcher:
- platform-dependent
  - Hikey platform: CPU auxiliary control register
- instruction prefetcher: no way to disable.

Attack evaluation

Channels that cannot be closed making full use of any reset mechanisms provided the architecture.

Channels exploiting L1 I-cache, Branch target buffer, and Branch history buffer.

Prime+Probe –> communication between Trojan and spy.

Channels:

L1 D-cache
L1 I-cache, refer to [Acıiçmez 2007; Acıiçmez et al. 2010] and [Yarom 2016]
BTB, refer to d [Milenkovic et al. 2004] and [Godbolt 2016]
BHB, as in [Evtyushkin et al. 2016]

Countermeasures

(Partition or Reset)

On stateful resources: partitioning spatially or temporally

Spatial partitioning:
- page colouring
  - OS control the access to physically indexed caches (L2…LLC)
  - set selector bits in the address overlap with the page number.
  - sets <–> colour.
  - Page size of P, cache size of S, associativity w:
    - num of colours: S/wP.
- no L1 colour: L1 usually indexed by virtual address, which is not under OS control. Same applies to other on-core state: TLB, BP.
  - These on-core caches must be flused on a domain switch.
- ARM cache partition:
Temporal partitioning: by time slices
- flushing all history-dependent state between time slices
- not possible where domains access a resource concurrently (instead of time sharing). Such as core-shared-caches.

Hardware-software contract

Augmented ISA: aISA.

For all shared hardware state, they should be able to be reset or partitioned:

security-enforcement: either partitionable or resettable;
secure concurrent sharing: must be partitionable;
secure virtually indexed state: must be resettable and not concurrently accessed;
- this implies cannot share HW threads across security domains!
specified mechanisms allowing OS to partition or reset:
- a complete spec/contract;
- constant time or bounded worst-case latency;
state provenance for resettable state: aISA must specify whether a rest operation acts on state derived from data, instructions, data addresses or instruction addresses;
- OS must know if resettable state is derived from data, isntructions, data addresses or instruction addresses;
- for a more detailed reset operation to improve performance;
- a more abstract/general are legal: e.g., a single reset operation to reset all virtually-addressed microarchitectural state (caches, TLB, branch predictor ,and prefetcher);

OS mechanisms for time protection

Cache Colouring
Kernel Cloning and Colouring
- private kernel image + a small amount of shared static data

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?