





























### **Covert Channels**

- A covert channel is a path for an illegal flow of information within a system
- Any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy
  - National Institute of Standards and Technology


### STAM Center

ASU Engineering

### Covert Channels

- There are many types of covert channels within a computing system:
  - Timing covert channels
    - Methods to extract how much time a computation or a computational task takes
  - Termination covert channels
    - Methods to detect whether a computation terminates
  - Probability covert channels
    - Methods to determine the distribution of certain system events or which control path the program takes
  - Resource utilization covert channels
    - Approaches to establish a resource's utilization level or whether the resource is depleted
  - Power covert channels
    - Methods to determine the amount of energy consumed or required by a computational task


### **Covert Channels**

- Covert channels have many uses, both to improve and to undermine the security of a computing system
  - Exfiltrate data from an otherwise secure system
  - Avoid detection of unauthorized access
  - Install, spread, or control malware on compromised systems
  - Circumvent content or resource filters
  - Bypass firewalls for unrestricted access
  - Malware authors use timing to detect analysis sandboxes

### Covert Channels

- Important characteristics of a covert channel
  - Existence
    - Is a channel present?
  - Bandwidth
    - How much information can be transmitted?
  - Noiseless/noisy
    - Can the information be transmitted without loss or distortion?
- Main examples of covert channels
  - Covert storage channel
  - Covert timing channel



### Covert Channels

- It is usually infeasible for realistic systems to eliminate every potential covert channel
- Mitigation techniques for covert channels
  - Eliminate or minimize it by modifying or refining the system implementation
  - Reduce potential covert channel bandwidth through noise injection into the channel
  - Monitor it for patterns of usage that indicate potential exploitation
    - E.g., intrusion detection
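The effect of the noise-injection mitigation can be quantified on a toy model. The simulation below is an added example, not part of the original slides; the symbol delays, the uniform noise model and the fixed-threshold receiver are constructed assumptions.

```python
import math
import random

SHORT_MS, LONG_MS = 10.0, 20.0   # constructed symbol delays for bit 0 / bit 1

def binary_entropy(p):
    """H(p) in bits; 0 at the endpoints."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def channel_estimate(noise_ms, n_bits=20000, seed=1):
    """Simulate a timing channel with uniform injected delay in [0, noise_ms].

    Returns (bit_error_rate, bits_per_symbol, bits_per_second), treating the
    thresholding receiver as a binary symmetric channel.
    """
    rng = random.Random(seed)
    # Best fixed threshold: midpoint of the two symbols plus the mean noise.
    threshold = (SHORT_MS + LONG_MS) / 2 + noise_ms / 2
    errors = 0
    for _ in range(n_bits):
        bit = rng.getrandbits(1)
        observed = (LONG_MS if bit else SHORT_MS) + rng.uniform(0.0, noise_ms)
        errors += int((observed > threshold) != bool(bit))
    ber = errors / n_bits
    bits_per_symbol = 1.0 - binary_entropy(min(ber, 0.5))
    # Injected delay also stretches every symbol, lowering the symbol rate.
    mean_symbol_s = ((SHORT_MS + LONG_MS) / 2 + noise_ms / 2) / 1000.0
    return ber, bits_per_symbol, bits_per_symbol / mean_symbol_s

if __name__ == "__main__":
    for noise in (0, 10, 20, 40, 100):
        ber, bps, rate = channel_estimate(noise)
        print(f"noise={noise:>3} ms  BER={ber:.3f}  "
              f"{bps:.3f} bit/symbol  {rate:6.1f} bit/s")
```

In this model, jitter no larger than the 10 ms symbol spacing causes no decoding errors and only slows the channel; the per-symbol capacity drops only once the injected delay exceeds that spacing, and the same delay is paid by legitimate users of the resource.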




M. Backes, M. Dürmuth, S. Gerling, M. Pinkal, and C. Sporleder, "Acoustic side-channel attacks on printers," in USENIX Security Symposium, 2010, pp. 307–322

M. Hutter and J.-M. Schmidt, "The temperature side channel and heating fault attacks," in International Conference on Smart Card Research and Advanced Applications. Springer, 2013, pp. 219–235


### Side Channels

- Side-channel attacks are current and real threats
  - "Security flaw lets attackers recover private keys from Qualcomm chips"



[1] https://www.businesswire.com/news/home/20180808005464/en/Strategy-Analytics-Q1-2018-Smartphone-Apps-Processor


### Side Channels

- Circumvent security measures
  - Qualcomm Secure Execution Environment (QSEE)
    - Hardware-isolated execution
    - Leaks private data, encryption keys, etc.
  - A cache side-channel is used to retrieve sensitive information

### Intel CPUs impacted by new Zombieload side-channel attack

Researchers, academics detail new Microarchitectural Data Sampling (MDS) attack











| Physical access required      | Physical access not required |
|-------------------------------|------------------------------|
| Power analysis                | Timing side-channels         |
| Electromagnetic side-channels | Traffic analysis             |
| Optical side-channels         |                              |
| Acoustic side-channels        |                              |
| Thermal side-channels         |                              |

- …e-channel attacks require … physical access to the system
- …le-channels are based on timing





















### Cache Side-Channel Attacks

"Consider securing a smart card is harder than securing the hardware of an offsite server against side-channel attacks"

- Threat model
  - Given: F: K × M → D, where
    - K is a finite set of keys
    - M is a finite set of messages
    - D is an arbitrary set of ciphertexts
  - The attacker is assumed to have no access to the values of k and F(k, m), but can measure/observe the characteristics of the physical implementation of F



### Cache Side-Channel Attacks

- Caches are used as the covert channel in many microarchitectural attacks (Spectre, Meltdown, Foreshadow, etc.)
- Cache side-channel attacks exploit intrinsic cache characteristics
  - Caches are shared among processes
  - Hit/miss latency
  - Cache way and set organization
  - Coherence invalidations
- Can circumvent security measures such as privilege checks, browser sandboxing, Address Space Layout Randomization, etc.
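Why sharing and set organization leak information, shown on a toy model (an added example, not from the original slides). The cache geometry, the `ToyCache` class, the addresses and the idealized per-owner partitioning are constructed assumptions, and hits and misses are counted directly rather than timed.

```python
from collections import OrderedDict

LINE_BYTES, NUM_SETS, WAYS = 64, 4, 2   # constructed toy geometry

class ToyCache:
    """Set-associative LRU cache model; 'partitioned' gives each owner private sets."""

    def __init__(self, partitioned=False):
        self.partitioned = partitioned
        self.sets = {}

    def access(self, owner, addr):
        """Return True on a hit, False on a miss, and update LRU state."""
        tag = addr // LINE_BYTES
        index = tag % NUM_SETS
        key = (owner, index) if self.partitioned else index
        lines = self.sets.setdefault(key, OrderedDict())
        if tag in lines:
            lines.move_to_end(tag)          # mark as most recently used
            return True
        if len(lines) >= WAYS:
            lines.popitem(last=False)       # evict the least recently used line
        lines[tag] = owner
        return False

def observer_misses(secret_bit, partitioned):
    """Misses another process sees in set 0 after a secret-dependent access."""
    cache = ToyCache(partitioned)
    # Observer's own lines: one per way, all mapping to set 0.
    mine = [way * LINE_BYTES * NUM_SETS for way in range(WAYS)]
    for addr in mine:
        cache.access("observer", addr)
    # The other process touches set 0 when the bit is 0, set 1 when it is 1.
    cache.access("victim", 0x1000 + secret_bit * LINE_BYTES)
    return sum(not cache.access("observer", addr) for addr in mine)

if __name__ == "__main__":
    for partitioned in (False, True):
        for bit in (0, 1):
            label = "partitioned" if partitioned else "shared"
            print(f"{label:>11} cache, secret bit {bit}: "
                  f"{observer_misses(bit, partitioned)} observer misses")
```

With the shared cache the miss count differs with the secret bit, which is the hit/miss signal the slide refers to; with the sets isolated per owner the count is the same for both values.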









### Cloud/FPGA Side-Channel Attacks

- Ring Oscillator Temperature Sensor
  - Ring Oscillator (RO) is a temperature-to-frequency transducer suitable for thermal monitoring on FPGAs
  - Comparing RO counts (affected by temperature) to reference clock counts (not affected by temperature) allows one to measure relative RO frequency

Eduardo Boemo and Sergio López-Buedo. 1997. Thermal monitoring on FPGAs using ring-oscillators. In International Workshop on Field Programmable Logic and Applications. Springer, 69–78.

### Side Channel Defenses

- Defense
  - Leakage Reduction
  - Noise Injection
  - Key Update
  - Side channel resistant PUFs
  - Secure scan chains
- Metrics
  - The amount of secret information that is vulnerable
  - The number of samples from side channels needed to extract the secret information

### Process Isolation

- Isolating a process is not trivial, and requires architectural, OS, compiler/runtime, and software support
- Isolating processes (e.g., using SGX) sacrifices hardware utilization
- Currently there is no simple way of using multi-core systems for secure computation
- Users have to choose between multiple powerful but unsecure cores, and slow, secure enclaves
- The tradeoff is coarse-grained and at design-time













### Upcoming Lectures

- Hardware Root-of-Trust Design