Principled elimination of microarchitectural timing channels through operating-system enforced time protection
Author
Qian Ge
CSIRO's Data61, Australia
UNSW, Australia
Abstract
Microarchitectural timing channels exploit resource contention on a shared hardware platform to cause information leakage through timing variance. These channels threaten system security by providing unauthorised information flow in violation of the system’s security policy. Present operating systems lack the means for systematic prevention of such channels. To address this problem, we propose time protection as an operating system (OS) abstraction, which provides mandatory temporal isolation analogous to the spatial isolation provided by the established memory protection abstraction.
In order to understand microarchitectural timing channels, we first study all published microarchitectural timing attacks and their countermeasures, and analyse the underlying causes. Then we define two application scenarios, a confinement scenario, and a cloud scenario, which between them represent a large class of security-critical use cases, and aim to develop a solution that supports both.
Our study identifies competition for limited hardware resources as the underlying cause for microarchitectural timing channels. From this we derive the requirement that proper isolation requires that all shared resources must be partitioned, either spatially or temporally (time-shared). We then analyse a number of recent processors across two instruction-set architectures (ISAs), x86 and Arm, for their support for such partitioning. We discover that all examined processors exhibit hardware state that cannot be partitioned by architected means, meaning that they all have uncloseable channels. We define the requirements hardware must satisfy for timing-channel prevention, and propose an augmented ISA as a new, security-oriented hardware-software contract.
Assuming conforming hardware, we then define the requirements that OS-provided time protection must satisfy. We propose a concrete design of time protection, consisting of a set of policy-free mechanisms, and present an implementation in the seL4 microkernel. We evaluate the efficacy and efficiency of the implementation, and show that it is highly effective at closing timing channels, to the degree supported by the underlying hardware. We also find that the performance overheads are small to negligible. We conclude that principled prevention of timing channels is possible through mandatory, black-box enforcement by the OS, subject to hardware manufacturers providing mechanisms for scrubbing all shared microarchitectural state.
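The abstract's central requirement is that every shared resource must be partitioned, either spatially (e.g. cache colouring) or temporally (time-sharing with state scrubbed at each switch). The following toy simulation, an added illustration that is not code from the thesis or from seL4, makes that requirement measurable: a constructed direct-mapped cache is shared by a "victim" domain that makes one secret-dependent access and an "observer" domain that re-reads its own lines afterwards, and the entropy of the observer's view over a uniform secret is reported as leaked bits. The cache model, the 16-set size, the domain names and the colour assignments are all assumptions chosen for the example; real caches (associativity, replacement policy, prefetchers, other shared state) are deliberately not modelled.

```python
import math
from collections import Counter

# Constructed toy model: a direct-mapped cache with one line per set, each line
# tagged (domain, line_id). Not seL4 code; assumed shapes for illustration only.
class DirectMappedCache:
    def __init__(self, n_sets):
        self.n_sets = n_sets
        self.lines = [None] * n_sets

    def access(self, domain, line_id, allowed_sets):
        """Touch line `line_id` of `domain`. The OS restricts the domain to the
        sets in `allowed_sets` (cache colouring); returns True on a hit."""
        target = allowed_sets[line_id % len(allowed_sets)]
        hit = self.lines[target] == (domain, line_id)
        self.lines[target] = (domain, line_id)
        return hit

    def flush(self):
        """Scrub all cache state, the action time protection takes on a domain
        switch for resources that are time-shared rather than partitioned."""
        self.lines = [None] * self.n_sets


def observation(secret, n_sets, victim_sets, observer_sets, flush_on_switch):
    """One round: the observer fills its sets, the victim makes a single
    secret-dependent access, then the observer re-reads its lines and records
    which of them were evicted (True = still present, False = evicted)."""
    cache = DirectMappedCache(n_sets)
    for i in range(len(observer_sets)):
        cache.access("observer", i, observer_sets)
    if flush_on_switch:
        cache.flush()                      # switch observer -> victim
    cache.access("victim", secret, victim_sets)
    if flush_on_switch:
        cache.flush()                      # switch victim -> observer
    return tuple(cache.access("observer", i, observer_sets)
                 for i in range(len(observer_sets)))


def leaked_bits(n_sets, victim_sets, observer_sets, flush_on_switch):
    """Entropy of the observer's view when the secret is uniform over
    range(n_sets). The toy channel is deterministic, so this entropy equals
    the mutual information between secret and observation."""
    counts = Counter(observation(s, n_sets, victim_sets, observer_sets,
                                 flush_on_switch) for s in range(n_sets))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


N = 16                  # assumed number of cache sets in the toy model
ALL = list(range(N))

def shared_cache():         # no isolation: both domains compete for every set
    return leaked_bits(N, ALL, ALL, flush_on_switch=False)

def coloured_cache():       # spatial partition: disjoint colours, no flush needed
    return leaked_bits(N, ALL[:8], ALL[8:], flush_on_switch=False)

def flushed_cache():        # temporal partition: shared sets, scrubbed on switch
    return leaked_bits(N, ALL, ALL, flush_on_switch=True)

def overlapping_colours():  # incomplete partition: four sets remain shared
    return leaked_bits(N, ALL[:12], ALL[8:], flush_on_switch=False)


if __name__ == "__main__":
    for name, fn in [("shared", shared_cache), ("coloured", coloured_cache),
                     ("flushed", flushed_cache), ("overlap", overlapping_colours)]:
        print(f"{name:9s} leaks {fn():.3f} bits per victim access")
```

Running the script prints 4.000 bits for the unpartitioned cache (the observer can tell exactly which set the victim touched), 0.000 bits for both the coloured and the flushed configurations, and roughly 1.311 bits for the overlapping assignment. The last case is the one a practitioner should keep in mind: partitioning that leaves even a few sets shared does not merely reduce the channel, it leaves a channel with measurable capacity, which is why the thesis insists that all shared hardware state be either partitioned or scrubbed.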
BibTeX Entry
@phdthesis{Ge:phd,
  address  = {Sydney, Australia},
  author   = {Qian Ge},
  month    = oct,
  paperurl = {https://trustworthy.systems/publications/papers/Ge%3Aphd.pdf},
  school   = {UNSW},
  title    = {Principled Elimination of Microarchitectural Timing Channels through Operating-System Enforced Time Protection},
  year     = {2019}
}