Trustworthy Systems

Time Protection: Principled prevention of timing channels


Gernot Heiser

    School of Computer Science and Engineering
    Sydney 2052, Australia


Invited Talk at the Enabling Trust through OS Proofs (ENTROPY) Workshop


Timing channels provide information flow through the timing of events, in violation of a system’s security policy. Their existence has been known for decades, but the dangers they pose were largely ignored, except in military-type systems. The Spectre exploits disclosed last year use timing channels to exfiltrate secret information exposed through speculative execution, and demonstrate that timing channels are a first-order security concern.

In this talk I will report on our experience with developing principled, OS-enforced mandatory prevention of timing-channel leakage, through a set of mechanisms we collectively call time protection, in analogy to the well-established memory protection. I will present the design and implementation of time protection in the formally verified seL4 microkernel, as well as an evaluation of its efficacy and performance cost. We find that time protection is generally effective on simpler or somewhat older processors, but that latest-generation high-performance processors of both x86 and Arm instruction-set architectures (ISAs) hold state that is not accessible to software but exploitable as timing channels. We conclude that present processors are inherently insecure, as they cannot prevent timing channels, and that industry must agree to a new, security-oriented hardware-software contract that goes beyond the ISA. We define the properties such a contract must prescribe, and outline how time protection, and the absence of timing-channel leakage, can be verified with such a contract in place.

BibTeX Entry

    author           = {Gernot Heiser},
    howpublished     = {Invited Talk at the Enabling Trust through OS Proofs ({ENTROPY}) Workshop},
    location         = {Stockholm, SE},
    month            = jun,
    title            = {Time {Protection}: Principled Prevention of Timing Channels},
    year             = {2019}