IEEE Symposium on Security and Privacy 2020
IEEE S&P 2020 conference (also known as Oakland) was held virtually due to the restrictions for COVID-19. This page will be the notes that I took during my virtual attendance, which includes attending virtual talks as well as question sessions. Wherever possible I included a link for papers that are openly accessible, otherwise you will need to access them through IEEE. For the complete program, please see the official IEEE security website. You can also find all their videos online (this link is to Invidious an alternative front-end to YouTube).
Sessions that I attended:
- Opening Remarks
- Microarchitectural Security
- Sensors and Emanations
- Memory Safety
- Cryptanalysis and Side Channels
- TEEs and Attestation
- Hardware Security
Opening Remarks (18 May)
Gabriela Ciocarlie was the general chair and gave the opening statement on how the virtual conference will work. All talks are pre-recorded and available via the on24 platform. Each session will be followed by question and answer sessions via Zoom. Alina Oprea and Hovav Shacham are the program chairs and talked about the rolling deadline that they have been experimenting with over the last two years. Acceptance rate has been around 12% for every year, but the conference has been growing year on year. They announced that they will move to a quarterly submission model.
Best paper award was given to TRRespass: Exploiting the Many Sides of Target Row Refresh. Best practical paper award was given to An Analysis of Pre-installed Android Software. Best student paper award was given to Can Voters Detect Malicious Manipulation of Ballot Marking Devices? Test-of-Time awards are given to papers that are of continued value and impact the world and research. The awards for the 1995-2006 era are available on this page along with the other award winners. The awards for the 2008-2010 era are given to: Experimental Security Analysis of a Modern Automobile (2010) and Outside the Closed World: On Using Machine Learning For Network Intrusion Detection (2010).
Microarchitectural Security (18 May)
They introduce speculative semantics for program execution, which if it is the same with non-speculative execution shows that your program has the same behavior running on a speculative CPU as on one that does not speculate. To formalize speculation, they introduce an oracle, which always mispredicts branch instructions. Speculative non-interference means that given an oracle O, for all program states s ans s':
(P_nonspec(s) = P_nonspec(s')) => (P_spec(s, O) = P_spec(s', O))
They introduce Spectector which is a tool that automatically finds counter-examples to the speculative non-interference. They use this tool to evaluate the mitigations that three different compilers provide.
This work introduces a cache attack on the last level cache of a remote machine. They use DDIO (Data Direct I/O Technology), which allows a PCI/e device to store things directly to caches as opposed to having to store it to memory. They also use RDMA (Remote Direct Memory Access), which uses the DDIO as an optimization and you can detect whether the request is being serviced from the LLC or the DRAM. One limitation is that DDIO only gives access to 10% of the cache lines. They use this attack to time SSH packets and find out what words people are typing. At the moment they think the only way to mitigate this attack at the moment is to disable DDIO. Intel assigned the following code to it: CVE-2019-11184.
Previous mitigations to speculative execution attacks include: inserting memory fences, flushing the predictor on domain change and closing side channel attacks. This paper looks at Spectre Variant 2, which involves poisoning the branch target buffer. They require an extension to the ISA (instruction set architecture), which adds a label to the branch targets so that branches can only jump to addresses from the same domain. If a branch target is poisoned this will be detected and a fence will be inserted. To implement this they modified LLVM to insert a label for each branch target. For performance they compare their system with no modification and retpoline mitigation.
They introduce a new class of speculative execution attacks. The first parallel they draw is branch prediction can be influenced, but it becomes more powerful if you can inject branch targets. Meltdown and its variants rely on address dependencies, where you can read from other addresses that share parts of the address you are using. LVI uses meltdown and then adds the idea of injection. They target SGX enclaves as a victim, because you can trivially cause page faults in enclaves. The basic idea is to fill a micro-architectural buffer with attacker controlled data and then trick the victim in using this data. Flushing micro architectural buffers do not mitigate this attack, you really need to fence after every load instruction.
Sensors and Emanations (18 May)
Sensors are an interface between the physical world and the electronic world. To stop the attacker from man in the middle attack they randomly turn the sensor on and off. It only works for measurements that are sampled so frequently that it is considered to be constant or if it is predictably periodic. They encode this signal over Manchester encoding with the secret value. Assuming the attacker does not know the sequence of secret bits, they cannot guess what to insert on the wire. Their attacker model is an attacker that is physically far away and they are injecting values via electromagnetic radiation for example.
WaveSpy: Remote and Through-wall Screen Attack via mmWave Sensing
This paper is about sensitive information leakage from screens. Screen contents is leaked because of liquid crystal states in screens. Their attack uses a saw signal from a transmitter and measure the response as those waves pass through (or reflect from) the screen. They can detect what type of application is running on a screen and test this setup on a Dell monitor, a Samsung phone and an Apple watch. They also prototype an attack to read the security pin from a phone's screen and how barriers of different types of material affect the detection. Protections include shielding your screen and having software inject noise onto the screen.
Sensor safety is very important since people have shown lasers to affect voice assistants and Lidar's on cars being fooled. Different sensors use different words to describe attacks and their goal is to unite all of these fields. Attackers can add malicious inputs to any part of the sensor: the transducer, amplifier, filter and ADC. Usually signal injection uses 2 steps: injecting signal and then measuring the output to fine-tune the injection. They've made a taxonomy of all known signal injection attacks and defenses. This taxonomy allows two attacks to be combined to discover new attacks and find how defenses for one attack can be translated to another.
Memory Safety (19 May)
This work introduces a protection against data-oriented attacks. They partition memory regions in domains, enforce fine-grained memory protection and protect integrity of pointers to xMP domains. They allow this directly in Linux without relying on a hypervisor. They use Xen altp2m to create disjoint domains. Page permissions are added for each page in host memory and a dedicated address-tranlation table exists for each domain. They provide integrity for pointers by using a 16-bit HMAC, which cannot be brute-forced because on each failure the system shuts down and keys are regenerated. They encode the xMP domain in some flag bits of the guest physical memory. To know which xMP domain an application belongs to they put it in immutable data structure like mm_struct.
Their defense protects against memory corruption attacks. Their goal is to create a user-mode hardware feature that protects user memory and is fast. SEIMI can prevent access to user pages in supervisor mode more efficiently than MPK does. To avoid kernel memory corruption they create a parallel non-root ring-0 for the user to call into (using virtualization). They show that their solution is more efficient than Intel MPX and MPK for different benchmarks.
Memory frees are placed in quarantine. They go through the stack and follow any references through the heap to see which references are allowed to be freed and not. Allocations that are on page level can be freed without quarantining and instead just unmapping the virtual page. They have much lower overhead than other marking systems. There's a trade-off between quarantine size and slowdown, because the larger the quarantine will mean less marking.
Previously, CHERI protecte pointer integrity and spatial safety, but does not protect temporal safety. CHERIvoke adds temporal safety by creating a quarantine buffer to free memory and then do a revocation sweep once in a while. CHERI tags allow for architectural speed up of revocation sweeps. For example, skipping pages that do not contain any capabilities can be done by loading a whole cache line of tags and checking whether they are all zero. Their solution uses these architectural features and sees how they work on a real system.
Rowhammer (19 May)
Cells from different security domains can be located next to each other on a physical memory module. Previous work showed that writing to a row can cause bit flips in adjacent rows. RAMBleed uses this concept by observing a row and deducing what has been written to adjacent rows. They produce an attack that forces Linux to get 2MB of sequential physical memory. The attack uses the page frame cache to trick the victim to place its victims in the correct row. The attacker has control over the page frame cache by freeing memory at the correct time. The attacker can cause accesses to rows with the secret by having a row split in two and have one part of the row still being accessible by the attacker. Their attack can extract OpenSSH keys from user space. ECC memory does not stop RAMBleed, because when an error occurs it takes a longer time to read the row, which causes a timing side-channel. This work shows that Rowhammer not only breaks integrity but also confidentiality.
Industry claimed that DDR4 was Rowhammer free, but this is a false claim. They create an end-to-end methodology to test whether any cloud server is susceptible to Rowhammer. They test this in a worst-case scenario using the highest rate of row activation. Traditional Rowhammer instruction sequences include: two memory reads, flush these rows and a memory barrier. They found that two clflushopt instructions in a loop was optimal for generating highest rate of activation. The internal mapping of DRAM chips is hard to find and changes per vendor. To show that their attack works they create hardware that filters out refresh commands from the CPU. They used this setup to reverse engineer the adjacency map of DRAMs and found that some rows are only partially adjacent to other rows, so Rowhammer might require hammering of more than 2 rows.
They exploit electromagnetic (EM) signals as a Rowhammer detection mechanism. All Rowhammer attacks use the memory bus, the memory controller and DRAM. EM emanation from DRAM clock is greater than 400MHz and observable at a distance and the clock carries signal based on how much activity of the DRAM. In a frequency diagram you can see how frequently the DRAM is being activated. However, there might be false positives. Spread Spectrum Clocking (SSC) is because there are EMC limits, which add noise to the EM emanation of the clock. To overcome this they reverse engineer SSC and correct for it in the measurements. This de-spreading actually helps suppress noise and improves the channel. They've also shown that this EM channel can be used as a covert channel in a different paper.
Target row refresh (TRR) is advertised as a Rowhammer mitigation, but this work challenges that. TRR keeps track of each row activation and refreshes victim rows whenever needed. This paper focuses on TRR that is performed in-DRAM (not from memory controller or CPU). They exploit the fact that they can overflow the sampler, which means TRR cannot track all of the row activations anymore. Instead of reverse engineering all TRR implementations they use fuzzing. Even with double refresh rate they can still cause bit flips. They actually show that DDR4 is more vulnerable to Rowhammer than DDR3. The author said that to mitigate this attack DRAM vendors should standardize mapping functions and find a way to make memory refreshes secure.
Cryptanalysis and Side Channels (20 May)
This side channel arises due to observable difference across program executions. JIT compilers introduce side channels to code that seems not to leak timing information. This is because JIT optimize for typical behavior and therefore it is possible to detect when atypical behavior happens. Slowdown is experienced in the typical case for a while after an atypical event has occurred. They show this attack to work on the Apache Shiro authentication library, which can use timing of low-privileged user logins to detect whether a high-privileged login has occurred. One mitigation could be to stop using optimistic compilation, adding noise to run-time and marking security-sensitive sections of code.
Their work looks at clients that make encrypted queries to a server. Search pattern leakage means that servers can figure out if the same query is asked multiple times. Previous attacks have many assumptions like the assumption that the query distribution is uniform. They create an attack that is agnostic to query distribution and without introducing extra assumptions. Overview of attack: there are different entries in the database with distance in keys, the attacker can observe the frequency of keys and which entries are returned, they use these frequencies to estimate the distance between the plaintext entries. Their attack uses the observation of access patterns to an encrypted database to deduce the plaintext values in the database.
Attacks on random number generators break crypto systems. CTR_DRBG is a standard way to create random number generators, but it has two main problems: there is no key rotation and adding entropy is optional. This means that disclosing the key in the RNG discloses the state and compromises it for all future random numbers. Some cryptographic libraries use side-channel secure AES for encryption but not for random number generation. Their attack requires 2000 Bytes of randomly generated output and they use the padding for 16K RSA to get this data. Their main advice is to use HASH_DRBG instead, because they have done some formal proofs on this which have not been done on other DRBG standards.
Flaw Label: Exploiting IPv6 Flow Label
The IPv4 address pool has run out and so computers have moved to using IPv6, which has 128-bit addresses. The flow label is included in the header of IPv6. These labels are generated by a random number generator or a hash function to guarantee uniform distribution. The keys for these hash functions are only regenerated on reboot for most systems. This means that the flow label can be used to track users. Once the key is revealed (by active or passive attacks) they can create a device id to track users.
TEEs and Attestation (20 May)
They classified all known vulnerabilities in TrustZone. All major parts of TrustZone have been affected and no major TEE manufacturer is excluded. The first class of attacks exploit architectural issues: wide interfaces in TEE components (e.g. Widevine implememtns 70 commands, 69 system calls in Qualcomm secure world), excessively large trusted computing base (much larger than SEL4), ability to map normal-world physical memory allows trusted applications to escalate privilege via the normal world, lackluster memory protection in TEE (no ASLR) and trusted application revocation is not possible which allows downgrade attacks. The second class of attacks exploit implementation issues: validation bugs, bugs within the secure monitor (buffer overflow attacks), functional bugs (bugs in memory protection) and extrinsic bugs (concurrency issues running to trusted applications in parallel). The third class of attacks exploit hardware issues: energy management mechanisms (normal-world performs energy management) and leakage through caches (normal and secure world contend for same cache lines). They also summarize defenses proposed for all of these attacks.
How can a server verify work done by an embedded device? Existing solutions sign code and firmware, but cannot detect dynamic attacks. They introduce operation execution integrity (OEI) which includes control flow integrity and the values of critical variables. OAT stands for OEI Attestation Framework. To find out what the critical control flow and variables are is done by the compiler. Their system is a hybrid scheme between hashing the state and verifying an execution trace. They trace conditional branches, jump targets and hash return addresses. The verifier must simulate the trace to check the control flow. Critical variables are those that influence control flow and those tagged by the programmer as important. The checks for control flow and critical variables are instrumented by the compiler, which causes code size increase. They improve on previous work by reducing trace size and reducing code instrumentation sites.
Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment
TEEs are not possible for heterogeneous platforms like GPU and TPU. Their solution does not require hardware changes (unlike previous work), has small a small trusted computing base and has support for server heterogeneous computing. Side channels are included in threat model. HETEE is a box that can be added to a server rack. In this box all requests go through the security controller. All enclave memory is encrypted and allows enclave code to be run on any type of hardware (e.g. GPU and TPU). They also claim to protect against physical attacks due to the box being sealed. Their solution pretty much creates an air-gap between enclaves and untrusted systems, but they have not done any measurements to see the performance degradation of this.
They found an undocumented register for controlling voltage, which can be used to undervolt and cause bit faults. They use this attack to cause faults in SGX that are not detected by integrity check. They did their experiments using multiplications and found that only certain operands faulted. They use the faults caused in multiplication to do Lenstra Attack on RSA running inside SGX. They also found that undervolting can make the AES-NI instructions fault, which revealed keys. Lastly, they could induce memory corruption in enclaves and cause secrets to be written to untrusted memory.
SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions
SEV protects virtual machines from malicious hypervisors. They build an encryption oracle for SEV-ES. To do this they look at the tweak function, which is used to vary the encryption from one block to another. Their work reverse engineers the tweak function and finds a way to create valid encryption values for different addresses. They then do some work showing how changing one byte in memory can give full control in the VM. SEV-SNP stops this attack by disallowing the write, but is not as strong as using cryptographic integrity.
Hardware Security (20 May)
Transys: Leveraging Common Security Properties Across Hardware Designs
Assertion based verification is a common way to do hardware security, but deciding the set of security properties is hard. This work tries to take a set of security properties from one design and translates it to a new design. Transys takes two Verilog files and a set of security properties for one and produces the set of security properties for the other. They use statistical analysis, names and structural features to find which variables correspond to which in the two designs. They add extra constraints to security properties for the second design to make sure that there are no mistakes in the security properties. Their tool has a success rate of about 50% and shows that it is possible to translate security properties from one design to another.
This work creates a covert-channel between a device and an FPGA on a single-tenant. Their covert channel only requires a shared power supply by using different numbers of ring oscillators on an FPGA to cause changes in the power supply voltage. The receiver can use ring oscillators to measure small changes in power supply voltage. Transmitting can also be done by stressing different CPU or GPU cores to change the supply voltage. They show that they can create a reliable communication channel and that they can circumvent restrictions set by cloud FPGA providers.
ICAS: An Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans
Flaws in hardware can undermine all security guarantees in software. How do we know if our hardware isn't modified at the foundry level? Previous work has not been practical in stopping hardware Trojans. Their tool looks at integrated circuit layouts and shows where Trojans are likely to be inserted. They mostly focus on additive Trojans, which depend on the following metrics: trigger-space, net blockage and route distance. In essence they calculate how hard it would be to place a Trojan in a free spot and route it to security critical wires (annotated by designer). ICAS is also extensible so future metrics can be added. The can use this tool to create defenses by densely populating areas near security critical structures (especially in the metal layers).