PH.D DEFENCE - PUBLIC SEMINAR

Defense Against Micro-Architecture Level Transient Execution Based Attacks Via Program Analysis

Speaker
Mr Wang Guanhua
Advisor
Dr Tulika Mitra, Provost'S Chair Professor, School of Computing
Dr Abhik Roychoudhury, Provost'S Chair Professor, School of Computing


04 Jan 2021 Monday, 10:00 AM to 11:30 AM

Zoom presentation

Join Zoom Meeting
https://nus-sg.zoom.us/j/87473503686?pwd=cDBTQWtuMnBTby9pWmpjZGRMa3E0dz09

Meeting ID: 874 7350 3686
Password: 302260

Abstract
Modern processors rely on micro-architectural optimizations predicting or re-ordering the instruction stream to improve performance. These optimizations may introduce security issues in the intermediate state of the execution. Spectre and Meltdown attacks disclosed in early 2018 exposed the data leakage scenario in transient execution of the processor. A key insight into these vulnerabilities is that transient execution in processors can be misused to access secrets. More specifically, the incorrect prediction of an execution path enables the execution of some instructions transiently. Even though transiently executed instructions are finally squashed, the secret may linger in micro-architectural states. The leakage can potentially be accessed by an attacker via side-channels. Transient execution attacks threaten almost all computer systems since transient executions such as branch prediction and out-of-order execution are widely adopted by high-performance processors. One kind of transient execution attack is the Spectre-type attack, which leverages speculative execution to explore data leakage when a branch is mispredicted. Most Spectre attacks rely on vulnerable codes in the victim program and the vulnerable code can be accessed on speculative execution paths, which expose security issues such as data leakage. Theoretically, program analysis can verify whether a program is vulnerable to transient execution based attacks. However, the traditional program analysis does not consider this hardware mechanism. To address this issue, in this dissertation, we focus on novel program analysis methods to explore the potential vulnerabilities related to transient execution.

In the first step, we propose a static analysis to check whether a given program binary is vulnerable to Spectre attack, and if so, our tool automatically patches the program to mitigate the Spectre vulnerability with minimal performance overhead. We present a comprehensive and scalable solution, called oo7, based on static program analysis. We have successfully introduced accurate modelling of speculative execution in oo7.

Once vulnerable code snippets are detected by oo7, we introduce fence instructions at selected program points to prevent speculative execution and thereby protect the code from Spectre attack. The programs fixed by oo7 introduce negligible performance overhead compared with the existing solutions.

Furthermore, oo7 introduces false positives because its underlying technique is static program analysis that does not take the accurate execution context into account during analysis. Thus, the vulnerabilities detected by oo7 may not leak data when running on the hardware. Besides, oo7 does not model the cache that it assumes all leakage in the speculative path can be observed by the attacker. Therefore, a more accurate program analysis tool that integrates speculative execution and cache modelling can significantly reduce false positives. Symbolic execution is a well-known accurate program testing method. To engage the speculative execution and cache modelling into the traditional symbolic execution, we propose KLEESpectre. KLEESpectre, built on top of KLEE symbolic execution engine, can thus provide a reliable testing engine to detect and verify data leakage during speculative execution.

Finally, we present a tool called Efuzz to prevent the timing-driven cache side-channel attacks by using fuzzing while considering the transient execution. We introduced Shannon's entropy as a metric in fuzzing technique to make fuzzing more efficient. Efuzz achieves better efficiency than state-of-the-art fuzzing engines in detecting timingdriven cache side-channel leakage.

The goal of this dissertation is to explore program analysis to mitigate the latest transient execution attacks. The works proposed in this dissertation introduce novel methods to bring hardware features into the program analysis and detect the program vulnerability
caused by the hardware security weakness before the program runs on the hardware.