Quantitative Mitigation of Timing Side Channels

06/21/2019
by   Saeid Tizpaz-Niari, et al.
0

Timing side channels pose a significant threat to the security and privacy of software applications. We propose an approach for mitigating this problem by decreasing the strength of the side channels as measured by entropy-based objectives, such as min-guess entropy. Our goal is to minimize the information leaks while guaranteeing a user-specified maximal acceptable performance overhead. We dub the decision version of this problem Shannon mitigation, and consider two variants, deterministic and stochastic. First, we show the deterministic variant is NP-hard. However, we give a polynomial algorithm that finds an optimal solution from a restricted set. Second, for the stochastic variant, we develop an algorithm that uses optimization techniques specific to the entropy-based objective used. For instance, for min-guess entropy, we used mixed integer-linear programming. We apply the algorithm to a threat model where the attacker gets to make functional observations, that is, where she observes the running time of the program for the same secret value combined with different public input values. Existing mitigation approaches do not give confidentiality or performance guarantees for this threat model. We evaluate our tool SCHMIT on a number of micro-benchmarks and real-world applications with different entropy-based objectives. In contrast to the existing mitigation approaches, we show that in the functional-observation threat model, SCHMIT is scalable and able to maximize confidentiality under the performance overhead bound.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
06/07/2021

QFuzz: Quantitative Fuzzing for Side Channels

Side channels pose a significant threat to the confidentiality of softwa...
research
08/30/2018

Data-Driven Debugging for Functional Side Channels

Functional side channels arise when an attacker knows that the secret va...
research
04/27/2015

Deterministically Deterring Timing Attacks in Deterland

The massive parallelism and resource sharing embodying today's cloud bus...
research
07/23/2019

Efficient Detection and Quantification of Timing Leaks with Neural Networks

Detection and quantification of information leaks through timing side ch...
research
10/17/2018

When Human cognitive modeling meets PINs: User-independent inter-keystroke timing attacks

This paper proposes the first user-independent inter-keystroke timing at...
research
08/30/2019

Pacer: Network Side-Channel Mitigation in the Cloud

An important concern for many Cloud customers is data confidentiality. O...
research
05/15/2017

Simulated Penetration Testing and Mitigation Analysis

Penetration testing is a well-established practical concept for the iden...

Please sign up or login with your details

Forgot password? Click here to reset