Robust covert channels based on DRAM power consumption

Robust covert channels based on DRAM power consumption

Thales Bandiera Paiva¹ Javier Navaridas² Routo Terada¹

1Institute of Mathematics and Statistics University of Sao Paulo, Brazil

2School of Computer Science University of Manchester, U.K.

[email protected] [email protected] [email protected]

22nd Information Security Conference

September 17, 2019

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 1 / 21

Software-based power measurement

Power consumption is a major concern for computing devices

∙ Small devices have low battery life

∙ Huge clusters can consume a prohibitive amount of power

Some CPUs of major vendors provide interfaces for power management

∙ Intel Running Average Power Limit (RAPL)

∙ AMD Application Power Management (APM)

Unfortunately this potentially comes with two security risks

∙ Covert channels

∙ Side-channel attacks

Covert Channels

∙ Suppose we have two processes that are meant to be isolated

∙ A covert channel enables these two processes to communicate

∙ Are used to exfiltrate secrets from a target system

∙ Critical systems should resist known covert channels

Trojan Secret

key Container 1

Target system

Attacker Container 2

Spy Covert

Channel

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 3 / 21

Power consumption leaks information: Side-channel attacks

Side-channel attacks

∙ Kocher et al.’99 introduced Simple and Differential Power Analysis

∙ Security against SPA and DPA is required for crypto implementations

∙ Main limitation is that attacker needs physical access

∙ Mantel et al.’18 showed a key distinguishing attack using software-based energy consumption

Kocher, Paul, Joshua Jaffe, and Benjamin Jun. "Differential power analysis." Annual International Cryptology Conference. Springer, Berlin, Heidelberg, 1999.

Mantel, Heiko, et al. "How secure is green IT? The case of software-based energy side channels." European Symposium on Research in Computer Security. Springer, Cham, 2018.

Power consumption leaks information: Covert channels

Covert channels¹

∙ Murdoch’s ’06 used temperature’s effect on clock skew (21bph)

∙ Masti’s et al. ’15 used core temperature (50bps)

∙ Long et al. ’18 improved to 600 bps in 2018

∙ Miedl and Thiele ’18 showed a covert channel based on RAPL

∙ It uses only CPU power

∙ It achieves 1000 bps in their notebook and 200 bps in their server

Murdoch, Steven J. "Hot or not: Revealing hidden services by their clock skew." Proceedings of the 13th ACM conference on Computer and communications security. ACM, 2006.

Masti, Ramya Jayaram, et al. "Thermal covert channels on multi-core platforms." 24th USENIX Security Symposium (USENIX Security 15). 2015.

Long, Zijun, et al. "Improving the efficiency of thermal covert channels in multi-/many-core systems." 2018 Design, Automation and Test in Europe Conference and Exhibition (DATE). IEEE, 2018.

Miedl, Philipp, and Lothar Thiele. "The security risks of power measurements in multicores." Proceedings of the 33rd Annual ACM Symposium on Applied Computing. ACM, 2018.

1Transmission rates for 15% error

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 5 / 21

Our contribution

We propose the first covert channel based on DRAM power

∙ It uses the RAPL interface for software-based power monitoring

∙ No privileged instruction needed

∙ The channel construction is validated under two platforms

∙ We tested its robustness against CPU and DRAM benchmarks

∙ The results improves upon previous similar proposals with respect to

∙ bandwidth

∙ error rate

∙ robustness against interference

Intel Software-based power measurements

∙ Internal performance registers give power consumption estimates

∙ Modern Intel CPU’s provide the RAPL interface for power monitoring

∙ Sampling rate is around 1000 Hz

∙ In Linux, RAPL estimates can be read using thepowercapmodule

∙ This does not require special privileges!

RAPL domains available in our notebook’s CPU

Core 1 Graphics

Core 1

Shared L3 cache PP0 Package

DRAM PP1

Memory

controller DRAM

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 7 / 21

Modulating power consumption

We can modulate power consumption by

∙ Doing CPU-intensive task with some number of threads

∙ Doing Memory-intensive task (memset)

Power consumption modulation in the Notebook setup (4 hyperthreads)

0.0 2.5 5.0 7.5 10.0 12.5 15.0 17.5 20.0

0 2 4 6 8 10

Power(W) ^{1 thread}

2 threads

3 threads 4 threads 5 threads

PP0 DRAM

0 1 2 3 4 5 6 7

Time (seconds) 0

2 4 6

Power(W)

10L3 20L3 50L3

100L3 200L3 500L3

PP0 DRAM

Our covert channel

Shared parameters

∙ Lett_s be the transmission starting time

∙ Lett be some fixed modulation time interval in seconds Encoding (Trojan)

∙ 1 ⇒memset and sleep untilt seconds have passed

∙ 0 ⇒do nothing fort seconds Decoding (spy)

∙ Start recording power consumption at instant ts

∙ To decode the i-th bit do

∙ Let P be the average power between(ts + (i−1)t)and(ts+it)

∙ IfPis above some threshold, decode as 1

∙ Otherwise decode as 0

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 9 / 21

Our covert channel

Example of the covert channel transmitting at 100 bps

∙ Using only CPU power modulation (top)

∙ Using only DRAM power modulation (bottom)

0 5 10 15

Power(Watts)

PP0 Threshold

0.0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 0.09 0.1 0.11 0.12 0.13 0.14 0.15 0.16 0.17 0.18 0.19 0.2

Time aftert_s(seconds) 0

2 4 6

Power(Watts)

DRAM Threshold

Technical problems

Sync: It is not reasonable to expect Trojan and spy to share a clock

∙ Trojan can start transmission by sending a predefined message

∙ Spy usest_c as the point that better decodes to the syncing message Length: The spy needs to know the message length

∙ Messages of fixed size may be too restrictive

∙ Can use a number of the first bits to encode the message length Threshold: Choose a decoding threshold

∙ When message bits are balanced, use the average power as threshold

∙ Trojan sends initial known message for spy to learn the best threshold

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 11 / 21

Evaluating the covert channels

Three main targets

∙ Transmission rate

∙ Error rate

∙ Robustness against application interference Experiments

∙ memsetwith memory chunks of different sizes

∙ Transmission rates between 300 and 600 bps

∙ Two environments

∙ Notebook: Intel i5-4210U (dual-core), L3 of L3N=3MB

∙ Desktop: Intel i7-8700 (hexa-core), L3 of L3D =12MB

∙ 10 messages generated at random for each set of parameters

∙ Messages of 1000 bits: 100 for syncing and 900 for payload

Power consumption profiles of the benchmarks

We considered the power consumption of 3 benchmarks

∙ MRBench and Terasort are similar

∙ LINPACK appears to impact power consumption the most Power consumption profiles of the benchmarks in the Notebook setup

0 5 10 15

PP0power(W)

Idle MRBench Terasort LINPACK

0 10 20 30

0 1 2 3

DRAMpower(W)

0 10 20 30 0 10 20 30 0 10 20 30

Time (seconds)

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 13 / 21

Experimental results

0.0 0.1 0.2 0.3 0.4 0.5

Errorrate

300bps

Idle MRBench Terasort LINPACK

0.0 0.1 0.2 0.3 0.4 0.5

Errorrate

400bps

0.0 0.1 0.2 0.3 0.4 0.5

Errorrate

500bps

0.8L3 D

1L3 D

1.5L3 D

2L3 N

5L3 N

10L3 N

0.0 0.1 0.2 0.3 0.4 0.5

Errorrate

600bps

0.8L3 D

1L3 D

1.5L3 D

2L3 N

5L3 N

10L3 N

0.8L3 D

1L3 D

1.5L3 D

2L3 N

5L3 N

10L3 N

0.8L3 D

1L3 D

1.5L3 D

2L3 N

5L3 N

10L3 N

Size of the memory chunk used bymemset

Desktop Notebook

Experimental results

∙ Intermediatememsetparameters are better

∙ Easily distinguishable

∙ Do not cause synchronization issues

∙ The notebook is more robust than the Desktop

∙ Desktop’s larger number of cores work too much under high load

∙ LINPACK is the benchmark which affects the channel the most

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 15 / 21

Achieving higher transmission rates

Recall: size of the memsetargument is correlated with power consumption

Symbol a b c d

(Notebook)memset 0L3 1.5L3 3L3 6L3 (Desktop)memset 0L3 0.8L3 1.2L3 1.4L3

1 2 3

DRAM power (W) 4.5

5.0 5.5 6.0

PP0power(W)

Notebook

0.5 1.0 1.5 2.0 2.5

DRAM power (W) 6

8 10 12 14

PP0power(W)

Desktop

a b c d

Caveat: more complex decoder

Better decoders with clustering algorithms

The simple binary decoder procedure does not make sense anymore

∙ We propose the use of the Random Forests Classifier

∙ This classifier needs a training set with correct labels Trojan and spy now use two predefined messages

∙ First a syncing message as before

∙ Then a message for the spy to train its classifier To analyze the performance, we considered

∙ A training message of size 5000

∙ 10 independent messages of size 1000

∙ Spy used the same trained classifier for all 10 messages

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 17 / 21

Experimental results

200 400 600 800 1000 0.0

0.1 0.2 0.3 0.4 0.5

Errorrate

1bitper symbol

Idle

200 400 600 800 1000 MRBench

200 400 600 800 1000 Terasort

200 400 600 800 1000 LINPACK

400 800 120016002000 0.0

0.1 0.2 0.3 0.4 0.5

Errorrate

2bitsper symbol

400 800 120016002000 400 800 120016002000 400 800 120016002000

600 1200180024003000 0.0

0.1 0.2 0.3 0.4 0.5

Errorrate

3bitsper symbol

600 1200180024003000 600 1200180024003000 600 1200180024003000

800 1600240032004000 0.0

0.1 0.2 0.3 0.4 0.5

Errorrate

4bitsper symbol

800 1600240032004000 800 1600240032004000 800 1600240032004000 Transmission rate (bits per second)

Desktop Notebook

Experimental results

∙ Results are much better than with the simple decoder

∙ Notebook still more robust than Desktop

∙ It is more difficult for the Desktop to transmit at high rates

∙ Its L3 is too big, andmemsetstarts causing synchronization problems

∙ Results can be significantly improved if specific parameters are chosen

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 19 / 21

Comparison with a similar proposal

DRAM and CPU power modulation results in a considerable improvement

Miedl and Thiele[MT08] Our work

Processor Transfer rate Error rate Processor Transfer rate Error rate Intel Xeon

E5-2690 (octa-core)

200 bps ≈15%

Intel Core i7-8700 (hexa-core)

2400 bps ≈15%

Intel Core i7-4710MQ (quad-core)

1000 bps ≈15%

Intel Core i5-4210U (dual-core)

1800 bps ≈10%

Conclusion

∙ We presented the first covert channel based on DRAM power

∙ It uses simple algorithms for encoding and decoding

∙ It can can transmit at high rates with low error rates

∙ It is robust against application interference

∙ The channel does not use privileged instructions

∙ It poses a real threat to critical systems Future work

∙ Use software-based power measurement for side-channel attacks

∙ Improve bandwidth with better distinguishers for memory power states Code available at www.ime.usp.br/~tpaiva

T. B. Paiva, J. Navaridas, R. Terada Covert channels based on DRAM power September 17, 2019 21 / 21