-
How Much is Performance Worth to Users? A Quantitative Approach
Authors:
Adam Hastings,
Lydia B. Chilton,
Simha Sethumadhavan
Abstract:
Architects and systems designers artfully balance multiple competing design constraints during the design process but are unable to translate between system metrics and end user experience. This work presents three methodologies to fill in this gap. The first is an incentive-compatible methodology that determines a "ground truth" measurement of users' value of speed in terms of US dollars, and fin…
▽ More
Architects and systems designers artfully balance multiple competing design constraints during the design process but are unable to translate between system metrics and end user experience. This work presents three methodologies to fill in this gap. The first is an incentive-compatible methodology that determines a "ground truth" measurement of users' value of speed in terms of US dollars, and find that users would accept a performance losses of 10%, 20%, and 30% to their personal computer in exchange for \$2.27, \$4.07, and \$4.43 per day, respectively. However, while highly accurate the methodology is a painstaking process and does not scale with large numbers of participants. To allow for scalability, we introduce a second methodology -- a lab-based simulation experiment -- which finds that users would accept a permanent performance loss of 10%, 20%, and 30% to their personal computer in exchange for \$127, \$169, and \$823, respectively. Finally, to allow for even greater scalability, we introduce a third methodology -- a survey -- and observe that the lack of incentive compatibility and the lack of hands-on experience with throttled device performance skews the results significantly, thus demonstrating the need for lab-based or incentive compatible study designs. By quantifying the tradeoff between user satisfaction and performance, we enable architects and systems designers to make more nuanced tradeoffs between design requirements.
△ Less
Submitted 27 April, 2022;
originally announced April 2022.
-
Timeloops: Automatic System Call Policy Learning for Containerized Microservices
Authors:
Meghna Pancholi,
Andreas D. Kellas,
Vasileios P. Kemerlis,
Simha Sethumadhavan
Abstract:
In this paper we introduce Timeloops a novel technique for automatically learning system call filtering policies for containerized microservices applications. At run-time, Timeloops automatically learns which system calls a program should be allowed to invoke while rejecting attempts to call spurious system calls. Further, Timeloops addresses many of the shortcomings of state-of-the-art static ana…
▽ More
In this paper we introduce Timeloops a novel technique for automatically learning system call filtering policies for containerized microservices applications. At run-time, Timeloops automatically learns which system calls a program should be allowed to invoke while rejecting attempts to call spurious system calls. Further, Timeloops addresses many of the shortcomings of state-of-the-art static analysis-based techniques, such as the ability to generate tight filters for programs written in interpreted languages such as PHP, Python, and JavaScript. Timeloops has a simple and robust implementation because it is mainly built out of commodity, and proven, technologies such as seccomp-BPF, systemd, and Podman containers, with fewer than 500 lines of code. We demonstrate the utility of Timeloops by learning system calls for individual services and two microservices benchmark applications, which utilize popular technologies like Python Flask, Nginx (with PHP and Lua modules), Apache Thrift, Memcached, Redis, and MongoDB. Further, the amortized performance of Timeloops is similar to that of an unhardened system while producing a smaller system call filter than state-of-the-art static analysis-based techniques.
△ Less
Submitted 26 September, 2022; v1 submitted 12 April, 2022;
originally announced April 2022.
-
COMMAND: Certifiable Open Measurable Mandates
Authors:
Adam Hastings,
Ryan Piersma,
Simha Sethumadhavan
Abstract:
Security mandates today are often in the form of checklists and are generally inflexible and slow to adapt to changing threats. This paper introduces an alternate approach called open mandates, which mandate that vendors must dedicate some amount of resources (e.g. system speed, energy, design cost, etc.) towards security but unlike checklist security does not prescribe specific controls that must…
▽ More
Security mandates today are often in the form of checklists and are generally inflexible and slow to adapt to changing threats. This paper introduces an alternate approach called open mandates, which mandate that vendors must dedicate some amount of resources (e.g. system speed, energy, design cost, etc.) towards security but unlike checklist security does not prescribe specific controls that must be implemented. The goal of open mandates is to provide flexibility to vendors in implementing security controls that they see fit while requiring all vendors to commit to a certain level of security. In this paper, we first demonstrate the usefulness of open security mandates: for instance, we show that mandating 10% of resources towards security reduces defenders losses by 8% and forestalls attackers by 10%. We then show how open mandates can be implemented in practice. Specifically, we solve the problem of identifying a system's overhead due to security, a key problem towards making such an open mandate enforceable in practice. As examples we demonstrate our open mandate system -- COMMAND -- for two contemporary software hardening techniques and show that our methodology can predict security overheads to a very high degree of accuracy (<1% mean and median error) with low resource requirements. We also present experiments that quantify, in terms of dollars, how much end users value the performance lost to security, which help determine the costs of such a program. Taken together -- the usefulness of mandates, their enforceability, and their quantifiable costs -- make the case for an alternate resource-based mandate.
△ Less
Submitted 9 March, 2022;
originally announced March 2022.
-
Revisiting Residue Codes for Modern Memories
Authors:
Evgeny Manzhosov,
Adam Hastings,
Meghna Pancholi,
Ryan Piersma,
Mohamed Tarek Ibn Ziad,
Simha Sethumadhavan
Abstract:
Residue codes have been traditionally used for compute error correction rather than storage error correction. In this paper, we use these codes for storage error correction with surprising results. We find that adapting residue codes to modern memory systems offers a level of error correction comparable to traditional schemes such as Reed-Solomon with fewer bits of storage. For instance, our adapt…
▽ More
Residue codes have been traditionally used for compute error correction rather than storage error correction. In this paper, we use these codes for storage error correction with surprising results. We find that adapting residue codes to modern memory systems offers a level of error correction comparable to traditional schemes such as Reed-Solomon with fewer bits of storage. For instance, our adaptation of residue code -- MUSE ECC -- can offer ChipKill protection using approximately 30% fewer bits. We show that the storage gains can be used to hold metadata needed for emerging security functionality such as memory tagging or to provide better detection capabilities against Rowhammer attacks. Our evaluation shows that memory tagging in a MUSE-enabled system shows a 12% reduction in memory bandwidth utilization while providing the same level of error correction as a traditional ECC baseline without a noticeable loss of performance. Thus, our work demonstrates a new, flexible primitive for co-designing reliability with security and performance.
△ Less
Submitted 19 December, 2022; v1 submitted 19 July, 2021;
originally announced July 2021.
-
SPAM: Stateless Permutation of Application Memory
Authors:
Mohamed Tarek Ibn Ziad,
Miguel A. Arroyo,
Simha Sethumadhavan
Abstract:
In this paper, we propose the Stateless Permutation of Application Memory (SPAM), a software defense that enables fine-grained data permutation for C programs. The key benefits include resilience against attacks that directly exploit software errors (i.e., spatial and temporal memory safety violations) in addition to attacks that exploit hardware vulnerabilities such as ColdBoot, RowHammer or hard…
▽ More
In this paper, we propose the Stateless Permutation of Application Memory (SPAM), a software defense that enables fine-grained data permutation for C programs. The key benefits include resilience against attacks that directly exploit software errors (i.e., spatial and temporal memory safety violations) in addition to attacks that exploit hardware vulnerabilities such as ColdBoot, RowHammer or hardware side-channels to disclose or corrupt memory using a single cohesive technique. Unlike prior work, SPAM is stateless by design making it automatically applicable to multi-threaded applications.
We implement SPAM as an LLVM compiler pass with an extension to the compiler-rt runtime. We evaluate it on the C subset of the SPEC2017 benchmark suite and three real-world applications: the Nginx web server, the Duktape Javascript interpreter, and the WolfSSL cryptographic library. We further show SPAM's scalability by running a multi-threaded benchmark suite. SPAM has greater security coverage and comparable performance overheads to state-of-the-art software techniques for memory safety on contemporary x86_64 processors. Our security evaluation confirms SPAM's effectiveness in preventing intra/inter spatial/temporal memory violations by making the attacker success chances as low as 1/16!.
△ Less
Submitted 21 September, 2020; v1 submitted 27 July, 2020;
originally announced July 2020.
-
A New Doctrine for Hardware Security
Authors:
Adam Hastings,
Simha Sethumadhavan
Abstract:
In this paper, we promote the idea that recent woes in hardware security are not because of a lack of technical solutions but rather because market forces and incentives prevent those with the ability to fix problems from doing so. At the root of the problem is the fact that hardware security comes at a cost; Present issues in hardware security can be seen as the result of the players in the game…
▽ More
In this paper, we promote the idea that recent woes in hardware security are not because of a lack of technical solutions but rather because market forces and incentives prevent those with the ability to fix problems from doing so. At the root of the problem is the fact that hardware security comes at a cost; Present issues in hardware security can be seen as the result of the players in the game of hardware security finding ways of avoiding paying this cost. We formulate this idea into a doctrine of security, namely the Doctrine of Shared Burdens. Three cases studies---Rowhammer, Spectre, and Meltdown---are interpreted though the lens of this doctrine. Our doctrine illuminates why these problems and exist and what can be done about them.
△ Less
Submitted 18 July, 2020;
originally announced July 2020.
-
CRYLOGGER: Detecting Crypto Misuses Dynamically
Authors:
Luca Piccolboni,
Giuseppe Di Guglielmo,
Luca P. Carloni,
Simha Sethumadhavan
Abstract:
Cryptographic (crypto) algorithms are the essential ingredients of all secure systems: crypto hash functions and encryption algorithms, for example, can guarantee properties such as integrity and confidentiality. Developers, however, can misuse the application programming interfaces (API) of such algorithms by using constant keys and weak passwords. This paper presents CRYLOGGER, the first open-so…
▽ More
Cryptographic (crypto) algorithms are the essential ingredients of all secure systems: crypto hash functions and encryption algorithms, for example, can guarantee properties such as integrity and confidentiality. Developers, however, can misuse the application programming interfaces (API) of such algorithms by using constant keys and weak passwords. This paper presents CRYLOGGER, the first open-source tool to detect crypto misuses dynamically. CRYLOGGER logs the parameters that are passed to the crypto APIs during the execution and checks their legitimacy offline by using a list of crypto rules. We compare CRYLOGGER with CryptoGuard, one of the most effective static tools to detect crypto misuses. We show that our tool complements the results of CryptoGuard, making the case for combining static and dynamic approaches. We analyze 1780 popular Android apps downloaded from the Google Play Store to show that CRYLOGGER can detect crypto misuses on thousands of apps dynamically and automatically. We reverse-engineer 28 Android apps and confirm the issues flagged by CRYLOGGER. We also disclose the most critical vulnerabilities to app developers and collect their feedback.
△ Less
Submitted 2 July, 2020;
originally announced July 2020.
-
Using Name Confusion to Enhance Security
Authors:
Mohamed Tarek Ibn Ziad,
Miguel A. Arroyo,
Evgeny Manzhosov,
Vasileios P. Kemerlis,
Simha Sethumadhavan
Abstract:
We introduce a novel concept, called Name Confusion, and demonstrate how it can be employed to thwart multiple classes of code-reuse attacks. By building upon Name Confusion, we derive Phantom Name System (PNS): a security protocol that provides multiple names (addresses) to program instructions. Unlike the conventional model of virtual memory with a one-to-one mapping between instructions and vir…
▽ More
We introduce a novel concept, called Name Confusion, and demonstrate how it can be employed to thwart multiple classes of code-reuse attacks. By building upon Name Confusion, we derive Phantom Name System (PNS): a security protocol that provides multiple names (addresses) to program instructions. Unlike the conventional model of virtual memory with a one-to-one mapping between instructions and virtual memory addresses, PNS creates N mappings for the same instruction, and randomly switches between them at runtime. PNS achieves fast randomization, at the granularity of basic blocks, which mitigates a class of attacks known as (just-in-time) code-reuse.
If an attacker uses a memory safety-related vulnerability to cause any of the instruction addresses to be different from the one chosen during a fetch, the exploited program will crash. We quantitatively evaluate how PNS mitigates real-world code-reuse attacks by reducing the success probability of typical exploits to approximately $10^{-12}$. We implement PNS and validate it by running SPEC CPU2017 benchmark suite. We further verify its practicality by adding it to a RISC-V core on an FPGA. Lastly, PNS is mainly designed for resource constrained (wimpy) devices and has negligible performance overhead, compared to commercially-available, state-of-the-art, hardware-based protections.
△ Less
Submitted 26 August, 2020; v1 submitted 5 November, 2019;
originally announced November 2019.
-
Practical Byte-Granular Memory Blacklisting using Califorms
Authors:
Hiroshi Sasaki,
Miguel A. Arroyo,
M. Tarek Ibn Ziad,
Koustubha Bhat,
Kanad Sinha,
Simha Sethumadhavan
Abstract:
Recent rapid strides in memory safety tools and hardware have improved software quality and security. While coarse-grained memory safety has improved, achieving memory safety at the granularity of individual objects remains a challenge due to high performance overheads which can be between ~1.7x-2.2x. In this paper, we present a novel idea called Califorms, and associated program observations, to…
▽ More
Recent rapid strides in memory safety tools and hardware have improved software quality and security. While coarse-grained memory safety has improved, achieving memory safety at the granularity of individual objects remains a challenge due to high performance overheads which can be between ~1.7x-2.2x. In this paper, we present a novel idea called Califorms, and associated program observations, to obtain a low overhead security solution for practical, byte-granular memory safety.
The idea we build on is called memory blacklisting, which prohibits a program from accessing certain memory regions based on program semantics. State of the art hardware-supported memory blacklisting while much faster than software blacklisting creates memory fragmentation (of the order of few bytes) for each use of the blacklisted location. In this paper, we observe that metadata used for blacklisting can be stored in dead spaces in a program's data memory and that this metadata can be integrated into microarchitecture by changing the cache line format. Using these observations, Califorms based system proposed in this paper reduces the performance overheads of memory safety to ~1.02x-1.16x while providing byte-granular protection and maintaining very low hardware overheads.
The low overhead offered by Califorms enables always on, memory safety for small and large objects alike, and the fundamental idea of storing metadata in empty spaces, and microarchitecture can be used for other security and performance applications.
△ Less
Submitted 10 June, 2019; v1 submitted 5 June, 2019;
originally announced June 2019.
-
FIRED: Frequent Inertial Resets with Diversification for Emerging Commodity Cyber-Physical Systems
Authors:
Miguel Arroyo,
Hidenori Kobayashi,
Simha Sethumadhavan,
Junfeng Yang
Abstract:
A Cyber-Physical System (CPS) is defined by its unique characteristics involving both the cyber and physical domains. Their hybrid nature introduces new attack vectors, but also provides an opportunity to design new security defenses. In this paper, we present a new domain-specific security mechanism, FIRED, that leverages physical properties such as inertia of the CPS to improve security.
FIRED…
▽ More
A Cyber-Physical System (CPS) is defined by its unique characteristics involving both the cyber and physical domains. Their hybrid nature introduces new attack vectors, but also provides an opportunity to design new security defenses. In this paper, we present a new domain-specific security mechanism, FIRED, that leverages physical properties such as inertia of the CPS to improve security.
FIRED is simple to describe and implement. It goes through two operations: Reset and Diversify, as frequently as possible -- typically in the order of seconds or milliseconds. The combined effect of these operations is that attackers are unable to gain persistent control of the system. The CPS stays safe and stable even under frequent resets because of the inertia present. Further, resets simplify certain diversification mechanisms and makes them feasible to implement in CPSs with limited computing resources.
We evaluate our idea on two real-world systems: an engine management unit of a car and a flight controller of a quadcopter. Roughly speaking, these two systems provide typical and extreme operational requirements for evaluating FIRED in terms of stability, algorithmic complexity, and safety requirements. We show that FIRED provides robust security guarantees against hijacking attacks and persistent CPS threats. We find that our defense is suitable for emerging CPS such as commodity unmanned vehicles that are currently unregulated and cost sensitive.
△ Less
Submitted 21 February, 2017;
originally announced February 2017.
-
The Spy in the Sandbox -- Practical Cache Attacks in Javascript
Authors:
Yossef Oren,
Vasileios P. Kemerlis,
Simha Sethumadhavan,
Angelos D. Keromytis
Abstract:
We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine -- to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extr…
▽ More
We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine -- to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today's web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al., allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on other benign uses of the web browser and of the computer.
△ Less
Submitted 1 March, 2015; v1 submitted 25 February, 2015;
originally announced February 2015.
-
Unsupervised Anomaly-based Malware Detection using Hardware Features
Authors:
Adrian Tang,
Simha Sethumadhavan,
Salvatore Stolfo
Abstract:
Recent works have shown promise in using microarchitectural execution patterns to detect malware programs. These detectors belong to a class of detectors known as signature-based detectors as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs. In this work, we propose a new class of detectors - anomaly-based hardware malware de…
▽ More
Recent works have shown promise in using microarchitectural execution patterns to detect malware programs. These detectors belong to a class of detectors known as signature-based detectors as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs. In this work, we propose a new class of detectors - anomaly-based hardware malware detectors - that do not require signatures for malware detection, and thus can catch a wider range of malware including potentially novel ones. We use unsupervised machine learning to build profiles of normal program execution based on data from performance counters, and use these profiles to detect significant deviations in program behavior that occur as a result of malware exploitation. We show that real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can be detected with nearly perfect certainty. We also examine the limits and challenges in implementing this approach in face of a sophisticated adversary attempting to evade anomaly-based detection. The proposed detector is complementary to previously proposed signature-based detectors and can be used together to improve security.
△ Less
Submitted 28 March, 2014; v1 submitted 6 March, 2014;
originally announced March 2014.
