A component of computer processors that connects different parts of the chip can be exploited by malicious actors looking to steal secret information from programs running on the computer, MIT researchers have found.
Modern computer processors contain many computing units, called cores, that share the same hardware resources. The on-chip interconnect is the component that allows these cores to talk to each other. When programs on several cores run simultaneously and send data across the chip at the same time, their traffic competes for the interconnect, and each program's requests can be delayed by the other's.
Side-channel attack
By monitoring and measuring these delays, a malicious actor can perform what is known as a side-channel attack and reconstruct secret information handled by a program, such as a cryptographic key or a password.
MIT researchers reverse-engineered the on-chip interconnect to study how this type of attack might be possible. Based on their findings, they built an analytical model of how traffic flows between processor cores, which they used to design and launch surprisingly effective side-channel attacks. They then developed two mitigation strategies that let users improve security without making any physical changes to the chip.
A small leak
“A lot of today’s side-channel defenses are ad hoc – we see a bit of a leak here and fix it. We hope that our approach with this analytical model will drive more systematic and robust defenses that eliminate entire classes of attacks at the same time,” says co-lead author Miles Dai, MEng ’21.
Dai wrote the paper with co-lead author Riccardo Paccagnella, a graduate student at the University of Illinois at Urbana-Champaign; Miguel Gomez-Garcia ’22; John McCalpin, a research scientist at the Texas Advanced Computing Center; and senior author Mengjia Yan, Homer A. Burnell Career Development Assistant Professor of Electrical Engineering and Computer Science (EECS) and a member of the Computer Science and Artificial Intelligence Laboratory (CSAIL). The research was presented at the USENIX Security Symposium.
A modern processor is like a two-dimensional grid, with multiple cores arranged in rows and columns. Each core has its own cache where data is stored, and there is also a larger cache that is shared across the entire processor. When a program located in one core needs to access data in a cache that is in another core or in the shared cache, it must use the on-chip interconnect to send this request and retrieve the data.
Although it is an important component of the processor, the on-chip interconnect has remained largely unstudied because it is difficult to attack, explains Dai. An attacker needs to observe the moment when traffic from two cores actually interferes, but since each request spends so little time in the interconnect, it is hard to time the attack correctly. The interconnect is also complex, and there are multiple paths that traffic can take between cores.
Swapping locations
To study how traffic flows on the interconnect, the MIT researchers wrote programs that intentionally access caches located outside their local cores.
“By trying different situations, trying different locations, and swapping locations of these programs on the processor, we can understand what the rules are behind the traffic flows on the interconnect,” says Dai.
They discovered that the interconnect is like a highway, with multiple lanes in all directions. When two traffic streams collide, the interconnect uses a priority arbitration policy to decide which stream goes through first. The most “important” requests take precedence, such as those from programs that are critical to the computer’s operation.
Using this information, the researchers built an analytical model of the processor that summarizes how traffic flows on the interconnect. The model shows which cores are most vulnerable to a side-channel attack: a core is more exposed if its traffic can be contended from many different lanes. An attacker can use this information to choose the best core from which to monitor a victim program and steal its information.
“If the attacker understands how the interconnect works, they can set things up so that the execution of some sensitive code is observable through the interconnect’s contention. They can then extract, little by little, some secret information, such as a cryptographic key,” explains Paccagnella.
When the researchers used this model to launch side-channel attacks, they were surprised at how quickly they worked. They were able to recover full cryptographic keys from two different victim programs.
After studying these attacks, they used their analytical model to devise two mitigation mechanisms.
In the first strategy, the system administrator uses the model to identify which cores are most vulnerable to attack and then schedules sensitive software on the less vulnerable cores. In the second strategy, the administrator reserves the cores located around a sensitive program and runs only trusted software on them, so that no untrusted program can contend with its traffic.
The researchers found that both mitigation strategies significantly reduce the accuracy of the side-channel attacks. Neither requires changes to the physical hardware, so the mitigations would be relatively easy to deploy, says Dai.
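The following Python toy model is an added example written for this article, not the researchers' model or code. It illustrates the attack described above (an attacker timing its own remote cache accesses while a victim's secret-dependent traffic contends for the same interconnect links) and both mitigations (ranking cores by how many others can observe them, and reserving the cores that could contend with the victim for trusted code). The 4x4 mesh, the X-then-Y routing, the victim-first arbitration rule, the access latencies and the secret bit pattern are all constructed assumptions for illustration; real chips differ in every one of these details.

```python
"""Toy model of a mesh-interconnect contention side channel and its
scheduling mitigations.  Constructed example: a ROWS x COLS mesh of cores
with dimension-order (X first, then Y) routing and a link arbiter that lets
the victim's request go first.  Geometry, routing and arbitration are
assumptions, not the paper's model or any real processor."""
from itertools import product

ROWS, COLS = 4, 4                                   # assumed mesh geometry
CORES = [(r, c) for r in range(ROWS) for c in range(COLS)]


def route(src, dst):
    """Directed links a request traverses from src to dst, moving along the
    row first and then along the column (assumed routing policy)."""
    (r, c), (tr, tc) = src, dst
    links = []
    step = 1 if tc > c else -1
    while c != tc:
        links.append(((r, c), (r, c + step)))
        c += step
    step = 1 if tr > r else -1
    while r != tr:
        links.append(((r, c), (r + step, c)))
        r += step
    return links


def latency(attacker_route, victim_route, victim_active):
    """Cycles for one attacker request: one per link, plus one stall on every
    link the victim is using at the same time (victim traffic has priority)."""
    base = len(attacker_route)
    if not victim_active:
        return base
    return base + len(set(attacker_route) & set(victim_route))


def recover_bits(attacker, attacker_target, victim, victim_target, secret):
    """The victim touches victim_target only while processing a 1 bit; the
    attacker times its own accesses and reads a 1 whenever they are slower
    than the uncontended baseline."""
    a_route = route(attacker, attacker_target)
    v_route = route(victim, victim_target)
    baseline = latency(a_route, v_route, victim_active=False)
    return [1 if latency(a_route, v_route, bit == 1) > baseline else 0
            for bit in secret]


def attack_accuracy(attacker, attacker_target, victim, victim_target, secret):
    """Fraction of secret bits the attacker recovers correctly."""
    got = recover_bits(attacker, attacker_target, victim, victim_target, secret)
    return sum(g == s for g, s in zip(got, secret)) / len(secret)


def observers(victim, victim_target):
    """Cores from which some choice of target lets an attacker share a link
    with the victim's route: the set mitigation 2 reserves for trusted code."""
    v_links = set(route(victim, victim_target))
    return {a for a, t in product(CORES, CORES)
            if a != t and a != victim and v_links & set(route(a, t))}


def rank_placements(victim_target):
    """Mitigation 1: rank candidate victim cores by how many other cores could
    observe their traffic to victim_target (fewest observers first)."""
    return sorted((len(observers(v, victim_target)), v)
                  for v in CORES if v != victim_target)


if __name__ == "__main__":
    victim, v_target = (1, 1), (1, 3)
    secret = [1, 0, 1, 1, 0, 0, 1, 0]                  # constructed secret bits
    # Attacker on the victim's row, sharing two links: every bit leaks.
    print("attacker at (1,0):", recover_bits((1, 0), (1, 3), victim, v_target, secret))
    # Mitigation 2: these cores must run trusted code only.
    print("reserve for trusted code:", sorted(observers(victim, v_target)))
    # Attacker outside that set sees constant latency and learns nothing.
    print("attacker at (0,0):", recover_bits((0, 0), (3, 0), victim, v_target, secret))
    # Mitigation 1: place the sensitive program on a least-exposed core.
    print("least exposed placements:", rank_placements(v_target)[:3])
```

In this model the reserved set for a purely horizontal victim route is small (only cores upstream on the same row can contend with it), while a route with a vertical segment is observable from every core that can funnel traffic into that column; comparing `rank_placements` across target locations shows why the scheduling decision depends on where the victim's data lives, not just on the victim core.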
Ultimately, they hope their work will inspire more researchers to study the security of on-chip interconnects, says Paccagnella.
“We hope this paper highlights how the on-chip interconnect, which is such a large component of computer processors, remains an overlooked attack surface. In the future, as we build systems that have stronger isolation properties, we must not ignore the interconnect,” he adds.
This work was supported, in part, by the National Science Foundation and the Air Force Office of Scientific Research.