Logs and side channels
Lee, Hyun Bin
Permalink: https://hdl.handle.net/2142/121444
Description
- Title
- Logs and side channels
- Author(s)
- Lee, Hyun Bin
- Issue Date
- 2023-07-05
- Director of Research (if dissertation) or Advisor (if thesis)
- Gunter, Carl A
- Fletcher, Chris W
- Doctoral Committee Chair(s)
- Gunter, Carl A
- Fletcher, Chris W
- Committee Member(s)
- Bates, Adam
- Borisov, Nikita
- Pierson, Timothy J
- Department of Study
- Computer Science
- Discipline
- Computer Science
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- Ph.D.
- Degree Level
- Dissertation
- Keyword(s)
- system logs
- microarchitectural side channels
- data-oblivious computation
- trusted execution environments
- Abstract
- While system administrators would prefer to configure their systems so that their loggers capture as much detail as possible, such detail may include sensitive information. In particular, system audit logs aim to record information about system events that are triggered during any incident, so they inevitably contain sensitive information that needs to be kept secret. Redacting and obfuscating such information may help when it is written explicitly in logs, but implicit information (content that is seemingly not secret but indirectly leaks secret information) cannot be handled with such measures. Unfortunately, researchers have overlooked the risk of leaking implicit secret content. This thesis first introduces Termite attacks, a new class of side channel attack that exploits such implicit content to learn secret information. We demonstrate how logs can be used to create both membership inference attacks and keystroke timing attacks, and show practical exploits against a common setup: a LEMP (Linux, Nginx, MySQL, PHP) web server with an SSH daemon that is audited by the Linux Audit System (LAS). Then we demonstrate how to launch a concurrency-based timing side channel attack. Contrary to the belief that log information is too coarse-grained to be exploited for modern microarchitectural side channel attacks, we demonstrate how adversaries can craft timing side channels as fine as hundreds of nanoseconds through system audit logs. To address such vulnerabilities, where logs leak sensitive information via microarchitectural side channels, we propose two different countermeasure schemes. The first scheme involves data-oblivious computation and Trusted Execution Environments (TEEs) against adversarial systems. We demonstrate how to produce a side-channel-resistant log by instrumenting a complex programming environment (like R) to produce a Data-Oblivious Transcript (DOT).
  The DOT is designed so that any sensitive data from the computation is decoupled from the transcript. Such a transcript is later evaluated in a TEE containing the sensitive data, using a small trusted computing base called the Data-Oblivious Virtual Environment (DOVE). While DOVE allows us to protect logs, deploying DOVE requires several prerequisites. In particular, another countermeasure is needed when one cannot completely decouple timing information from logs. As we have shown how Termite attacks exploit such timing information to steal secrets, our last study investigates how to mitigate this attack vector against the aforementioned system audit logs stored on an honest system that adversaries temporarily break into. This study observes tradeoffs between the number of timestamps in logs and the utility of audit logs. We analyze existing utility functions associated with audit logs and choose a reachability function as the utility standard for this study. We use DARPA's Trusted Computing Dataset to conduct the experiments. In order to guarantee complete security against timing side channels, the logs must not contain any timing information: no timestamp exists and the ordering of all log entries is randomized. We call such logs Timeless Logs. Unfortunately, our reachability analysis showed that such extreme measures lead to very poor utility in our experiments against the dataset. Hence, we introduce an alternative method, Batched Timeless Logs. This method divides logs into n batches and makes each batch timeless. We preserve ordering among batches, so there are n distinct pieces of time information stored in the logs. The size of each batch is randomized to augment security against clock-edge attacks between batches.
  Our experimentation on a public dataset shows that when batches are sufficiently small (a batch size of around 1,000 entries or smaller), there is only a 1.47 percent increase on average in the number of false-positive reachable nodes from randomly picked source nodes. We argue that side-channel attacks against logs can leak very fine-grained information across any vulnerable application, but such threats have been overlooked. Our study of such attacks and the proposed countermeasures highlights future work that should be addressed.
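The Batched Timeless Logs construction described in the abstract (cut the log into n batches of randomized size, drop timestamps, shuffle within each batch, keep only the batch order) is concrete enough to sketch as code. The following is an added illustration, not code from the dissertation or its artifacts: the `LogEntry` type, the jitter parameter and the constructed sample entries are assumptions, and the dissertation's own dataset and batching details are not reproduced. It also includes the check a defender would want before shipping such a log: that every entry survives exactly once and that cross-batch ordering is intact.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    timestamp: float  # assumed field: seconds since epoch, the value we want to remove
    event: str        # assumed field: the audit record payload without its timestamp


def random_batch_sizes(total, n_batches, rng, jitter=0.5):
    """Return n_batches positive sizes summing to total. Each size is drawn around
    total / n_batches with +/- jitter so that batch boundaries are not predictable
    (the randomization the abstract uses against clock-edge attacks between batches)."""
    if n_batches < 1 or n_batches > total:
        raise ValueError("need 1 <= n_batches <= number of entries")
    base = total / n_batches
    sizes = []
    remaining = total
    for i in range(n_batches - 1):
        slots_left = n_batches - 1 - i          # batches still to be filled after this one
        lo = max(1, int(base * (1 - jitter)))
        hi = max(lo, int(base * (1 + jitter)))
        hi = min(hi, remaining - slots_left)    # leave at least one entry per later batch
        lo = min(lo, hi)
        size = rng.randint(lo, hi)
        sizes.append(size)
        remaining -= size
    sizes.append(remaining)
    return sizes


def batched_timeless(entries, n_batches, seed=None, jitter=0.5):
    """Produce a Batched Timeless Log: sort entries, cut them into n batches of
    randomized size, drop every timestamp, and shuffle each batch. Only the batch
    sequence number survives as coarse time information."""
    rng = random.Random(seed)
    ordered = sorted(entries, key=lambda e: e.timestamp)
    sizes = random_batch_sizes(len(ordered), n_batches, rng, jitter)
    batches = []
    start = 0
    for seq, size in enumerate(sizes):
        chunk = [e.event for e in ordered[start:start + size]]
        rng.shuffle(chunk)                      # within-batch order is randomized
        batches.append({"batch": seq, "events": chunk})
        start += size
    return batches


def check_batch_order(entries, batches):
    """Defender-side sanity check: every event appears exactly once in the output, and
    the latest original timestamp in batch i never exceeds the earliest in batch i+1."""
    ts = {e.event: e.timestamp for e in entries}
    seen = [ev for b in batches for ev in b["events"]]
    if sorted(seen) != sorted(ts):
        return False
    for prev, nxt in zip(batches, batches[1:]):
        if max(ts[ev] for ev in prev["events"]) > min(ts[ev] for ev in nxt["events"]):
            return False
    return True


# Constructed sample audit-style entries, 250 ms apart; not taken from any real dataset.
SAMPLE = [LogEntry(1_690_000_000.0 + i * 0.25, f"evt-{i:03d} syscall=openat")
          for i in range(40)]

if __name__ == "__main__":
    log = batched_timeless(SAMPLE, n_batches=4, seed=7)
    for b in log:
        print(b["batch"], len(b["events"]), b["events"][:3])
    print("order preserved across batches:", check_batch_order(SAMPLE, log))
```

The trade-off the abstract measures is visible in the parameters: smaller batches keep more ordering (better reachability utility) but retain more timing information, and `n_batches == len(entries)` degenerates to an ordinary timestamped sequence while `n_batches == 1` is a fully Timeless Log.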
- Graduation Semester
- 2023-08
- Type of Resource
- Thesis
- Copyright and License Information
- Copyright 2023 Hyun Bin Lee
Owning Collections
- Graduate Dissertations and Theses at Illinois (primary)
- Graduate Theses and Dissertations at Illinois