Suman Jana and Vitaly Shmatikov, The University of Texas at Austin. Memento: Learning Secrets from Process Footprints. 33rd Security & Privacy (May 2012), Best student paper award. This slide deck is modified from http://www.cs.utexas.edu/~suman/publications/oakland12/Memento.pptx


Page 1: Suman Jana and Vitaly Shmatikov The University of Texas at Austin Memento: Learning Secrets from Process Footprints 33 rd Security & Privacy (May, 2012)

Suman Jana and Vitaly Shmatikov

The University of Texas at Austin

Memento: Learning Secrets from Process Footprints

33rd Security & Privacy (May, 2012) Best student paper award

This slide deck is modified from http://www.cs.utexas.edu/~suman/publications/oakland12/Memento.pptx

Page 2:

Outline

A Seminar at Advanced Defense Lab, 2012/05/28

• Introduction
• Side channels through /proc
• Memento
• Implementation
• Evaluation
• Variations of the attack
• Solutions?
• Summary

Page 3:

Introduction


Implementing an entire security mechanism in user mode is very difficult.

Page 4:

Trends in software design

Applications rely on OS abstractions to improve their safety and reliability: “process”, “user”

Case study: Web browsers

[Figure: the browser forks a new process for www.xbank.com and another for www.quickdate.com; the two are separated by OS isolation]

Page 5:

Unintended consequences

Good
• Better isolation
• Better reliability: others not affected if one process crashes
• Better safety

Bad
• Leaks more info to concurrent processes

Topic of this talk

Page 6:

ProcFS: Process info in multi-user OS

ps
top -p 1
cat /proc/1/status

Introduced in the 1980s: Tom Killian, "Processes as Files" (1984)

Page 7:

What can one learn from ProcFS?

• IP addresses of websites other users are visiting

Page 8:

Side channels through /proc

• "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems" (Kehuan Zhang and XiaoFeng Wang), USENIX Security 2009
  o Keystroke timing leaks through the ESP/EIP values in /proc/<pid>/stat

Page 9:

The story of "Peeping Tom"

NDSS '09 program committee:

"Nobody uses multi-user computers anymore"

Shout-out to XiaoFeng ;)

Page 10:

The story of "Peeping Tom"

Oakland '09 program committee:

"Nobody uses multi-user computers anymore"

Shout-out to XiaoFeng ;)

Page 11:

Nobody uses multi-user computers anymore???

Page 12:

Android sandboxing = UNIX multi-user isolation

ps
top -p 1
cat /proc/1/status

UNIX multi-users in the 1980s

Page 13:

Android sandboxing = UNIX multi-user isolation

ps
top -p 1
cat /proc/1/status

Android “multi-users” in 2012

Page 14:

Android sandboxing = UNIX multi-user isolation

• Different apps run as different users
• Android uses the OS “user” abstraction to isolate applications

Page 15:

Android sandboxing = UNIX multi-user isolation

ps
top -p 1
cat /proc/1/status

Android “multi-users” in 2012

ProcFS API is still unchanged!!

Page 16:

What can a zero-permission app do?

• Can read all world-readable files in /proc
• … but the “Peeping Tom” attack does not work
  o ESP/EIP too unpredictable - JVM, GUI etc.
• Introducing “Memento” attacks
  o Works on all major OSs (except iOS)

Page 17:

This is not just about Android!

Page 18:

Process resource usage = big-time side channel

• Memory usage leaks inputs and user actions
  o Reveals webpages visited in Chrome, Firefox, Android browser, any WebKit-based browser
  o Reveals state of Web applications: membership in dating sites, specific interests on medical sites, etc.
  o Completely new attack!
• CPU usage leaks keystroke timing
  o For bash, ssh, Android on-screen keyboard handler
  o Yields a better, much more robust “Peeping Tom”

Page 19:

“Memento” (2000): putting together “memory streams”

Page 21:

Memprint: stream of memory usage

[Figure: a sequence of memory-footprint samples from one process; values shown: 10568 KB, 15976 KB, 11632 KB, 65948 KB, 49380 KB, 48996 KB, 60280 KB, 60820 KB, 59548 KB]

Page 22-24:

Sniffing memory footprints

[Figure, animated over three slides: the browser process and a zero-permission malicious process are separated by OS isolation. The browser requests memory (alloc 1, alloc 2) via brk/mmap, drawing pages from the OS free page pool, so its used page count goes from 2050 to 2056 to 2080. After each allocation the malicious process reads the used page count, and the sequence 2050, 2056, 2080 becomes the memprint.]

Page 25:

Memprint for Chrome loading benaughty.com

Page 28:

Full attack

[Figure: a zero-permission app, separated from the browser by OS isolation, reads /proc/pid/statm, builds a memprint, and matches it against a memprint database]

Page 29:

Implementation


Measuring the target’s memory footprint
• Linux and Android: /proc/<pid>/statm, drs (data resident size)
• FreeBSD: kvm_getprocs
• Windows: Performance Data Helper (PDH) library

Page 30:

Environment


• Chrome, version 13.0.782.220: measure the render process
• Firefox, version 3.6.23: monolithic browser
• Using a fresh browser
• Android, version 2.2 Froyo in the x86 simulator; the results are the same for 3.1 Honeycomb in Google’s ARM simulator

Page 31:

Building the signature database


A memprint is a set of (E, c) tuples: E is an integer representing a particular footprint size, c is how often it was observed during measurement.

Example: [figure]

Signature database: Alexa top 1,000

Page 32:

Similarity


Two memprints $m_1$ and $m_2$ are compared with the Jaccard index of multisets:

$J(m_1, m_2) = \frac{|m_1 \cap m_2|}{|m_1 \cup m_2|}$

$m_1 \cap m_2 = \{(E, \min(c_1, c_2)) : (E, c_1) \in m_1,\ (E, c_2) \in m_2\}$

$m_1 \cup m_2 = \{(E, \max(c_1, c_2)) : (E, c_1) \in m_1,\ (E, c_2) \in m_2\}$

where a footprint size $E$ that occurs in only one memprint has count $c = 0$ in the other, and $|m|$ is the sum of the counts in $m$.

Page 33:

Why the attack works

• Memprints are unique (for up to 43% of webpages)
• Can tune recognition to achieve zero false positives
• Memprints are stable
  o … across repeated visits to the same page
  o memprints are OS/browser-dependent but machine-independent

Page 34:

Cross-page similarity for 100 random pages out of Alexa top 1000

[Heat map: web page ID on both axes; similarity = Jaccard index of memprints. Pages are similar to themselves (the diagonal) and different from others.]

Page 35:

Evaluation

Distinguishability

A page is distinguishable if Distinguishability > 0.

Origin distinguishability $= (\mu_{target} - \sigma_{target}) - (\mu_{neighbor} + \sigma_{neighbor})$

Distinguishability (normalized) $= \frac{\text{origin distinguishability}}{\text{Max} - \text{Min}}$

where $\mu$ is the mean of the similarity values and $\sigma$ is the standard deviation of the similarity values; target refers to the similarity between repeated visits of the page itself, neighbor to its similarity with the most similar other page, and Max, Min are the largest and smallest origin values over the page set.
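The memprint pipeline of slides 28 to 35 (sampling /proc/<pid>/statm, the (E, c) multiset, the Jaccard similarity and the distinguishability test), as an added example; this is not the authors' code. It assumes 4 KiB pages and takes the data resident size from the statm "data" field; the visit data is constructed, the neighbor is chosen as the other page with the highest mean cross-similarity, and the Max-Min normalization is left out because it does not change the sign.

```python
"""Memprint pipeline (added example, not the authors' code).
Sample /proc/<pid>/statm, build the (E, c) multiset, compare memprints with
the multiset Jaccard index, match against a signature database and compute
distinguishability.  All 'visits' below are constructed, not measured."""
import time
from collections import Counter
from statistics import mean, pstdev

PAGE_KB = 4  # assumption: 4 KiB pages (statm reports page counts)


def drs_kb(statm_line: str) -> int:
    """Data resident size in KB from one /proc/<pid>/statm line.
    Fields: size resident shared text lib data dt; field 6 ('data',
    data + stack pages) is what ps prints as DRS."""
    fields = statm_line.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected statm line: {statm_line!r}")
    return int(fields[5]) * PAGE_KB


def sample_statm(pid: int, samples: int, interval: float = 0.001) -> list:
    """Live sampler: statm is world-readable on a stock Linux, which is all
    a zero-permission process needs.  Not called below (runs offline)."""
    lines = []
    for _ in range(samples):
        with open(f"/proc/{pid}/statm") as f:
            lines.append(f.read())
        time.sleep(interval)
    return lines


def memprint(statm_lines) -> Counter:
    """Multiset {E: c}: E a footprint size in KB, c how often it was seen."""
    return Counter(drs_kb(line) for line in statm_lines)


def jaccard(m1: Counter, m2: Counter) -> float:
    """|m1 ∩ m2| / |m1 ∪ m2| with min/max of the counts; a size missing
    from one memprint has count 0 there."""
    sizes = set(m1) | set(m2)
    inter = sum(min(m1[e], m2[e]) for e in sizes)
    union = sum(max(m1[e], m2[e]) for e in sizes)
    return inter / union if union else 0.0


def identify(observed: Counter, database: dict, threshold: float):
    """Nearest stored memprint wins; (None, score) if nothing clears the
    threshold.  Raising the threshold is the zero-false-positive knob."""
    best_page, best_score = None, 0.0
    for page, prints in database.items():
        score = max(jaccard(observed, m) for m in prints)
        if score > best_score:
            best_page, best_score = page, score
    return (best_page if best_score >= threshold else None), best_score


def distinguishability(page: str, database: dict) -> float:
    """(mu_target - sigma_target) - (mu_neighbor + sigma_neighbor): target
    stats over pairs of the page's own visits, neighbor = the other page
    with the highest mean cross-similarity (assumed choice).  > 0 means
    distinguishable; the slide's Max-Min scaling would not change the sign."""
    own = database[page]
    self_sims = [jaccard(own[i], own[j])
                 for i in range(len(own)) for j in range(i + 1, len(own))]
    others = []
    for other, prints in database.items():
        if other != page:
            cross = [jaccard(a, b) for a in own for b in prints]
            others.append((mean(cross), pstdev(cross)))
    if not others:
        raise ValueError("need at least two pages in the database")
    mu_n, sigma_n = max(others)
    return (mean(self_sims) - pstdev(self_sims)) - (mu_n + sigma_n)


def constructed_statm(data_pages) -> list:
    """Fake statm lines; only field 6 varies, the rest is filler."""
    return [f"{d + 5000} {d + 1200} 600 300 0 {d} 0" for d in data_pages]


# Constructed data-page counts sampled during three loads of each page.
CONSTRUCTED_VISITS = {
    "www.xbank.com": [[2050, 2056, 2080, 2080, 2080, 2095],
                      [2050, 2056, 2080, 2080, 2095, 2095],
                      [2050, 2056, 2056, 2080, 2080, 2095]],
    "www.quickdate.com": [[2050, 2300, 2300, 2450, 2450, 2450],
                          [2050, 2300, 2450, 2450, 2450, 2470],
                          [2050, 2300, 2300, 2450, 2470, 2470]],
}


def build_database(visits=CONSTRUCTED_VISITS) -> dict:
    """page -> one memprint per recorded visit."""
    return {page: [memprint(constructed_statm(v)) for v in runs]
            for page, runs in visits.items()}


def demo():
    db = build_database()
    # a fresh, unseen load of www.xbank.com (constructed)
    observed = memprint(constructed_statm([2050, 2056, 2080, 2080, 2080, 2095, 2095]))
    page, score = identify(observed, db, threshold=0.5)
    return page, score, distinguishability("www.xbank.com", db)


if __name__ == "__main__":
    print(demo())  # ('www.xbank.com', 0.857..., 0.623...)
```

Against a real target, replace `constructed_statm(...)` with `sample_statm(pid, n)` while the browser loads a page; the rest of the pipeline is unchanged. Note that the unseen load scores 6/7 against the best stored memprint while scoring 1/12 against the other page, so a threshold anywhere between those two keeps this one classification free of false positives.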

Page 36:

100 random pages, 1,000-page ambiguity set

Page 37:

[Chart: recognition rate for 100 random distinguishable pages, with the threshold set so that there are no false positives]

Page 38:

Variations of the attack

• Focus only on changes caused by allocating or de-allocating large images.
• Inferring the state of Web sessions.
• Add secondary side-channel information, e.g. CPU scheduling statistics.

Page 39:

Fine-grained info leak: OkCupid

[Flowchart of an OkCupid session, read from the browser's memory footprint:
• is login successful? yes: memory usage increases by 1-2 MB
• is a paid customer? no: a new Flash player plugin process is started to display ads and memory usage increases by 27-36 MB; yes: no new Flash player plugin process]

Page 40:

Concurrent processes don't hurt; sometimes they even make the attack better!!

Page 41:

Memento attacks: CPU usage info

• Monitor /proc/<pid>/status for the number of context switches
• Infer inter-keystroke timing for bash, ssh, Android on-screen keyboard handler etc.
  o Processing each keystroke requires a predictable number of context switches
  o Keystroke processing time << keystroke interval
• Inter-keystroke timing is sufficient to reconstruct typed text [Zhang and Wang]
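The CPU-usage variant described on this slide, as an added example that is not the authors' code: it polls the voluntary/nonvoluntary ctxt_switches counters of /proc/<pid>/status and turns jumps in them into inter-keystroke intervals. The poll stream is constructed, and the assumed cost of 2 voluntary switches per keystroke (plus unrelated non-voluntary switches as noise) is an illustration, not a number from the paper.

```python
"""Keystroke timing from context-switch counters (added example, not the
authors' code).  Polls /proc/<pid>/status, which any uid can read, and turns
jumps in the ctxt_switches counters into inter-keystroke intervals.  The poll
stream is constructed; 2 voluntary switches per keystroke is an assumption."""
import re
import time

_VOL = re.compile(r"^voluntary_ctxt_switches:\s*(\d+)", re.M)
_NONVOL = re.compile(r"^nonvoluntary_ctxt_switches:\s*(\d+)", re.M)


def ctxt_switches(status_text: str) -> int:
    """Total context switches in one /proc/<pid>/status snapshot."""
    vol, nonvol = _VOL.search(status_text), _NONVOL.search(status_text)
    if not (vol and nonvol):
        raise ValueError("no ctxt_switches fields in status text")
    return int(vol.group(1)) + int(nonvol.group(1))


def poll_status(pid: int, samples: int, interval: float = 0.01) -> list:
    """Live sampler returning [(t, status_text)].  Not called below."""
    polls = []
    for _ in range(samples):
        with open(f"/proc/{pid}/status") as f:
            polls.append((time.monotonic(), f.read()))
        time.sleep(interval)
    return polls


def keystroke_times(polls, per_key: int) -> list:
    """Each keystroke costs a predictable number of switches and is
    processed far faster than the gap to the next keystroke, so it shows
    up as a jump of at least per_key between consecutive polls; smaller
    jumps are background scheduling noise and are ignored."""
    times, prev = [], None
    for t, text in polls:
        count = ctxt_switches(text)
        if prev is not None and count - prev >= per_key:
            times.append(t)
        prev = count
    return times


def intervals(times) -> list:
    """Inter-keystroke intervals in seconds, rounded to 1 ms."""
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def constructed_polls(keystrokes_ms=(100, 350, 480, 900), per_key=2,
                      step_ms=10, duration_ms=1000) -> list:
    """100 Hz poll stream of a fake handler process: per_key voluntary
    switches land in the poll after each keystroke; one non-voluntary switch
    every 70 ms stands in for unrelated scheduler activity."""
    vol, nonvol, polls = 120, 3, []
    for i in range(duration_ms // step_ms + 1):
        t_ms = i * step_ms
        vol += per_key * sum(1 for k in keystrokes_ms if t_ms - step_ms < k <= t_ms)
        if i and i % 7 == 0:
            nonvol += 1
        polls.append((t_ms / 1000, "Name:\tkeyhandler\nPid:\t4242\n"
                      f"voluntary_ctxt_switches:\t{vol}\n"
                      f"nonvoluntary_ctxt_switches:\t{nonvol}\n"))
    return polls


if __name__ == "__main__":
    ts = keystroke_times(constructed_polls(), per_key=2)
    print(ts, intervals(ts))  # [0.1, 0.35, 0.48, 0.9] [0.25, 0.13, 0.42]
```

The per-keystroke switch count has to be calibrated per target (bash, sshd, the keyboard handler) by typing into it while polling; set `per_key` too low and the noise switches are mistaken for keystrokes, too high and real keystrokes are dropped. Polling faster than the target's keystroke processing time is what makes the "one jump per keystroke" assumption hold.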

Page 42:

Keystroke timing (Android MMS app)

Page 43:

Solutions?

• Increasing reliance on OS isolation makes these attacks easier
  o OS problem, not an application problem
• Disable /proc
  o FreeBSD: no /proc, but the attacker can still measure the victim's memory footprint via kvm_getprocs
• Stop reporting fine-grained resource usage across the “user” boundary
  o Only report info for the user's own processes
  o Breaks tools like ps, top etc.
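The "only report info for the user's own processes" option is what Linux later shipped as the hidepid= mount option for procfs (Linux 3.3 and later; named values and hidepid=4 since 5.8). As an added example, not from the slides, this checks a /proc/mounts dump for that option and tells whether another uid can still read everyone's statm and status; the /proc/mounts lines are constructed.

```python
"""hidepid check (added example, not from the slides).  Since Linux 3.3
procfs accepts a hidepid= mount option: 1/'noaccess' leaves other users'
/proc/<pid> directories listable but unreadable, 2/'invisible' hides them,
4/'ptraceable' (Linux 5.8+) shows only processes the caller could ptrace,
and gid=<group> exempts one group so ps/top keep working for admins.
The /proc/mounts text below is constructed."""

# hidepid spellings seen in /proc/mounts on older (numeric) and newer kernels
_HIDEPID = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


def proc_hidepid(mounts_text: str):
    """(hidepid_level, exempt_gid) for the procfs mounted at /proc, or None
    if there is none.  Line format: device mountpoint fstype options dump pass."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "/proc" or fields[2] != "proc":
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        raw = opts.get("hidepid", "0")
        level = _HIDEPID[raw] if raw in _HIDEPID else int(raw)
        gid = int(opts["gid"]) if opts.get("gid") else None
        return level, gid
    return None


def exposes_other_users(mounts_text: str, my_gid=None):
    """True when a process of another uid can still read /proc/<pid>/statm
    and /proc/<pid>/status of every process, i.e. the Memento precondition
    holds; None when no procfs is mounted at /proc."""
    info = proc_hidepid(mounts_text)
    if info is None:
        return None
    level, exempt_gid = info
    return level == 0 or (exempt_gid is not None and my_gid == exempt_gid)


def live_probe(pid: int):
    """Try to read another process's statm: works for any uid on a stock
    mount, raises PermissionError under hidepid=1 and FileNotFoundError
    under hidepid=2 (the directory is gone).  Not called below."""
    try:
        with open(f"/proc/{pid}/statm") as f:
            return f.read().split()
    except (PermissionError, FileNotFoundError):
        return None


STOCK_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4000000k,mode=755 0 0
"""
HARDENED_MOUNTS = STOCK_MOUNTS.replace(
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0",
    "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0")


if __name__ == "__main__":
    print(proc_hidepid(STOCK_MOUNTS), exposes_other_users(STOCK_MOUNTS))
    print(proc_hidepid(HARDENED_MOUNTS),
          exposes_other_users(HARDENED_MOUNTS, my_gid=1000))
```

Two caveats: the option is per procfs mount, so a container or chroot with its own /proc needs it as well, and it does nothing for the FreeBSD path on this slide (kvm_getprocs reads the kernel, not a file system), which is why the slide's conclusion is about the process info API as a whole rather than /proc.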

Page 44:


Summary

• Process info API
  o A legacy of the 1980s
  o Reveals a process's resource usage - CPU, memory, network
  o A single measurement is harmless (most of the time)
  o Dynamics of processes’ resource usage = high-bandwidth side channel
• Memento attacks
  o OS designers must rethink the process info API
