Slide 1 Adapted from Vitaly Shmatikov, UT Austin Intrusion Detection.
Suman Jana and Vitaly Shmatikov The University of Texas at Austin Memento: Learning Secrets from...
Suman Jana and Vitaly Shmatikov
The University of Texas at Austin
Memento: Learning Secrets from Process Footprints
33rd Security & Privacy (May 2012), best student paper award
This slide deck is modified from http://www.cs.utexas.edu/~suman/publications/oakland12/Memento.pptx
Outline
2012/05/28A Seminar at Advanced Defense Lab2
• Introduction
• Side channels through /proc
• Memento
• Implementation
• Evaluation
• Variations of the attack
• Solutions?
• Summary
Introduction
Implementing an entire security mechanism in user mode is very difficult.
Trends in software design
Applications rely on OS abstractions (“process”, “user”) to improve their safety and reliability
Case study: Web browsers
Each site (www.xbank.com, www.quickdate.com) gets its own process: the browser forks a new process per site, and the OS isolates the processes from each other.
Unintended consequences
Good
• Better isolation
• Better reliability: others not affected if one process crashes
• Better safety
Bad
• Leaks more info to concurrent processes
Topic of this talk
ProcFS: Process info in multi-user OS
ps
top -p 1
cat /proc/1/status
Introduced in the 1980s: Tom Killian, "Processes as Files" (1984)
What can one learn from ProcFS?
• IP addrs of websites other users are visiting
Side channels through /proc
• "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems", Kehuan Zhang and XiaoFeng Wang, USENIX Security 2009
o Keystroke timing leak through ESP/EIP values from /proc/<pid>/stat
The story of "Peeping Tom"
NDSS '09 program committee:
"Nobody uses multi-user computers anymore"
Shout-out to XiaoFeng ;)
The story of "Peeping Tom"
Oakland '09 program committee:
"Nobody uses multi-user computers anymore"
Shout-out to XiaoFeng ;)
Nobody uses multi-user computers anymore???
Android sandboxing = UNIX multi-user isolation
UNIX multi-users in the 1980s: ps, top -p 1, cat /proc/1/status
Android sandboxing = UNIX multi-user isolation
Android “multi-users” in 2012: ps, top -p 1, cat /proc/1/status
Android sandboxing =UNIX multi-user isolation
Different apps run as different users
Android uses OS “user” abstraction to isolate applications
ProcFS API is still unchanged!!
What can a zero-permission app do?
Can read all world-readable files in /proc
• … but the “Peeping Tom” attack does not work
o ESP/EIP too unpredictable: JVM, GUI, etc.
• Introducing “Memento” attacks
o Works on all major OSs (except iOS)
This is not just about Android!
Process resource usage =big-time side channel
• Memory usage leaks inputs and user actions
o Reveals webpages visited in Chrome, Firefox, Android browser, any WebKit-based browser
o Reveals state of Web applications: membership in dating sites, specific interests on medical sites, etc.
• CPU usage leaks keystroke timing
o For bash, ssh, Android on-screen keyboard handler
o Yields a better, much more robust “Peeping Tom”
Completely new attack!
“Memento” (2000): putting together “memory streams”
Memprint: stream of memory usage
10568 KB, 15976 KB, 11632 KB, 65948 KB, 49380 KB, 48996 KB, 60280 KB, 60820 KB, 59548 KB, …
Sniffing memory footprints (one figure, three animation steps): a zero-permission malicious process sits behind OS isolation from the browser process; both draw on the OS free page pool, and the used page count is the memprint. Initially the used page count is 2050; after the browser's alloc 1 (via brk/mmap) it is 2056; after alloc 2 it is 2080. The malicious process observes the sequence 2050, 2056, 2080.
Memprint for Chrome loading benaughty.com
Full attack
Figure: a zero-permission app, separated from the browser by OS isolation, reads /proc/pid/statm, builds a memprint of the browser, and compares it against a memprint database.
Implementation
Measuring the target's memory footprint
• Linux and Android: /proc/<pid>/statm drs (data resident size)
• FreeBSD: kvm_getprocs
• Windows: Performance Data Helper (PDH) library
Environment
• Chrome, version 13.0.782.220: measure the render process
• Firefox, version 3.6.23: monolithic browser
• Using a fresh browser
• Android, version 2.2 Froyo in the x86 simulator; the results are the same for 3.1 Honeycomb in Google's ARM simulator.
Building the signature database
A memprint is a set of (E, c) tuples: E is an integer representing a particular footprint size, c is how often it was observed during measurement.
Ex: ALEXA TOP 1,000 (figure)
Similarity
Jaccard index: $J(m_1, m_2) = \dfrac{|m_1 \cap m_2|}{|m_1 \cup m_2|}$, where
$m_1 \cap m_2 := \{(E, c) : (E, c_1) \in m_1,\ (E, c_2) \in m_2,\ c = \min(c_1, c_2)\}$
$m_1 \cup m_2 := \{(E, c) : (E, c_1) \in m_1,\ (E, c_2) \in m_2,\ c = \max(c_1, c_2)\}$
with $|m| = \sum_{(E, c) \in m} c$, and a size $E$ that occurs in only one memprint counted with $c = 0$ in the other.
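Worked example of the memprint and Jaccard-index definitions above, extended with the threshold-based lookup against a memprint database that the “Full attack” slide describes (added here as illustration; not code from the paper or the slides). The footprint samples are constructed, and sizes absent from one memprint count as c = 0, as in the standard multiset Jaccard index.

```python
from collections import Counter

# Constructed footprint samples in KB, in the spirit of the slide's memprint
# stream; illustrative values, not measurements from the paper.
VISIT_A1 = [10568, 15976, 11632, 49380, 48996, 60280, 60280, 60820, 59548]
VISIT_A2 = [10568, 15976, 11632, 49380, 49380, 60280, 60820, 59548, 59548]
VISIT_B = [10568, 15976, 30120, 30120, 41200, 41200, 41200, 42010]


def memprint(samples):
    """Turn a stream of footprint sizes E into a memprint {E: c}, where c is
    how often size E was observed during the measurement."""
    return Counter(samples)


def jaccard(m1, m2):
    """Multiset Jaccard index |m1 ∩ m2| / |m1 ∪ m2|: intersection counts are
    min(c1, c2), union counts are max(c1, c2); an absent size counts as 0."""
    sizes = set(m1) | set(m2)
    inter = sum(min(m1.get(E, 0), m2.get(E, 0)) for E in sizes)
    union = sum(max(m1.get(E, 0), m2.get(E, 0)) for E in sizes)
    return inter / union if union else 0.0


def best_match(database, observed, threshold):
    """Return (page, similarity) for the most similar database entry, or None
    when nothing reaches the threshold (the tuning knob the slides use to
    get zero false positives)."""
    page, score = max(((p, jaccard(m, observed)) for p, m in database.items()),
                      key=lambda t: t[1])
    return (page, score) if score >= threshold else None


DATABASE = {"site-a": memprint(VISIT_A1), "site-b": memprint(VISIT_B)}

if __name__ == "__main__":
    repeat = memprint(VISIT_A2)
    print("same page, repeat visit:", round(jaccard(DATABASE["site-a"], repeat), 3))
    print("different pages:", round(jaccard(DATABASE["site-a"], DATABASE["site-b"]), 3))
    print("lookup:", best_match(DATABASE, repeat, threshold=0.5))
```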
Why the attack works
• Memprints are unique (for up to 43% of webpages)
• Can tune recognition to achieve zero false positives
• Memprints are stable
o … across repeated visits to the same page
o Memprints are OS/browser-dependent but machine-independent
Cross-page similarity for 100 random pages out of Alexa top 1000
Figure: similarity matrix, web page ID against web page ID, where similarity = Jaccard index of memprints. Pages are similar to themselves and different from others.
Evaluation
Distinguishability
A page is distinguishable if Distinguishability > 0.
Origin distinguishability $= (\mu_{target} - \sigma_{target}) - (\mu_{neighbor} + \sigma_{neighbor})$,
where $\mu$ is the mean of the similarity values and $\sigma$ is the standard deviation of the similarity values.
Distinguishability (normalized) $= \dfrac{\text{origin distinguishability}}{\text{Max} - \text{Min}}$
100 random pages, 1,000-page ambiguity set
With the threshold set so that there are no false positives:
100 random distinguishable pages
Variations of the attack
Focus only on changes caused by allocating or de-allocating large images.
Inferring the state of Web sessions: add secondary side-channel information.
Ex: CPU scheduling statistics
Fine-grained info leak: OkCupid (decision tree)
• Is login successful?
o no: memory usage increases by 1-2 MB
o yes: memory usage increases by 27-36 MB; then: is this a paid customer?
  o no: a new Flash player plugin process is started to display ads
  o yes: no new Flash player plugin process
Concurrent processes don't hurt; sometimes they make it even better!!
Memento attacks: CPU usage info
• Monitor /proc/<pid>/status for the number of context switches
• Infer inter-keystroke timing for bash, ssh, Android on-screen keyboard handler, etc.
o Processing each keystroke requires a predictable number of context switches
o Keystroke processing time << keystroke interval
• Inter-keystroke timing is sufficient to reconstruct typed text [Zhang and Wang]
Keystroke timing (Android MMS app)
Solutions?
Increasing reliance on OS isolation makes these attacks easier: an OS problem, not an application problem
• Disable /proc
o FreeBSD: no /proc, but an attacker can still measure the victim's memory footprint via kvm_getprocs
• Stop reporting fine-grained resource usage across the “user” boundary
o Only report info for the user's own processes
o Breaks tools like ps, top, etc.
(Figure labels: “does NOT need the API” vs. “needed the API”)
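As an added example (not from the slides) of the proposed fix of only reporting resource usage for the user's own processes: on Linux the hidepid mount option on /proc does exactly that, and this check parses the /proc/mounts format for it. The mount lines are constructed; numeric values and the symbolic names off/noaccess/invisible are handled.

```python
# Added defender's check, not from the slides: is /proc mounted with hidepid,
# so that other users' /proc/<pid>/statm (the memprint source) is not
# readable? hidepid=1 denies access to other users' /proc/<pid> directories,
# hidepid=2 additionally hides their existence; 0 (or absent) is the
# 1980s default the talk criticises.

WEAK_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"  # constructed
HARDENED_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0\n"  # constructed

HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2}


def procfs_hidepid(mounts_text):
    """Return the hidepid level of the proc filesystem mounted on /proc
    (0 when the option is absent); None when /proc is not mounted or the
    value is not recognised."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, fstype, options = fields[1], fields[2], fields[3]
        if mountpoint != "/proc" or fstype != "proc":
            continue
        for opt in options.split(","):
            name, _, value = opt.partition("=")
            if name == "hidepid":
                if value.isdigit():
                    return int(value)
                return HIDEPID_NAMES.get(value)
        return 0
    return None


def cross_user_usage_hidden(mounts_text):
    """True when other users' per-process resource usage is not exposed."""
    level = procfs_hidepid(mounts_text)
    return level is not None and level >= 1


if __name__ == "__main__":
    # Live check on this machine (Linux only); falls back to the weak sample.
    try:
        with open("/proc/mounts") as f:
            live = f.read()
    except OSError:
        live = WEAK_MOUNTS
    print("hidepid level:", procfs_hidepid(live),
          "| cross-user usage hidden:", cross_user_usage_hidden(live))
```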
Summary
• Process info API
o A legacy of the 1980s
o Reveals process's resource usage: CPU, memory, network
o A single measurement is harmless (most of the time)
o Dynamics of processes’ resource usage = high-bandwidth side channel
• Memento attacks
o OS designers must rethink the process info API