Skip to Main Content
Frequently Asked Questions
Submit an ETD
Global Search Box
Need Help?
Keyword Search
Participating Institutions
Advanced Search
School Logo
Files
File List
Dissertation-6.pdf (2.44 MB)
ETD Abstract Container
Abstract Header
Automatic and Systematic Detection of Software-exploitable Hardware Vulnerabilities
Author Info
Xiao, Yuan
Permalink:
http://rave.ohiolink.edu/etdc/view?acc_num=osu1595971890093791
Abstract Details
Year and Degree
2020, Doctor of Philosophy, Ohio State University, Computer Science and Engineering.
Abstract
Software-exploitable hardware vulnerabilities allow adversaries to gain illegal access to sensitive data. Examples of software-exploitable hardware vulnerabilities include row hammer vulnerabilities, micro-architectural side-channel vulnerabilities, speculative execution side-channel hardware vulnerabilities, performance counter side-channel vulnerabilities, etc. Row hammer vulnerabilities are hardware flaws where electromagnetic effect of DRAM cells on neighbors is abused to induce unexpected bit flips in DRAM chips. Traditional micro-architectural side-channel vulnerabilities are caused by attackers leveraging the micro-architectural state changes to infer sensitive information such as cryptographic keys stored in memory. Speculative execution side-channel hardware vulnerabilities, on the other hand, are due to out-of-order or speculative execution of modern processors. Attackers exploit the features to transmit secrets whose access should be forbidden. Performance monitoring counters (PMCs) also lead to side-channel vulnerabilities. PMCs reflect the execution status of SGX enclaves and thus can be used to further infer enclave secrets. Detecting these vulnerabilities automatically and systematically has real-world values: with such a capability, hardware and software vendors will be empowered to detect and eliminate bugs in their products; end-users will be empowered to scan their own applications/systems to ensure security. Unlike traditional software bug scanning, the detection of software-exploitable hardware vulnerabilities is complicated as they depend on hardware characteristics. The processor micro-architecture and other hardware implementation are often not thoroughly documented and varies from product to product. Also, the vulnerabilities may reside either in software or in hardware itself. In this dissertation, we focus on (1) developing automatic detection tool frameworks of various software-exploitable hardware vulnerabilities, (2) understanding the nature of the vulnerabilities and (3) bringing forward exploitation of the detected vulnerabilities. Specifically, we study the detection of four categories of software-exploitable hardware vulnerabilities. First, we demonstrate an efficient DRAM scanning tool for double-sided row hammer vulnerability. This is enabled by our novel technique to reverse-engineer the physical address mapping to hardware memory of modern Intel processors at runtime. We further come up with exploitation from a guest VM in commercial cloud to break the memory isolation enforced by virtualization and then achieve arbitrary memory access of a whole physical machine. Second, we present a tool framework based on dynamic program analysis and differential testing to detect page-level, cacheline-level and branch-level side-channel vulnerabilities in SSL/TLS libraries in Intel SGX environment. Almost all popular TLS libraries are found suffering from them. We demonstrate efficient attacks with two of the found vulnerabilities, leading to leakage of plaintext secret or private key at least 10 times faster than traditional attacks, and they have been fixed in mainstream libraries such as OpenSSL and GnuTLS. Third, we exhibit a systematic analysis tool framework for recently-disclosed SPEculative Execution side-Channel Hardware (SPEECH) vulnerabilities in x86 processors. The tool framework exposes the internal micro-architectural states of processors with cache covert-channel, enabling quantitative analysis of SPEECH vulnerabilities. A comprehensive test is performed on potential variants with exception-triggering instructions summarized from processor manufacturer manuals. It discovers new variants in both Intel and AMD processors. What’s more, we propose a novel two-phase model of the internal exception handling of modern processors to understand the root causes of this new category of software- exploitable hardware vulnerabilities. The model is validated by the analysis results from the framework and it clarifies common mis-understandings of the well-known Meltdown-type vulnerabilities. Lastly, we design a differential fuzzing tool, dubbed PERMAFUZZ, to enable automatic search through the huge space of PMC configuration to find proper settings that lead to PERMALEAK exploitation against given target enclave applications. PERMALEAK is a new type of micro-architectural side-channel attacks brought forward in this work, originating from a systematic study on PMC when it is used in enclave mode. Our study reveals important hardware implementation details including a hardware design flaw of performance monitoring interrupts (PMI) which could directly expose enclave execution status to adversaries via PMC. Besides the direct PERMALEAK, we also design mechanisms to conduct indirect PERMALEAK by monitoring non-enclave instructions to infer enclave execution. It does not rely on any hardware implementation bugs. PERMAFUZZ is designed specific to direct or indirect PERMALEAK to fuzz the PMC monitoring settings. The use of PERMAFUZZ is illustrated with two direct PERMALEAK sample attacks against the ECDSA and RSA implementation of Intel SGX SSL and two indirect PERMALEAK attack cases. For example, we show PERMALEAK is able to extract the private keys of the constant-time RSA implementation of Intel’s SGX SSL library. The attack is only possible using a new side channel with finer-than-cacheline granularity, enabled by PERMALEAK.
Committee
Yinqian Zhang (Advisor)
Zhiqiang Lin (Committee Member)
Radu Teodorescu (Committee Member)
Pages
248 p.
Subject Headings
Computer Engineering
;
Computer Science
Recommended Citations
Refworks
EndNote
RIS
Mendeley
Citations
Xiao, Y. (2020).
Automatic and Systematic Detection of Software-exploitable Hardware Vulnerabilities
[Doctoral dissertation, Ohio State University]. OhioLINK Electronic Theses and Dissertations Center. http://rave.ohiolink.edu/etdc/view?acc_num=osu1595971890093791
APA Style (7th edition)
Xiao, Yuan.
Automatic and Systematic Detection of Software-exploitable Hardware Vulnerabilities.
2020. Ohio State University, Doctoral dissertation.
OhioLINK Electronic Theses and Dissertations Center
, http://rave.ohiolink.edu/etdc/view?acc_num=osu1595971890093791.
MLA Style (8th edition)
Xiao, Yuan. "Automatic and Systematic Detection of Software-exploitable Hardware Vulnerabilities." Doctoral dissertation, Ohio State University, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=osu1595971890093791
Chicago Manual of Style (17th edition)
Abstract Footer
Document number:
osu1595971890093791
Download Count:
519
Copyright Info
© 2020, all rights reserved.
This open access ETD is published by The Ohio State University and OhioLINK.