
2020 IEEE Symposium on Security and Privacy (SP): latest publications

Plundervolt: Software-based Fault Injection Attacks against Intel SGX
Pub Date : 2020-05-01 DOI: 10.1109/SP40000.2020.00057
Kit Murdock, David F. Oswald, Flavio D. Garcia, Jo Van Bulck, D. Gruss, F. Piessens
Dynamic frequency and voltage scaling features have been introduced to manage ever-growing heat and power consumption in modern processors. Design restrictions ensure frequency and voltage are adjusted as a pair, based on the current load, because for each frequency there is only a certain voltage range where the processor can operate correctly. For this purpose, many processors (including the widespread Intel Core series) expose privileged software interfaces to dynamically regulate processor frequency and operating voltage. In this paper, we demonstrate that these privileged interfaces can be reliably exploited to undermine the system’s security. We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt. In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code. We finally discuss why mitigating Plundervolt is not trivial, requiring trusted computing base recovery through microcode updates or hardware changes.
Pages: 1466-1482
Citations: 217
Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment
Pub Date : 2020-05-01 DOI: 10.1109/SP40000.2020.00054
Jianping Zhu, Rui Hou, Xiaofeng Wang, Wenhao Wang, Jiangfeng Cao, Boyan Zhao, Zhongpu Wang, Yuhui Zhang, Jiameng Ying, Lixin Zhang, Dan Meng
With its huge real-world demands, large-scale confidential computing still cannot be supported by today’s Trusted Execution Environment (TEE), due to the lack of scalable and effective protection of high-throughput accelerators like GPUs, FPGAs, and TPUs etc. Although attempts have been made recently to extend the CPU-like enclave to GPUs, these solutions require changes to the CPU or GPU chips, may introduce new security risks due to the side-channel leaks in CPU-GPU communication and are still under the resource constraint of today’s CPU TEE. To address these problems, we present the first Heterogeneous TEE design that can truly support large-scale compute or data intensive (CDI) computing, without any chip-level change. Our approach, called HETEE, is a device for centralized management of all computing units (e.g., GPUs and other accelerators) of a server rack. It is uniquely designed to work with today’s data centres and clouds, leveraging modern resource pooling technologies to dynamically compartmentalize computing tasks, and enforce strong isolation and reduce TCB through hardware support. More specifically, HETEE utilizes the PCIe ExpressFabric to allocate its accelerators to the server node on the same rack for a non-sensitive CDI task, and move them back into a secure enclave in response to the demand for confidential computing. Our design runs a thin TCB stack for security management on a security controller (SC), while leaving a large set of software (e.g., AI runtime, GPU driver, etc.) to the integrated microservers that operate enclaves. An enclave is physically isolated from others through hardware and verified by the SC at its inception. Its microserver and computing units are restored to a secure state upon termination. We implemented HETEE on a real hardware system, and evaluated it with popular neural network inference and training tasks. Our evaluations show that HETEE can easily support the CDI tasks on the real-world scale and incurred a maximal throughput overhead of 2.17% for inference and 0.95% for training on ResNet152.
Pages: 1450-1465
Citations: 50
SEVurity: No Security Without Integrity: Breaking Integrity-Free Memory Encryption with Minimal Assumptions
Pub Date : 2020-04-23 DOI: 10.1109/SP40000.2020.00080
Luca Wilke, Jan Wichelmann, M. Morbitzer, T. Eisenbarth
One reason for not adopting cloud services is the required trust in the cloud provider: As they control the hypervisor, any data processed in the system is accessible to them. Full memory encryption for Virtual Machines (VM) protects against curious cloud providers as well as otherwise compromised hypervisors. AMD Secure Encrypted Virtualization (SEV) is the most prevalent hardware-based full memory encryption for VMs. Its newest extension, SEV-ES, also protects the entire VM state during context switches, aiming to ensure that the host neither learns anything about the data that is processed inside the VM, nor is able to modify its execution state. Several previous works have analyzed the security of SEV and have shown that, by controlling I/O, it is possible to exfiltrate data or even gain control over the VM’s execution. In this work, we introduce two new methods that allow us to inject arbitrary code into SEV-ES secured virtual machines. Due to the lack of proper integrity protection, it is sufficient to reuse existing ciphertext to build a high-speed encryption oracle. As a result, our attack no longer depends on control over the I/O, which is needed by prior attacks. As I/O manipulation is highly detectable, our attacks are stealthier. In addition, we reverse-engineer the previously unknown, improved Xor-Encrypt-Xor (XEX) based encryption mode, that AMD is using on updated processors, and show, for the first time, how it can be overcome by our new attacks.
Pages: 1483-1496
Citations: 36
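The failure mode the abstract describes, as an added example that is not the paper's code: a toy model of XEX-style memory encryption in which the host can read and overwrite ciphertext but never sees the key. The block cipher is a SHA-256 Feistel stand-in for AES, the per-address tweak is a hash rather than AMD's reverse-engineered tweak function, and the keys and cell contents are constructed. With encryption alone, a replayed ciphertext decrypts cleanly to stale data (relocated ciphertext decrypts to garbage, which is all the address tweak buys); a tag bound to the address and to a version counter the host cannot touch makes the same replay fail.

```python
"""Toy model of XEX memory encryption with and without integrity protection.

Not AMD's construction: the cipher is a SHA-256 Feistel stand-in for AES and
the address tweak is a hash, not the reverse-engineered tweak. Keys and cell
contents are constructed. The host can read and overwrite ciphertext at will.
"""
import hashlib
import hmac

ROUNDS = 4

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def tweak(key, addr):
    # Per-address tweak (model only); XEX: C = E(P ^ T) ^ T.
    return hashlib.sha256(b"tweak" + key + addr.to_bytes(8, "little")).digest()[:16]

def xex_encrypt(key, addr, pt):
    t = tweak(key, addr)
    return _xor(block_encrypt(key, _xor(pt, t)), t)

def xex_decrypt(key, addr, ct):
    t = tweak(key, addr)
    return _xor(block_decrypt(key, _xor(ct, t)), t)

class PlainMemory:
    """Encryption only: what an integrity-free design gives the guest."""
    def __init__(self, key):
        self.key, self.cells = key, {}
    def guest_write(self, addr, pt):
        self.cells[addr] = xex_encrypt(self.key, addr, pt)
    def guest_read(self, addr):
        return xex_decrypt(self.key, addr, self.cells[addr])

class IntegrityError(Exception):
    pass

class IntegrityMemory(PlainMemory):
    """Encryption plus a tag over (address, version, ciphertext).

    The per-address version is kept out of the host's reach (a stand-in for
    an integrity tree), so a replayed ciphertext carries a stale tag.
    """
    def __init__(self, key, mac_key):
        super().__init__(key)
        self.mac_key, self.version = mac_key, {}
    def _tag(self, addr, ver, ct):
        msg = addr.to_bytes(8, "little") + ver.to_bytes(8, "little") + ct
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()
    def guest_write(self, addr, pt):
        ver = self.version.get(addr, 0) + 1
        ct = xex_encrypt(self.key, addr, pt)
        self.version[addr] = ver
        self.cells[addr] = (ct, self._tag(addr, ver, ct))
    def guest_read(self, addr):
        ct, tag = self.cells[addr]
        if not hmac.compare_digest(tag, self._tag(addr, self.version[addr], ct)):
            raise IntegrityError(f"tampered or replayed block at {addr:#x}")
        return xex_decrypt(self.key, addr, ct)

KEY, MAC_KEY = b"\x11" * 32, b"\x22" * 32                 # constructed keys
OLD, NEW = b"balance=100,ok00", b"balance=000,ok00"       # constructed 16-byte cells

def replay_without_integrity():
    """Host snapshots a ciphertext, the guest overwrites the cell, host restores it."""
    mem = PlainMemory(KEY)
    mem.guest_write(0x1000, OLD)
    snapshot = mem.cells[0x1000]     # host reads raw ciphertext
    mem.guest_write(0x1000, NEW)
    mem.cells[0x1000] = snapshot     # host writes the old ciphertext back
    return mem.guest_read(0x1000)    # guest gets the stale value, no error

def relocation_without_integrity():
    """Copying ciphertext to another address decrypts under the wrong tweak."""
    mem = PlainMemory(KEY)
    mem.guest_write(0x1000, OLD)
    mem.cells[0x2000] = mem.cells[0x1000]
    return mem.guest_read(0x2000)    # 16 bytes of garbage, still no error

def replay_with_integrity():
    mem = IntegrityMemory(KEY, MAC_KEY)
    mem.guest_write(0x1000, OLD)
    snapshot = mem.cells[0x1000]
    mem.guest_write(0x1000, NEW)
    mem.cells[0x1000] = snapshot
    try:
        mem.guest_read(0x1000)
        return "undetected"
    except IntegrityError:
        return "detected"

if __name__ == "__main__":
    print("replay,   no integrity:", replay_without_integrity())
    print("relocate, no integrity:", relocation_without_integrity())
    print("replay, with integrity:", replay_with_integrity())
```

A tag over the ciphertext alone would stop relocation and bit-flipping but not replay, since the old (ciphertext, tag) pair was itself valid; that is why the version counter has to live somewhere the host cannot rewrite, which is the part that costs real hardware.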
TRRespass: Exploiting the Many Sides of Target Row Refresh
Pub Date : 2020-04-03 DOI: 10.1109/SP40000.2020.00090
Pietro Frigo, Emanuele Vannacci, Hasan Hassan, V. V. D. Veen, O. Mutlu, Cristiano Giuffrida, H. Bos, Kaveh Razavi
After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. How does TRR exactly prevent RowHammer? Which parts of a system are responsible for operating the TRR mechanism? Does TRR completely solve the RowHammer problem or does it have weaknesses? In this paper, we demystify the inner workings of TRR and debunk its security guarantees. We show that what is advertised as a single mitigation mechanism is actually a series of different solutions coalesced under the umbrella term Target Row Refresh. We inspect and disclose, via a deep analysis, different existing TRR solutions and demonstrate that modern implementations operate entirely inside DRAM chips. Despite the difficulties of analyzing in-DRAM mitigations, we describe novel techniques for gaining insights into the operation of these mitigation mechanisms. These insights allow us to build TRRespass, a scalable black-box RowHammer fuzzer that we evaluate on 42 recent DDR4 modules. TRRespass shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to all known RowHammer attacks, are often still vulnerable to new TRR-aware variants of RowHammer that we develop. In particular, TRRespass finds that, on present-day DDR4 modules, RowHammer is still possible when many aggressor rows are used (as many as 19 in some cases), with a method we generally refer to as Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules from all three major DRAM vendors (i.e., Samsung, Micron, and Hynix) are vulnerable to our TRR-aware RowHammer access patterns, and thus one can still mount existing state-of-the-art system-level RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4(X) chips and show that they are susceptible to RowHammer bit flips too. Our results provide concrete evidence that the pursuit of better RowHammer mitigations must continue.
Pages: 747-762
Citations: 133
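Why spreading activations over many aggressor rows can get past an in-DRAM mitigation, as an added simulation that is not the paper's fuzzer and does not describe any vendor's actual TRR logic. The model assumes a tracker that can remember only `capacity` of the most-activated rows per refresh interval and refreshes the neighbours of those rows; every constant (activations per interval, intervals per retention window, flip threshold) is constructed and scaled down, not measured. A classic double-sided pattern is fully covered by a two-entry tracker, while five interleaved double-sided pairs leave most victims unrefreshed.

```python
"""Model of why many-sided hammering defeats a TRR tracker with limited capacity.

Illustrative only: the tracker and all constants below are constructed, not a
description of any DRAM vendor's TRR. The tracker remembers at most `capacity`
of the most-activated rows per refresh interval and refreshes their neighbours;
aggressors outside the tracked set keep disturbing their victims unmitigated.
"""
from collections import Counter

ACTS_PER_INTERVAL = 100        # activations between two refresh commands (scaled down)
INTERVALS_PER_WINDOW = 2000    # refresh commands per retention window (scaled down)
FLIP_THRESHOLD = 25_000        # adjacent activations a victim tolerates per window


def simulate_hammer(aggressors, capacity, rows=64):
    """Return the sorted victim rows whose accumulated disturbance crosses the threshold."""
    disturbance = Counter()      # adjacent activations per row since its last refresh
    flipped = set()
    pattern = list(aggressors)
    pos = 0
    for _ in range(INTERVALS_PER_WINDOW):
        acts = Counter()         # what the TRR sampler sees during this interval
        for _ in range(ACTS_PER_INTERVAL):
            row = pattern[pos % len(pattern)]
            pos += 1
            acts[row] += 1
            for victim in (row - 1, row + 1):
                if 0 <= victim < rows:
                    disturbance[victim] += 1
                    if disturbance[victim] >= FLIP_THRESHOLD:
                        flipped.add(victim)
        # TRR: refresh the neighbours of the `capacity` most-activated rows (ties by row).
        tracked = sorted(acts, key=lambda r: (-acts[r], r))[:capacity]
        for row in tracked:
            for victim in (row - 1, row + 1):
                disturbance[victim] = 0
    return sorted(flipped)


def double_sided(capacity=2):
    """Classic double-sided pattern: rows 10 and 12 hammer victim row 11."""
    return simulate_hammer([10, 12], capacity)


def many_sided(capacity=2, pairs=5):
    """Several double-sided pairs interleaved: 10/12, 20/22, 30/32, ..."""
    aggressors = []
    for k in range(pairs):
        base = 10 + 10 * k
        aggressors += [base, base + 2]
    return simulate_hammer(aggressors, capacity)


if __name__ == "__main__":
    print("double-sided, no TRR        :", simulate_hammer([10, 12], 0))
    print("double-sided, TRR capacity 2:", double_sided())
    print("many-sided,   TRR capacity 2:", many_sided())
    print("many-sided,   TRR capacity 10:", many_sided(capacity=10))
```

Raising the tracker capacity to cover every aggressor makes the many-sided pattern harmless again, which is the trade-off a real sampler cannot afford for arbitrary patterns; the fuzzer's job is to find the pattern shape the deployed sampler misses.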
Towards Effective Differential Privacy Communication for Users’ Data Sharing Decision and Comprehension
Pub Date : 2020-03-31 DOI: 10.1109/SP40000.2020.00088
Aiping Xiong, Tianhao Wang, Ninghui Li, S. Jha
Differential privacy protects an individual’s privacy by perturbing data on an aggregated level (DP) or individual level (LDP). We report four online human-subject experiments investigating the effects of using different approaches to communicate differential privacy techniques to laypersons in a health app data collection setting. Experiments 1 and 2 investigated participants’ data disclosure decisions for low-sensitive and high-sensitive personal information when given different DP or LDP descriptions. Experiments 3 and 4 uncovered reasons behind participants’ data sharing decisions, and examined participants’ subjective and objective comprehensions of these DP or LDP descriptions. When shown descriptions that explain the implications instead of the definition/processes of DP or LDP technique, participants demonstrated better comprehension and showed more willingness to share information with LDP than with DP, indicating their understanding of LDP’s stronger privacy guarantee compared with DP.
Pages: 392-410
Citations: 35
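The distinction the abstract opens with, perturbation at the aggregate level (DP) versus at the individual level (LDP), as an added example that is not from the paper: a health app collects one yes/no answer from n users (constructed data). Under DP the trusted collector holds the truthful answers and adds Laplace noise to the count before release; under LDP each user randomizes their own answer before it leaves the device, so the collector never holds a truthful record, at the cost of noise that grows with the number of users.

```python
"""Aggregate-level (DP) versus individual-level (LDP) perturbation of one yes/no answer.

Added example, not from the paper. The answers in __main__ are constructed.
"""
import math
import random


def laplace_noise(scale, rng):
    """One Laplace(0, scale) sample by inverse transform sampling."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(answers, epsilon, rng):
    """Central DP: the collector sees the truth and releases count + Laplace(1/epsilon).

    One user changes a count by at most 1, so the noise scale is sensitivity / epsilon = 1 / epsilon.
    """
    return sum(answers) + laplace_noise(1.0 / epsilon, rng)


def truth_probability(epsilon):
    """Randomized response keeps the true answer with p = e^eps / (1 + e^eps)."""
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))


def randomized_response(answer, epsilon, rng):
    """Local DP: the user flips their own answer with probability 1 - p before reporting."""
    return answer if rng.random() < truth_probability(epsilon) else not answer


def ldp_estimate(reported, epsilon):
    """Debias the reported yes-count: E[reported] = n(1-p) + true(2p-1)."""
    n, p = len(reported), truth_probability(epsilon)
    return (sum(reported) - n * (1.0 - p)) / (2.0 * p - 1.0)


def estimate_std(n, epsilon):
    """Standard deviation of each estimator: DP noise is independent of n, LDP noise grows with sqrt(n)."""
    p = truth_probability(epsilon)
    dp_std = math.sqrt(2.0) / epsilon
    ldp_std = math.sqrt(n * p * (1.0 - p)) / (2.0 * p - 1.0)
    return dp_std, ldp_std


if __name__ == "__main__":
    rng = random.Random(7)
    n, epsilon = 1000, math.log(3)           # constructed: 300 of 1000 users answer yes
    truth = [i < 300 for i in range(n)]
    print("true count   :", sum(truth))
    print("DP release   :", round(dp_count(truth, epsilon, rng), 1))
    reports = [randomized_response(a, epsilon, rng) for a in truth]
    print("LDP estimate :", round(ldp_estimate(reports, epsilon), 1))
    print("std (DP, LDP):", tuple(round(s, 1) for s in estimate_std(n, epsilon)))
```

With epsilon = ln 3 each user tells the truth with probability 3/4, so the LDP estimate for 1000 users carries a standard deviation of about 27 answers against roughly 1.3 for the central mechanism; that accuracy gap is the price of not having to trust the collector, which is the stronger guarantee the participants in the study were responding to.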
This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
Pub Date : 2020-03-10 DOI: 10.1109/SP40000.2020.00100
Philipp Markert, D. Bailey, M. Golla, Markus Dürmuth, Adam J. Aviv
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n = 1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blacklists and compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10% of the PIN space may provide the best balance between usability and security.
Pages: 286-303
Citations: 38
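The throttled-guessing metric and the effect of a blacklist on it, as an added example that is not the paper's code or data. The PIN distribution is constructed (five very popular PINs, a plateau of 600 moderately popular ones, a uniform tail) and the re-choice model is an assumption: a user whose first choice is blacklisted re-draws from the allowed PINs in proportion to their popularity, which is why the cracked fraction reduces to the mass of the attacker's top-k allowed PINs over the allowed mass. The numbers it prints depend entirely on that constructed distribution; the paper's findings come from measured PINs.

```python
"""Throttled PIN-guessing success with and without a blacklist.

Added example: the PIN distribution is constructed, not the paper's data, and
the re-choice model (blacklisted users re-draw in proportion to the popularity
of the remaining PINs) is an assumption.
"""
from fractions import Fraction
import random

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]
HEAD = {"1234": 1000, "1111": 600, "0000": 400, "1212": 200, "7777": 150}


def constructed_pin_counts(plateau_size=600, plateau_count=20, seed=2020):
    """Head of very popular PINs, a plateau of moderately popular ones, uniform tail."""
    rng = random.Random(seed)
    rest = [p for p in PIN_SPACE if p not in HEAD]
    rng.shuffle(rest)
    counts = dict(HEAD)
    for p in rest[:plateau_size]:
        counts[p] = plateau_count
    for p in rest[plateau_size:]:
        counts[p] = 1
    return counts


def top_pins(counts, k, blacklist=frozenset()):
    """The attacker's guess order: most popular allowed PINs first (ties by value)."""
    allowed = [p for p in counts if p not in blacklist]
    return sorted(allowed, key=lambda p: (-counts[p], p))[:k]


def guess_success(counts, guesses, blacklist=frozenset()):
    """Fraction of users cracked by a throttled attacker with `guesses` attempts."""
    allowed_total = sum(c for p, c in counts.items() if p not in blacklist)
    cracked = sum(counts[p] for p in top_pins(counts, guesses, blacklist))
    return Fraction(cracked, allowed_total)


if __name__ == "__main__":
    counts = constructed_pin_counts()
    policies = {
        "no blacklist": frozenset(),
        "head only (5 PINs)": frozenset(HEAD),
        "top 274 PINs": frozenset(top_pins(counts, 274)),
        "top 10% (1000 PINs)": frozenset(top_pins(counts, 1000)),
    }
    for name, bl in policies.items():
        rates = [f"{float(guess_success(counts, k, bl)):6.2%}" for k in (10, 30, 100)]
        print(f"{name:22s} 10/30/100 guesses: {' '.join(rates)}")
```

Under this model a blacklist that only removes the head still leaves the attacker a plateau of nearly-as-popular PINs to guess, and a blacklist of 274 PINs barely changes the 100-guess rate; only once the blacklist swallows the whole plateau (here, the top 10% of the space) does the remaining distribution become flat enough that 100 guesses crack about 1% of users.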
Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers
Pub Date : 2020-03-10 DOI: 10.1109/SP40000.2020.00085
L. Cojocar, Jeremie S. Kim, Minesh Patel, L. Tsai, S. Saroiu, A. Wolman, O. Mutlu
Cloud providers are concerned that Rowhammer poses a potentially critical threat to their servers, yet today they lack a systematic way to test whether the DRAM used in their servers is vulnerable to Rowhammer attacks. This paper presents an end-to-end methodology to determine if cloud servers are susceptible to these attacks. With our methodology, a cloud provider can construct worst-case testing conditions for DRAM. We apply our methodology to three classes of servers from a major cloud provider. Our findings show that none of the CPU instruction sequences used in prior work to mount Rowhammer attacks create worst-case DRAM testing conditions. To address this limitation, we develop an instruction sequence that leverages microarchitectural side-effects to "hammer" DRAM at a near-optimal rate on modern Intel Skylake and Cascade Lake platforms. We also design a DDR4 fault injector that can reverse engineer row adjacency for any DDR4 DIMM. When applied to our cloud provider’s DIMMs, we find that DRAM rows do not always follow a linear map.
Pages: 712-728
引用次数: 71
Ask the Experts: What Should Be on an IoT Privacy and Security Label?
Pub Date : 2020-02-11 DOI: 10.1109/SP40000.2020.00043
Pardis Emami Naeini, Yuvraj Agarwal, L. Cranor, Hanan Hibshi
Information about the privacy and security of Internet of Things (IoT) devices is not readily available to consumers who want to consider it before making purchase decisions. While legislators have proposed adding succinct, consumer-accessible labels, they do not provide guidance on the content of these labels. In this paper, we report on the results of a series of interviews and surveys with privacy and security experts, as well as consumers, where we explore and test the design space of the content to include on an IoT privacy and security label. We conduct an expert elicitation study by following a three-round Delphi process with 22 privacy and security experts to identify the factors that experts believed are important for consumers when comparing the privacy and security of IoT devices to inform their purchase decisions. Based on how critical experts believed each factor is in conveying risk to consumers, we distributed these factors across two layers: a primary layer to display on the product package itself or prominently on a website, and a secondary layer available online through a web link or a QR code. We report on the experts' rationale and arguments used to support their choice of factors. Moreover, to study how consumers would perceive the privacy and security information specified by experts, we conducted a series of semi-structured interviews with 15 participants, who had purchased at least one IoT device (smart home device or wearable). Based on the results of our expert elicitation and consumer studies, we propose a prototype privacy and security label to help consumers make more informed IoT-related purchase decisions.
2020 IEEE Symposium on Security and Privacy (SP), pages 447-464
Citations: 113
Humpty Dumpty: Controlling Word Meanings via Corpus Poisoning
Pub Date : 2020-01-14 DOI: 10.1109/SP40000.2020.00115
R. Schuster, Tal Schuster, Yoav Meri, Vitaly Shmatikov
Word embeddings, i.e., low-dimensional vector representations such as GloVe and SGNS, encode word "meaning" in the sense that distances between words' vectors correspond to their semantic proximity. This enables transfer learning of semantics for a variety of natural language processing tasks. Word embeddings are typically trained on large public corpora such as Wikipedia or Twitter. We demonstrate that an attacker who can modify the corpus on which the embedding is trained can control the "meaning" of new and existing words by changing their locations in the embedding space. We develop an explicit expression over corpus features that serves as a proxy for distance between words and establish a causative relationship between its values and embedding distances. We then show how to use this relationship for two adversarial objectives: (1) make a word a top-ranked neighbor of another word, and (2) move a word from one semantic cluster to another. An attack on the embedding can affect diverse downstream tasks, demonstrating for the first time the power of data poisoning in transfer learning scenarios. We use this attack to manipulate query expansion in information retrieval systems such as resume search, make certain names more or less visible to named entity recognition models, and cause new words to be translated to a particular target word regardless of the language. Finally, we show how the attacker can generate linguistically likely corpus modifications, thus fooling defenses that attempt to filter implausible sentences from the corpus using a language model.
2020 IEEE Symposium on Security and Privacy (SP), pages 1295-1313
Citations: 30
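The abstract's first adversarial objective, making a chosen word the top-ranked neighbor of another by adding text to the training corpus, can be watched happening on a toy scale. The example below is added here and is not the authors' code: instead of GloVe or SGNS it represents each word by its sentence-level co-occurrence counts (the distributional signal those embeddings are trained on) and compares words by cosine similarity. The corpus, the stopword list and the source/target pair ("python"/"apple") are constructed for the example, and the poisoning strategy (copy every sentence that contains the source with the target substituted) is this example's own, not the paper's corpus-feature distance proxy or its language-model-plausible generation.

```python
"""Toy corpus-poisoning demo (added example, not the paper's code).

Words are represented by their sentence-level co-occurrence counts, a crude
stand-in for a trained embedding; cosine similarity between those vectors is
the "meaning" the attacker wants to move. The corpus, stopword list and the
python/apple word pair are all constructed for this example."""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List

STOPWORDS = {"and", "are", "we", "in", "on", "the", "a", "an", "of", "to", "with"}

# Constructed training corpus: a programming-language cluster and a fruit cluster.
CLEAN_CORPUS = [
    "python java and rust are programming languages",
    "we write code in python and java",
    "rust and java compile to native code",
    "python scripts run in an interpreter",
    "apple banana and cherry are fruits",
    "we eat apple and banana",
    "banana and cherry taste sweet",
    "apple trees grow in the orchard",
]


def tokenize(sentence: str) -> List[str]:
    return [w for w in re.findall(r"[a-z]+", sentence.lower()) if w not in STOPWORDS]


def cooccurrence_vectors(corpus: List[str]) -> Dict[str, Counter]:
    """vec[w][u] = number of times u appears in a sentence together with w."""
    vecs: Dict[str, Counter] = defaultdict(Counter)
    for sentence in corpus:
        toks = tokenize(sentence)
        for i, w in enumerate(toks):
            for j, u in enumerate(toks):
                if i != j:
                    vecs[w][u] += 1
    return vecs


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def neighbors(vecs: Dict[str, Counter], word: str) -> List[str]:
    """Vocabulary sorted by decreasing similarity to `word` (the word itself excluded)."""
    others = [w for w in vecs if w != word]
    return sorted(others, key=lambda w: cosine(vecs[word], vecs[w]), reverse=True)


def neighbor_rank(vecs: Dict[str, Counter], word: str, candidate: str) -> int:
    """1-based rank of `candidate` among the neighbors of `word`."""
    return neighbors(vecs, word).index(candidate) + 1


def poison_sentences(corpus: List[str], source: str, target: str, copies: int = 3) -> List[str]:
    """Attacker-supplied additions: every sentence containing `source` is copied
    with `target` substituted, so `target` inherits `source`'s contexts.
    `copies` controls how hard the target vector is pulled toward the source."""
    pattern = re.compile(rf"\b{re.escape(source)}\b")
    additions: List[str] = []
    for sentence in corpus:
        if source in tokenize(sentence):
            additions.extend([pattern.sub(target, sentence.lower())] * copies)
    return additions


if __name__ == "__main__":
    clean = cooccurrence_vectors(CLEAN_CORPUS)
    print("before: top neighbor of python =", neighbors(clean, "python")[0],
          "| rank of apple =", neighbor_rank(clean, "python", "apple"))
    poisoned_corpus = CLEAN_CORPUS + poison_sentences(CLEAN_CORPUS, "python", "apple")
    poisoned = cooccurrence_vectors(poisoned_corpus)
    print("after:  top neighbor of python =", neighbors(poisoned, "python")[0],
          "| rank of apple =", neighbor_rank(poisoned, "python", "apple"))
```

On the clean corpus "python" sits next to "rust"; nine added sentences (three per source sentence) are enough to make "apple" its top neighbor, while the "python" vector itself never changes, since the attacker only adds text. The same mechanism is what lets the attack reach downstream consumers of the embedding (query expansion, NER) without touching the model code.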
Binsec/Rel: Efficient Relational Symbolic Execution for Constant-Time at Binary-Level
Pub Date : 2019-12-18 DOI: 10.1109/SP40000.2020.00074
Lesly-Ann Daniel, Sébastien Bardin, Tamara Rezk
The constant-time programming discipline (CT) is an efficient countermeasure against timing side-channel attacks, requiring the control flow and the memory accesses to be independent from the secrets. Yet, writing CT code is challenging as it demands to reason about pairs of execution traces (2-hypersafety property) and it is generally not preserved by the compiler, requiring binary-level analysis. Unfortunately, current verification tools for CT either reason at higher level (C or LLVM), or sacrifice bug-finding or bounded-verification, or do not scale. We tackle the problem of designing an efficient binary-level verification tool for CT providing both bug-finding and bounded-verification. The technique builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, BINSEC/REL, and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach in both bug-finding and bounded-verification. Using BINSEC/REL, we also automate a previous manual study of CT preservation by compilers. Interestingly, we discovered that gcc -O0 and backend passes of clang introduce violations of CT in implementations that were previously deemed secure by a state-of-the-art CT verification tool operating at LLVM level, showing the importance of reasoning at binary-level.
2020 IEEE Symposium on Security and Privacy (SP), pages 1021-1038
Citations: 45
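The property the abstract calls 2-hypersafety is easiest to see as a check over pairs of runs: fix the public input, vary the secret, and demand that the control-flow trace and the sequence of memory addresses touched be identical. The example below is added here and is not Binsec/Rel's code; it performs that relational check by concrete execution in Python (a tracer records executed source lines and table indices), not by symbolic execution, and it checks source-level behaviour only, which is exactly the gap the paper addresses when it finds that gcc -O0 and clang back-end passes break constant-time code that passed an LLVM-level check. The comparison and lookup functions and the constructed inputs are this example's own.

```python
"""Relational (2-trace) constant-time check by concrete execution.
Added example: not Binsec/Rel's code. The tracer records which source lines
execute and which table indices are read; a function passes if those records
are identical for every secret while the public input stays fixed."""
import sys
from typing import Callable, List, Sequence


class TracedTable:
    """List-like lookup table that records every index it is asked for."""

    def __init__(self, values: Sequence[int]):
        self.values = list(values)
        self.accesses: List[int] = []

    def __len__(self) -> int:
        return len(self.values)

    def __getitem__(self, i: int) -> int:
        self.accesses.append(i)
        return self.values[i]


def naive_compare(guess: bytes, secret: bytes) -> bool:
    """Early-exit comparison: control flow depends on the first mismatch."""
    if len(guess) != len(secret):
        return False
    for g, s in zip(guess, secret):
        if g != s:
            return False
    return True


def ct_compare(guess: bytes, secret: bytes) -> bool:
    """Accumulates all differences; the loop always runs to the end."""
    if len(guess) != len(secret):   # lengths are treated as public here
        return False
    acc = 0
    for g, s in zip(guess, secret):
        acc |= g ^ s
    return acc == 0


def naive_lookup(table: TracedTable, secret_byte: int) -> int:
    """Memory access indexed by the secret (the classic cache side channel)."""
    return table[secret_byte]


def ct_lookup(table: TracedTable, secret_byte: int) -> int:
    """Touches every entry and selects the wanted one with a mask."""
    out = 0
    for i in range(len(table)):
        mask = -(i == secret_byte)   # -1 when selected, 0 otherwise
        out |= table[i] & mask
    return out


def line_trace(fn: Callable, *args) -> List[int]:
    """Run fn(*args) and return the sequence of source lines it executed."""
    code = fn.__code__
    lines: List[int] = []

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None            # do not trace callees
        if event == "line":
            lines.append(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        fn(*args)
    finally:
        sys.settrace(previous)
    return lines


def control_flow_is_secret_independent(fn: Callable, public, secrets) -> bool:
    """True if every secret yields the same control-flow trace for this public input."""
    traces = {tuple(line_trace(fn, public, s)) for s in secrets}
    return len(traces) == 1


def memory_accesses_are_secret_independent(fn: Callable, values, secrets) -> bool:
    """True if every secret yields the same sequence of table indices."""
    patterns = set()
    for s in secrets:
        table = TracedTable(values)
        fn(table, s)
        patterns.add(tuple(table.accesses))
    return len(patterns) == 1


if __name__ == "__main__":
    guess = b"password"                                  # constructed public input
    secrets = [b"pXssword", b"passwXrd", b"passworX"]    # constructed secrets
    print("naive_compare CT:", control_flow_is_secret_independent(naive_compare, guess, secrets))
    print("ct_compare    CT:", control_flow_is_secret_independent(ct_compare, guess, secrets))
    sbox = list(range(256))                              # constructed identity S-box
    print("naive_lookup  CT:", memory_accesses_are_secret_independent(naive_lookup, sbox, [3, 200]))
    print("ct_lookup     CT:", memory_accesses_are_secret_independent(ct_lookup, sbox, [3, 200]))
```

A concrete relational test like this can only find violations for the secrets it happens to try; relational symbolic execution covers all secrets along each explored path, and doing it on the binary is what catches what the compiler introduces after the source has been checked.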