Biblio

A hidden dimension of software and hardware security is secret-revealing information disseminated through side channels. Even the most secure systems tend to reveal their secrets through secret-dependent computation. Secret-dependent computation is detectable by monitoring a system's time, power, outputs, and electromagnetic signature. Common defenses to side channel emanations include adding noise to the channel or making algorithmic changes to eliminate specific side channels. Unfortunately, existing solutions are either, not automatic, not comprehensive, and/or not practical. We propose an isolation-based approach for eliminating power and timing side-channels that is automatic, comprehensive, and practical. Our approach eliminates side channels by leveraging energy harvesting techniques to isolate trusted computation from the rest of the system. Software has the ability to request a fixed-power and fixed-time quantum of isolated computation. By discretizing power and time, our approach controls the granularity of side channel leakage; the only burden on programmers is to ensure that all secret-dependent execution differences converge within a single power/time quantum. We design and implement three approaches to power/time-based quantization and isolation: a wholly-digital version, a hybrid version that uses capacitors for time tracking, and a full-custom version. A key insight we leverage is that capacitors act as resource efficient, workload and environment independent time trackers. We explore the trade-offs of the three designs and look at the challenges ahead.

Ensuring the integrity and security of the memory system is critical. Recent studies have shown serious security concerns due to "rowhammer" attacks, where repeated accesses to a row of memory cause bit flips in adjacent rows. Recent work by Google's Project Zero has shown how to leverage rowhammer-induced bit-flips as the basis for security exploits that include malicious code injection and memory privilege escalation. Being an important security concern, industry has attempted to defend against rowhammer attacks. Deployed defenses employ two strategies: (1) doubling the system DRAM refresh rate and (2) restricting access to the CLFLUSH instruction that attackers use to bypass the cache to increase memory access frequency (i.e., the rate of rowhammering). We demonstrate that such defenses are inadequte: we implement rowhammer attacks that both avoid using the CLFLUSH instruction and cause bit flips with a doubled refresh rate. Our next-generation CLFLUSH-free rowhammer attack bypasses the cache by manipulating cache replacement state to allow frequent misses out of the last-level cache to DRAM rows of our choosing. To protect existing systems from more advanced rowhammer attacks, we develop a software-based defense, ANVIL, which thwarts all known rowhammer attacks on existing systems. ANVIL detects rowhammer attacks by tracking the locality of DRAM accesses using existing hardware performance counters. Our detector identifies the rows being frequently accessed (i.e., the aggressors), then selectively refreshes the nearby victim rows to prevent hammering. Experiments running on real hardware with the SPEC2006 benchmarks show that ANVIL has less than a 1% false positive rate and an average slowdown of 1%. ANVIL is low-cost and robust, and our experiments indicate that it is an effective approach for protecting existing and future systems from even advanced rowhammer attacks.