WEKO3
Item

Mitigating Foreshadow Side-channel Attack Using Dedicated Kernel Memory Mechanism
https://ipsj.ixsq.nii.ac.jp/records/222827

Name / File | License | Action
---|---|---
File | Copyright (c) 2022 by the Information Processing Society of Japan | Open access

Field | Value
---|---
Item type | Journal(1)
Publication date | 2022-12-15
Title (en) | Mitigating Foreshadow Side-channel Attack Using Dedicated Kernel Memory Mechanism
Language | eng
Keywords (subject scheme: Other) | [Special issue: Information Security and Trust for the IT Infrastructure of a Sustainable Society] side channel attack, system security, operating system, kernel
Resource type identifier | http://purl.org/coar/resource_type/c_6501
Resource type | journal article
Author affiliations | Graduate School of Engineering, Kobe University; Faculty of Natural Science and Technology, Okayama University
Authors | Hiroki Kuzuno; Toshihiro Yamauchi
Abstract (description type: Other) | New threats to operating systems include side-channel attacks (e.g., Meltdown and Foreshadow) that combine speculative execution in the central processing unit (CPU) with cache manipulation to infer kernel code and kernel data held in CPU caches. Mitigating these attacks requires kernel memory isolation mechanisms that change the kernel design: kernel page table isolation (KPTI) separates the kernel memory space between kernel mode and user mode to mitigate Meltdown, and address space isolation segregates the virtualization features from the kernel memory space to mitigate Foreshadow. However, user processes still share the remaining kernel features in the same kernel memory space, and speculative execution in a Foreshadow side-channel attack lets an adversary read the kernel data that kernel features hold for a targeted user process. This paper presents a dedicated kernel memory mechanism (DKMM), which controls how kernel memory is allocated to each user process that uses kernel features. It mitigates the speculative-execution Foreshadow side-channel attack (e.g., Foreshadow-OS): each user process gets its own dedicated kernel memory space, which suppresses references to the kernel data of the kernel features used by a process that is attacked through the Foreshadow side channel. We implemented DKMM on Linux and evaluated its ability to protect the kernel data of container features against a side-channel attack by Foreshadow proof-of-concept code. The performance overhead was reasonable: the maximum system call overhead was 7.864 μs, the overhead of a web client program ranged from 0.55% to 0.77% over 100,000 Hypertext Transfer Protocol sessions, and the benchmark score overhead was 1.06%.
Note | This is a preprint of an article intended for publication in Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.30 (2022) (online), DOI http://dx.doi.org/10.2197/ipsjjip.30.796
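The abstract builds on the upstream Linux mitigations that DKMM sits next to: kernel page table isolation for Meltdown, and for Foreshadow (L1TF) the PTE inversion of non-present page table entries plus the L1D flush on VM entry. Before reasoning about what a per-process kernel memory split adds, a practitioner will want to confirm that those baseline mitigations are actually active on the host. The script below is an added example, not code from the paper or from the DKMM implementation. It reads the status lines the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities (the meltdown and l1tf entries) and classifies them; the function names, the directory parameter and the sample snapshot lines are assumptions of this example, and the snapshot is constructed data rather than output from any real host.

```shell
#!/bin/sh
# Added example, not the paper's code: check the kernel's self-reported
# Meltdown and Foreshadow (L1TF) mitigation status from sysfs.
# Assumed inputs: the files Linux exposes under
# /sys/devices/system/cpu/vulnerabilities (meltdown, l1tf). The directory
# is a parameter so the same check runs against a copied snapshot.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Classify one status line in the three forms the kernel prints.
classify() {
  case "$1" in
    "Not affected") echo not-affected ;;
    Mitigation:*)   echo mitigated ;;
    Vulnerable*)    echo vulnerable ;;
    *)              echo unknown ;;
  esac
}

# status_of DIR NAME -> prints the classification of DIR/NAME.
status_of() {
  f="$1/$2"
  [ -r "$f" ] || { echo unknown; return 0; }
  classify "$(cat "$f")"
}

# The l1tf line carries two halves: the host part ("PTE Inversion", which
# covers the non-present-PTE case that Foreshadow-OS relies on) and the
# hypervisor part ("VMX: ..." with the L1D flush policy and SMT state).
# Return 0 only when the guest-to-host side is covered: not affected,
# EPT disabled, no flush required, or flushes with SMT switched off.
# An L1D flush with "SMT vulnerable" still leaves a sibling hyperthread
# sharing the L1D, so that case is reported as at risk.
l1tf_vmx_safe() {
  line=$(cat "$1/l1tf" 2>/dev/null) || return 1
  case "$line" in
    "Not affected")                  return 0 ;;
    *"VMX: EPT disabled"*)           return 0 ;;
    *"VMX: flush not necessary"*)    return 0 ;;
    *"cache flushes, SMT disabled"*) return 0 ;;
    *)                               return 1 ;;
  esac
}

# report DIR -> one line per check.
report() {
  dir="${1:-$VULN_DIR_DEFAULT}"
  for v in meltdown l1tf; do
    printf '%s: %s\n' "$v" "$(status_of "$dir" "$v")"
  done
  if l1tf_vmx_safe "$dir"; then
    echo "l1tf (VMX side): covered"
  else
    echo "l1tf (VMX side): at risk (no L1D flush, or SMT sibling shares L1D)"
  fi
}

# Constructed snapshot (sample data, not taken from a real host) so the
# script shows its output offline; then the live sysfs directory if present.
demo() {
  snap=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$snap/meltdown"
  printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n' > "$snap/l1tf"
  echo "== constructed snapshot =="
  report "$snap"
  rm -rf "$snap"
  if [ -d "$VULN_DIR_DEFAULT" ]; then
    echo "== live host =="
    report "$VULN_DIR_DEFAULT"
  fi
}

demo
```

Two caveats apply when reading the result. The sysfs status reflects only the upstream kernel mitigations; it says nothing about whether an out-of-tree change such as the paper's per-process kernel memory separation is in place, and a "mitigated" meltdown or l1tf entry still leaves the shared kernel features that the abstract describes in one kernel memory space. Second, the VMX half of the l1tf line matters only on hosts that run virtual machines; on a bare container host the host half is the relevant one.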

Field | Value
---|---
Bibliographic record ID (NCID) | AN00116647
Bibliographic information | IPSJ Journal (情報処理学会論文誌), Vol. 63, No. 12, published 2022-12-15
ISSN | 1882-7764
Publisher (ja) | Information Processing Society of Japan (情報処理学会)