A Library for Removing Cache-based Attacks in Concurrent Information Flow Systems
Paper in proceedings, 2013
Information-flow control (IFC) allows untrusted code to manipulate sensitive data while preserving confidentiality. Although this is a promising approach to building extensible applications, IFC is susceptible to attacks that leak information through covert channels. In this paper we focus on LIO, a concurrent IFC system. LIO is vulnerable to attacks that leak information through the internal timing covert channel by leveraging the effects of the underlying CPU cache. We present a resumption-based library to address such attacks. Resumptions provide fine-gained control over the interleaving of thread computations. Leveraging this, our library removes cache-based attacks by enforcing that every thread yield after executing an "instruction." Importantly, our library allows for porting the full LIO library -- our resumption approach handles local state and exceptions, both complex features present in LIO. To amend for performance degradations due to library-level thread scheduling, our library provides two novel primitives. First, we allow pure code to securely execute in parallel. Second, we allow developers to control the granularity of instructions, i.e., atomic actions, that threads execute; this allows developers to adjust the frequency of context switching according to their application.