Clockwork: Tracking Remote Timing Attacks
Paper in proceedings, 2020
This paper focuses on timing leaks under remote execution. A key difference is that the remote attacker does not have a reference point of when a program run has started or finished, which significantly restricts attacker capabilities. We propose an extensional security characterization that captures the essence of remote timing attacks. We identify patterns of combining clock access, secret branching, and output in a way that leads to timing leaks. Based on these patterns, we design Clockwork, a monitor that rules out remote timing leaks. We implement the approach for JavaScript, leveraging JSFlow, a state-of-the-art information flow tracker. We demonstrate the feasibility of the approach on case studies with IFTTT, a popular IoT app platform, and VJSC, an advanced JavaScript library for e-voting.
timing attacks
IoT
information flow control
Authors
Iulia Bastys
Chalmers, Computer Science and Engineering, Information Security
Musard Balliu
Kungliga Tekniska Högskolan (KTH)
Tamara Rezk
Institut National de Recherche en Informatique et en Automatique (INRIA)
Andrei Sabelfeld
Chalmers, Computer Science and Engineering, Information Security
Proceedings - IEEE Computer Security Foundations Symposium
19401434 (ISSN)
Vol. 2020-June 350-365 9155105
9781728165721 (ISBN)
Boston, USA
Subject Categories
Computer Engineering
Computer Science
Computer Systems
Areas of Advance
Information and Communication Technology
DOI
10.1109/CSF49147.2020.00032