FLUSH+RELOAD attack is recently proposed as a new type of Cache timing attacks.There are three essential factors in this attack,which are monitored instructions.threshold and waiting interval.However,existing literatu...FLUSH+RELOAD attack is recently proposed as a new type of Cache timing attacks.There are three essential factors in this attack,which are monitored instructions.threshold and waiting interval.However,existing literature seldom exploit how and why they could affect the system.This paper aims to study the impacts of these three parameters,and the method of how to choose optimal values.The complete rules for choosing the monitored instructions based on necessary and sufficient condition are proposed.How to select the optimal threshold based on Bayesian binary signal detection principal is also proposed.Meanwhile,the time sequence model of monitoring is constructed and the calculation of the optimal waiting interval is specified.Extensive experiments are conducted on RSA implemented with binary square-and-multiply algorithm.The results show that the average success rate of full RSA key recovery is89.67%.展开更多
Although there exist a few good schemes to protect the kernel hooks of operating systems, attackers are still able to circumvent existing defense mechanisms with spurious context infonmtion. To address this challenge,...Although there exist a few good schemes to protect the kernel hooks of operating systems, attackers are still able to circumvent existing defense mechanisms with spurious context infonmtion. To address this challenge, this paper proposes a framework, called HooklMA, to detect compromised kernel hooks by using hardware debugging features. The key contribution of the work is that context information is captured from hardware instead of from relatively vulnerable kernel data. Using commodity hardware, a proof-of-concept pro- totype system of HooklMA has been developed. This prototype handles 3 082 dynamic control-flow transfers with related hooks in the kernel space. Experiments show that HooklMA is capable of detecting compomised kernel hooks caused by kernel rootkits. Performance evaluations with UnixBench indicate that runtirre overhead introduced by HooklMA is about 21.5%.展开更多
基金supported by National Natural Science Foundation of China (No.61472357,No.61309021,No.61272491, No.61173191)the Major State Basic Research Development Program(973 Plan) of China under the grant 2013CB338004
文摘FLUSH+RELOAD attack is recently proposed as a new type of Cache timing attacks.There are three essential factors in this attack,which are monitored instructions.threshold and waiting interval.However,existing literature seldom exploit how and why they could affect the system.This paper aims to study the impacts of these three parameters,and the method of how to choose optimal values.The complete rules for choosing the monitored instructions based on necessary and sufficient condition are proposed.How to select the optimal threshold based on Bayesian binary signal detection principal is also proposed.Meanwhile,the time sequence model of monitoring is constructed and the calculation of the optimal waiting interval is specified.Extensive experiments are conducted on RSA implemented with binary square-and-multiply algorithm.The results show that the average success rate of full RSA key recovery is89.67%.
基金The authors would like to thank the anonymous reviewers for their insightful corrnlents that have helped improve the presentation of this paper. The work was supported partially by the National Natural Science Foundation of China under Grants No. 61070192, No.91018008, No. 61170240 the National High-Tech Research Development Program of China under Grant No. 2007AA01ZA14 the Natural Science Foundation of Beijing un- der Grant No. 4122041.
文摘Although there exist a few good schemes to protect the kernel hooks of operating systems, attackers are still able to circumvent existing defense mechanisms with spurious context infonmtion. To address this challenge, this paper proposes a framework, called HooklMA, to detect compromised kernel hooks by using hardware debugging features. The key contribution of the work is that context information is captured from hardware instead of from relatively vulnerable kernel data. Using commodity hardware, a proof-of-concept pro- totype system of HooklMA has been developed. This prototype handles 3 082 dynamic control-flow transfers with related hooks in the kernel space. Experiments show that HooklMA is capable of detecting compomised kernel hooks caused by kernel rootkits. Performance evaluations with UnixBench indicate that runtirre overhead introduced by HooklMA is about 21.5%.
