Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries

Wang, Daimeng; Neupane, Ajaya; Qian, Zhiyun; Abu-Ghazaleh, Nael; Krishnamurthy, Srikanth V.; Colbert, E. J. M.; Yu, Paul

doi:10.14722/ndss.2019.23221

Cited by 32 publications

(30 citation statements)

References 26 publications

(26 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cache attacks exploit the access-time differences for cached and uncached data. Since their introduction in 1996 [59], they have been used for powerful attacks on cryptographic primitives [59], [77], [98], [7], [80], [76], user interactions [89], [62], [108], or as building blocks for transientexecution attacks [64], [58], [13].…”

Section: A Cache Attacksmentioning

confidence: 99%

Dynamic Process Isolation

Schwarzl,

Borrello,

Kogler

et al. 2021

Preprint

View full text Add to dashboard Cite

In the quest for efficiency and performance, edgecomputing providers eliminate isolation boundaries between tenants, such as strict process isolation, and instead let them compute in a more lightweight multi-threaded single-process design. Edgecomputing providers support a high number of tenants per machine to reduce the physical distance to customers without requiring a large number of machines. Isolation is provided by sandboxing mechanisms, e.g., tenants can only run sandboxed V8 JavaScript code. While this is as secure as a sandbox for software vulnerabilities, microarchitectural attacks can bypass these sandboxes.In this paper, we show that it is possible to mount a Spectre attack on such a restricted environment, leaking secrets from co-located tenants. Cloudflare Workers is one of the top three edge-computing solutions and handles millions of HTTP requests per second worldwide across tens of thousands of web sites every day. We demonstrate a remote Spectre attack using amplification techniques in combination with a remote timing server, which is capable of leaking 120 bit/h. This motivates our main contribution, Dynamic Process Isolation, a processisolation mechanism that only isolates suspicious worker scripts following a detection mechanism. In the worst case of only false positives, Dynamic Process Isolation simply degrades to process isolation. Our proof-of-concept implementation augments a realworld cloud infrastructure framework, Cloudflare Workers, which is used in production at large scale.1 With a false-positive rate of only 0.61 %, we demonstrate that our solution vastly outperforms strict process isolation in terms of performance. In our security evaluation, we show that Dynamic Process Isolation statistically provides the same security guarantees as strict process isolation, fully mitigating Spectre attacks between multiple tenants.

show abstract

Section: A Cache Attacksmentioning

confidence: 99%

Dynamic Process Isolation

Schwarzl,

Borrello,

Kogler

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Mobile CPU caches have also been exploited for side channel attacks, to infer coarse-grained user activities [15,31]. Some recent work further demonstrated the possibility of inferring users' PIN inputs from knowledge about cache behaviors [53], but only achieved low accuracy (30%). In contrast, our proposed attack achieves much higher accuracy (>80%) without requiring any guess, and hence has higher applicability in practical systems.…”

Section: Moving Circles and Trianglesmentioning

confidence: 99%

“…Existing hardware eavesdropping attacks on smartphones mainly focus on CPU and on-board sensors. For example, access time on CPU cache provides information about victim applications when they contend for cache accesses [13,15,53], and IMU sensor readings could be used to infer users' keystrokes [1,2,26,33,35,39]. However, the correlations between these hardware data and user activities are usually weak and ambiguous, and are susceptible to various system factors and random noise in practice [25].…”

Section: Introductionmentioning

confidence: 99%

Eavesdropping user credentials via GPU side channels on smartphones

Yang

Chen

Huang

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

Graphics Processing Unit (GPU) on smartphones is an effective target for hardware attacks. In this paper, we present a new side channel attack on mobile GPUs of Android smartphones, allowing an unprivileged attacker to eavesdrop the user's credentials, such as login usernames and passwords, from their inputs through onscreen keyboard. Our attack targets on Qualcomm Adreno GPUs and investigate the amount of GPU overdraw when rendering the popups of user's key presses of inputs. Such GPU overdraw caused by each key press corresponds to unique variations of selected GPU performance counters, from which these key presses can be accurately inferred. Experiment results from practical use on multiple models of Android smartphones show that our attack can correctly infer more than 80% of user's credential inputs, but incur negligible amounts of computing overhead and network traffic on the victim device. To counter this attack, this paper suggests mitigations of access control on GPU performance counters, or applying obfuscations on the values of GPU performance counters. CCS CONCEPTS• Security and privacy → Systems security; • Human-centered computing → Ubiquitous and mobile computing.

show abstract

“…Prior keystroke recovery attacks have targeted procf [48], audio [70], CPU scheduling [71], Wi-Fi Signals [72], interrupts [73] and graphic renderings [74]. Song et al [47] were the first to use SSH network packets to exploit interleaving times for password recovery, using a Hidden Markov Model (HMM) to model character pairs.…”

Section: Keystroke Attacksmentioning

confidence: 99%

NetCAT: Practical Cache Attacks from the Network

Kurth

Gras

Andriesse

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.

show abstract

Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries

Cited by 32 publications

References 26 publications

Dynamic Process Isolation

Dynamic Process Isolation

Eavesdropping user credentials via GPU side channels on smartphones

NetCAT: Practical Cache Attacks from the Network

Contact Info

Product

Resources

About