Sharjeel Khan

Chris Porter, Sharjeel Khan, Santosh Pande

Modern code reuse attacks are taking full advantage of bloated software. Attackers piece together short sequences of instructions in otherwise benign code to carry out malicious actions. Eliminating these reusable code snippets, known as gadgets, has become one of the prime concerns of attack surface reduction. The aim is to break these chains of gadgets, thereby making such code reuse attacks impossible or substantially less common. Previous work on attack surface reduction has typically tried to eliminate such attacks by subsetting the application, e.g. via user-specified inputs, configurations, or features, or by focusing on third-party libraries to achieve high gadget reductions with minimal interference to the application. In this work we present a general, whole-program attack surface reduction technique called OCA that significantly reduces gadgets and has minor performance degradation. OCA requires no user inputs and leaves all features intact. OCA identifies specific program points and through analysis determines key function sets to enable/disable at runtime. The runtime system, thus, controls the set of enabled functions during execution, thereby significantly reducing the set of active gadgets an attacker can use, and by extension, cutting down the set of active gadget chains dramatically. On SPEC CPU 2017, our framework achieves 73.2% total gadget reduction with only 4% average slowdown. On 10 GNU coreutils applications, it achieves 87.2% reduction. On the nginx server it achieves 80.3% reduction with 2% slowdown. We also provide a gadget chain-breaking study across all applications, and show that our framework breaks the shell-spawning chain in all cases.

Sharjeel Khan, Girish Mururu, Santosh Pande

Side channel attacks steal secret keys by cleverly leveraging information leakages and can, therefore, break encryption. Thus, detection and mitigation of side channel attacks is a very important problem, but the solutions proposed in the literature have limitations in that they do not work in a real-world multi-tenancy setting on servers, have high false positives, or have high overheads. In this work, we demonstrate a compiler guided scheduler, Biscuit, that detects cache-based side channel attacks for processes scheduled on multi-tenancy server farms. A key element of this solution involves the use of a cache-miss model which is inserted by the compiler at the entrances of loop nests to predict the cache misses of the corresponding loop. Such inserted library calls, or beacons, convey the cache miss information to the scheduler at run time, which uses it to co-schedule processes such that their combined cache footprint does not exceed the maximum capacity of the last level cache. The scheduled processes are then monitored for actual vs predicted cache misses, and when an anomaly is detected, the scheduler performs a search to isolate the attacker. We show that Biscuit is able to detect and mitigate Prime+Probe, Flush+Reload, and Flush+Flush attacks on OpenSSL cryptography algorithms with an F-score of 1, and also to detect and mitigate degradation of service on a vision application suite with an F-score of 0.9375. Under a no-attack scenario, the scheme poses low overheads (up to a maximum of 6 percent). In the case of an attack, the scheme ends up with less than 11 percent overhead and is able to reduce the degradation of service in some cases by 40 percent. With these many desirable features such as an ability to deal with multi-tenancy, its ability to detect attacks early, its ability to mitigate those attacks, and low runtime overheads, Biscuit is a practical solution.