
Title: Packet Chasing: Spying on Network Packets over a Cache Side-Channel
This paper presents Packet Chasing, an attack on the network that does not require access to the network, and works regardless of the privilege level of the process receiving the packets. A spy process can easily probe and discover the exact cache location of each buffer used by the network driver. Even more useful, it can discover the exact sequence in which those buffers are used to receive packets. This then enables packet frequency and packet sizes to be monitored through cache side channels. This allows both covert channels between a sender and a remote spy with no access to the network, as well as direct attacks that can identify, among other things, the web page access patterns of a victim on the network. In addition to identifying the potential attack, this work proposes a software-based short-term mitigation as well as a light-weight, adaptive, cache partitioning mitigation that blocks the interference of I/O and CPU requests in the last-level cache.
Award ID(s): 1823444
NSF-PAR ID: 10207938
Journal Name: International Symposium on Computer Architecture
Page Range or eLocation-ID: 721 to 734
Sponsoring Org: National Science Foundation
More Like this
  1. Despite advances in network security, attacks targeting mission-critical systems and applications remain a significant problem for network and datacenter providers. Existing telemetry platforms detect volumetric attacks at terabit scales using approximation techniques and coarse-grained analysis. However, the prevalence of low-and-slow attacks that require very little bandwidth makes flow-state tracking critical to overall attack mitigation. Traffic queries deployed on network switches are often limited by hardware constraints, preventing them from carrying out the flow-tracking features required to detect stealthy attacks. Such attacks can go undetected in the midst of high traffic volumes. We design SmartWatch, a novel flow-state tracking and flow-logging system that operates at line rate, using SmartNICs to optimize performance and simultaneously detect a number of stealthy attacks. SmartWatch leverages advances in switch-based network telemetry platforms to process the bulk of the traffic and forward only suspicious traffic subsets to the SmartNIC. The programmable network switches perform coarse-grained traffic analysis while the SmartNIC conducts the finer-grained analysis, which involves additional processing of the packet as a 'bump-in-the-wire'. A control loop between the SmartNIC and the programmable switch tunes the queries performed in the switch to direct the most appropriate traffic subset to the SmartNIC. SmartWatch's cooperative monitoring approach yields a 2.39 times better detection rate compared to existing platforms deployed on programmable switches. SmartWatch can detect covert timing channels and perform website fingerprinting more efficiently than standalone programmable-switch solutions, relieving switch memory and control-plane processor resources. Compared to host-based approaches, SmartWatch can reduce packet processing latency by 72.32%.
  2. Over the past decades, the major objectives of computer design have been to improve performance and to reduce cost, energy consumption, and size, while security has remained a secondary concern. Meanwhile, malicious attacks have rapidly grown as the number of Internet-connected devices, ranging from personal smart embedded systems to large cloud servers, has been increasing. Traditional antivirus software cannot keep up with the increasing incidence of these attacks, especially for exploits targeting hardware design vulnerabilities. For example, as DRAM process technology scales down, it becomes easier for DRAM cells to electrically interact with each other. For instance, in Rowhammer attacks, it is possible to corrupt data in nearby rows by reading the same row in DRAM. As Rowhammer exploits a computer hardware weakness, no software patch can completely fix the problem. Similarly, there is no efficient software mitigation for the recently reported Spectre attack, which exploits microarchitectural design vulnerabilities to leak protected data through side channels. In general, completely fixing hardware-level vulnerabilities would require a redesign of the hardware, which cannot be backported. In this paper, we demonstrate that by monitoring deviations in microarchitectural events, such as cache misses and branch mispredictions, from existing CPU performance counters, hardware-level attacks such as Rowhammer and Spectre can be efficiently detected at runtime with promising accuracy and reasonable performance overhead using various machine learning classifiers.
  3. Network densification through the deployment of WiFi access points (APs) is a promising solution towards achieving the high connectivity rates required for emerging applications. A critical first step is to discover an AP before an active association between the client and the AP can be established. Legacy AP discovery procedures initiated by the client result in high latency, on the order of a few hundred milliseconds, and waste spectrum, especially when clients need to frequently switch between multiple APs. We propose CSIscan, which exploits the broadcast nature of WiFi channels by embedding discovery-related information within an AP's ongoing regular transmissions. The AP does this by intelligently distorting the transmitted OFDM frame, inducing perturbations in the preamble; these injected 'bits' of information are detected via changes in the perceived channel state information (CSI). A deep learning framework allocates the optimal level of distortion on a per-subcarrier basis that keeps the resulting packet error rate below 1%. Existing clients perceive no changes in their ongoing communication, while potential new clients quickly obtain discovery information at the same time. We experimentally demonstrate that CSIscan reduces the overall WiFi latency from 150 ms to 10 ms and improves spectrum utilization with a ~72% reduction in probe traffic. We show that CSIscan delivers up to 40 discovery information bits in the outgoing WiFi packet in an indoor environment.
  4. Coherent optical excitations in two-dimensional (2D) materials, 2D polaritons, can generate a plethora of optical phenomena that arise from extraordinary dispersion relations that do not exist in regular materials. Probing the dynamical phenomena of 2D polaritons requires simultaneous spatial and temporal imaging capabilities and could reveal unknown coherent optical phenomena in 2D materials. Here, we present a spatiotemporal measurement of 2D wave packet dynamics, from formation to decay, using an ultrafast transmission electron microscope driven by femtosecond mid-infrared pulses. The ability to coherently excite phonon-polariton wave packets and probe their evolution in a nondestructive manner reveals intriguing dispersion-dependent dynamics that include splitting of multibranch wave packets and, unexpectedly, wave packet deceleration and acceleration. Access to the full spatiotemporal dynamics of 2D wave packets can be used to illuminate puzzles in topological polaritons and to discover exotic nonlinear optical phenomena in 2D materials.

  5. Virtual private networks (VPNs) allow organizations to support their remote employees by creating tunnels that ensure confidentiality, integrity and authenticity of communicated packets. However, these same services are often provided by the application, in protocols such as TLS. As a result, the historical driving force for VPNs may be in decline. Instead, VPNs are often used to determine whether a communicating host is a legitimate member of the network to simplify filtering and access control. However, this comes with a cost: VPN implementations often introduce performance bottlenecks that affect the user experience. To preserve straightforward filtering without the limitations of VPN deployments, we explore a simple network-level identifier that allows remote users to provide evidence that they have previously been vetted. This approach uniquely identifies each user, even if they are behind Carrier-Grade Network Address Translation, which causes widespread IP address sharing. Such identifiers remove the redundant cryptography, packet header overheads, and need for dedicated servers to implement VPNs. This lightweight approach can achieve access control goals with minimal performance overheads.