This content will become publicly available on March 31, 2026

Title: MC3: Memory Contention-based Covert Channel Communication on Shared DRAM System-on-Chips
Shared memory system-on-chips (SM-SoCs) are ubiquitously employed by a wide range of computing platforms, including edge/IoT devices, autonomous systems, and smartphones. In SM-SoCs, system-wide shared memory enables a convenient and cost-effective mechanism for making data accessible across dozens of processing units (PUs), such as CPU cores and domain-specific accelerators. Due to the diverse computational characteristics of the PUs they embed, SM-SoCs often do not employ a shared last-level cache (LLC). Although covert channel attacks have been widely studied in shared memory systems, high-throughput communication has previously been feasible only by relying on an LLC or by possessing privileged or physical access to the shared memory subsystem. In this study, we introduce a new memory-contention-based covert communication attack, MC3, which specifically targets shared system memory in mobile SoCs. Unlike existing attacks, our approach achieves high-throughput communication without the need for an LLC or elevated access to the system. We explore the effectiveness of our methodology by demonstrating the trade-off between the channel transmission rate and the robustness of the communication. We evaluate MC3 on NVIDIA Orin AGX, NX, and Nano platforms and achieve transmission rates up to 6.4 Kbps with less than 1% error rate.
Award ID(s):
2350228
PAR ID:
10585129
Publisher / Repository:
Design, Automation and Test in Europe Conference 2025
Format(s):
Medium: X
Location:
Lyon, France
Sponsoring Org:
National Science Foundation
More Like this
  2. We consider the problem of covert communication over a state-dependent channel, for which the transmitter and the legitimate receiver have non-causal access to the channel state information. Covert communication with respect to an adversary, referred to as the “warden,” is one in which the distribution induced during communication at the channel output observed by the warden is identical to the output distribution conditioned on an inactive channel-input symbol. Covert communication involves fooling an adversary in part by a proliferation of codebooks; for reliable decoding at the legitimate receiver the codebook uncertainty is removed via a shared secret key that is unavailable to the warden. Unlike earlier work in state-dependent covert communication, we do not assume the availability of a shared key at the transmitter and legitimate receiver. Rather, a shared randomness is extracted at the transmitter and the receiver from the channel state, in a manner that keeps the shared randomness secret from the warden despite the influence of the channel state on the warden’s output. An inner bound on the covert capacity, in the absence of an externally provided secret key, is derived. 
  3. Covert communication is achieved when a transmitter Alice can successfully transmit a message to a receiver Bob without being detected by an attentive and capable adversary Willie. Early results demonstrated the difficulty of the covert communications problem: with AWGN discrete-time channels between all parties, only O(sqrt(n)) bits can be sent in n channel uses. But it was soon recognized that uncertainty about the environment at Willie, for example, uncertainty in his own noise statistics, could allow for a positive rate: O(n) bits can be sent covertly in n channel uses. However, most covert communication results, including this promising positive rate result, have been obtained for a discrete-time communications channel. Here, we demonstrate that the assumption of a discrete-time channel is problematic when trying to exploit Willie's noise uncertainty. In particular, we demonstrate that if Alice transmits ω(sqrt(T)) bits in a length T interval to Bob on a continuous-time channel, then there exists a detector at Willie that can detect her transmission, as the probability of false alarm and missed detection PMD+PFA→0 as T→∞. In other words, the communication is not covert, unlike the case of a discrete-time channel. 
  4. Commodity operating system (OS) kernels, such as Windows, Mac OS X, Linux, and FreeBSD, are susceptible to numerous security vulnerabilities. Their monolithic design gives successful attackers complete access to all application data and system resources. Shielding systems such as InkTag, Haven, and Virtual Ghost protect sensitive application data from compromised OS kernels. However, such systems are still vulnerable to side-channel attacks. Worse yet, compromised OS kernels can leverage their control over privileged hardware state to exacerbate existing side channels; recent work has shown that a compromised OS kernel can steal entire documents via side channels. This paper presents defenses against page table and last-level cache (LLC) side-channel attacks launched by a compromised OS kernel. Our page table defenses restrict the OS kernel’s ability to read and write page table pages and defend against page allocation attacks, and our LLC defenses utilize the Intel Cache Allocation Technology along with memory isolation primitives. We prototype our solution in a system we call Apparition, building on an optimized version of Virtual Ghost. Our evaluation shows that our side-channel defenses add 1% to 18% (with up to 86% for one application) overhead to the optimized Virtual Ghost (relative to the native kernel) on real-world applications.
  5. Network-on-chip (NoC) is widely used as an efficient communication architecture in multi-core and many-core System-on-chips (SoCs). However, the shared communication resources in an NoC platform, e.g., channels, buffers, and routers, might be used to conduct attacks compromising the security of NoC-based SoCs. Most of the proposed encryption-based protection methods in the literature require leaving some parts of the packet unencrypted to allow the routers to process/forward packets accordingly. This reveals the source/destination information of the packet to malicious routers, which can be exploited in various attacks. For the first time, we propose the idea of secure, anonymous routing with minimal hardware overhead to encrypt the entire packet while exchanging secure information over the network. We have designed and implemented a new NoC architecture that works with encrypted addresses. The proposed method can manage malicious and benign failures at NoC channels and buffers by bypassing failed components with a situation-driven stochastic path diversification approach. Hardware evaluations show that the proposed security solution combats the security threats at the affordable cost of 1.5% area and 20% power overheads chip-wide. 