These slides were presented by Alberto Carelli, Ph.D. student from TestGroup, who presented our latest study on “Shielding Performance Monitor Counters: a double edge weapon for safety and security” at the 24th IEEE International Symposium on On-Line Testing and Robust System Design (Hotel Cap Roig, Platja d’Aro, Costa Brava, Spain, July 2-4, 2018).
Recent years have witnessed the growing adoption of Cyber-Physical Systems (CPSs) in many sectors such as automotive, aerospace, civil infrastructures and healthcare. Several CPS applications include critical scenarios, where a failure of the system can lead to catastrophic consequences. Therefore, anomalies due to failures or malicious attacks must be detected in a timely manner. This paper focuses on two relevant aspects of the design of a CPS: safety and security. In particular, it studies how performance monitor counters (PMCs) available in modern microprocessors can be, on the one hand, a valuable tool to enhance the safety of a system and, on the other hand, a security backdoor. Starting from the example of a PMC-based safety mechanism, the paper shows the implementation of a possible attack and finally proposes a strategy to mitigate the effectiveness of the attack while preserving the safety of the system.
Watch the presentation at: https://youtu.be/GV5xRDgfCw4
Paper information:
A. Carelli, A. Vallero and S. Di Carlo, “Shielding Performance Monitor Counters: a double edge weapon for safety and security”, 24th IEEE International Symposium on On-Line Testing and Robust System Design 2018 (IOLTS 2018), Platja d'Aro, Spain, July 2-4, 2018.
Shielding Performance Monitor Counters: a double edge weapon for safety and security
1. Shielding Performance Monitor Counters: a double edge weapon for safety and security
A. Carelli, A. Vallero and S. Di Carlo
24th IEEE International Symposium on On-Line Testing and Robust System Design
Hotel Cap Roig, Platja d’Aro, Costa Brava, Spain, July 2-4, 2018
2. MOTIVATIONS
What is the relation between safety and security of Cyber Physical Systems?
• The application of Cyber Physical Systems (CPSs) is becoming pervasive, even for critical structures
• Safety and security must be taken into account to prevent misbehavior leading to catastrophic consequences.
• In modern microprocessors the usage of Performance Monitor Counters (PMCs):
✚ helps to detect timing violations and other physical failures
⁃ can be exploited to perform attacks compromising security
3. MOTIVATIONS
What is the relation between safety and security of Cyber Physical Systems?
We want to protect PMC from security attacks without compromising safety
8. CPS ARCHITECTURE
[Figure: node architecture. Applications: safety tasks. Operating System: PMC Service. uProcessor: Performance Monitor Counters]
1) Off-line phase: PMCs profiling
2) On-line phase: PMCs monitoring
Safety is guaranteed through PMCs as proposed in [S. Esposito et al., ACM-TECS, 2017]
9. SAFETY TECHNIQUE
Detecting deadline misses
Off-line phase: PMCs profiling
• Profile each application to collect PMC values related to their execution time
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application]
What is the probability the execution time of the application is lower than t?
10. SAFETY TECHNIQUE
Detecting deadline misses
Off-line phase: PMCs profiling
• Profile each application to collect PMC values related to their execution time
• Define 2 thresholds related to the CDF in order to decide when the execution of an application is safe or critical
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application]
11. SAFETY TECHNIQUE
Detecting deadline misses
Off-line phase: PMCs profiling
Warning Threshold - WTH
Critical Threshold - CTH
$P(X > WTH) < C_W \rightarrow F_X(WTH) > 1 - C_W$
$P(X > CTH) < C_C \rightarrow F_X(CTH) > 1 - C_C$
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, with WTH, CTH, CW and CC marked]
12. SAFETY TECHNIQUE
Detecting deadline misses
On-line phase: PMCs monitoring
• Decide if the execution of an application is critical or not critical
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, with CTH marked]
13. SAFETY TECHNIQUE
Detecting deadline misses
On-line phase: PMCs monitoring
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, Critical Area highlighted]
When the execution time of an application exceeds CTH, it is classified as critical
14. SAFETY TECHNIQUE
Detecting deadline misses
On-line phase: PMCs monitoring
• Decide if the execution of an application is safe or potentially critical
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, with WTH marked]
15. SAFETY TECHNIQUE
Detecting deadline misses
On-line phase: PMCs monitoring
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, Safe Area highlighted]
When the execution time of an application is lower than WTH, it is classified as safe
16. SAFETY TECHNIQUE
Detecting deadline misses
On-line phase: PMCs monitoring
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, Warning Area highlighted]
When the execution time of an application is between WTH and CTH, it is classified as potentially critical
17. SAFETY TECHNIQUE
Detecting deadline misses
On-line phase: PMCs monitoring
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, Warning Area highlighted]
If the application is classified as potentially critical α times consecutively, the application is classified as critical
18. CPS ARCHITECTURE
Attack Model
[Figure: node architecture. Applications: tasks, safety tasks, malicious task. Operating System services: Encryption Service (KEY), PMC Service. uProcessor: Performance Monitor Counters]
Side-channel attack based on PMCs [Bonneau et al., CHES, 2006]
• Target: AES encryption key
• Exploits the data locality of the final round S-box in cache memories
• Evolves a guessed key according to encryption time and ciphertext
We assume that the attacker can
• inject malicious tasks in a node
• probe PMCs and trigger the encryption process
19. ATTACK MITIGATION
Finding the correct dose of poison for PMCs
[Figure: node architecture. Operating System services: Encryption Service (KEY), PMC Service. uProcessor: Performance Monitor Counters]
Solution: Poison the values of PMCs to neutralize the attack
20. ATTACK MITIGATION
Finding the correct dose of poison for PMCs
Solution: Poison the values of PMCs to neutralize the attack
The safety task will be affected by the poisoning too, thus it might fail!
21. ATTACK MITIGATION
Finding the correct dose of poison for PMCs
Solution: Poison the values of PMCs to neutralize the attack
What’s your poison???
• Fixed value alteration
• Random value alteration
22. ATTACK MITIGATION
Finding the correct dose of poison for PMCs
On-line phase: PMCs monitoring
Both Safety task and malicious task monitor PMCs.
As countermeasure for the attack, the PMC value is altered
$PMC = PMC + c$
$c = U(0, s \times (WTH - \mu)/2)$
• s is a scaling factor
• µ is the average of PMC value
[Figure: node architecture. Applications: tasks, safety tasks, malicious task. Operating System services: Encryption Service (KEY), PMC Service. uProcessor: Performance Monitor Counters]
23. ATTACK MITIGATION
Finding the correct dose of poison for PMCs
On-line phase: PMCs monitoring
[Figure: plot with µ, WTH and CTH marked]
24. ATTACK MITIGATION
Finding the correct dose of poison for PMCs
On-line phase: PMCs monitoring
[Figure: plot with µ, WTH and CTH marked]
25. EXPERIMENTAL RESULTS
Experimental Setup
• Experiments are conducted on a Slave node
• It runs 7 applications:
⁃ MiBench [*] benchmarks used: cjpeg, djpeg, fft, qsort, susan smoothing, susan edges and susan corners
• Linux-like Operating System, with additional modules implemented:
⁃ PMC reading service
⁃ encryption service (AES algorithm)
• PMC considered: Clock Cycle Counter (on Intel Core i7 Q720 @1.6 GHz)
• 100 K samples, repeated 1,000 times for each application
• CW = 5% and CC = 0.6%
[*] M.R. Guthaus et al., IEEE-WWC-4, 2001
26. EXPERIMENTAL RESULTS
Experimental Setup
[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, with WTH, CTH, CW and CC marked]
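The off-line thresholds, the on-line classification with α consecutive warnings and the poisoning formula PMC = PMC + c from the slides above, combined in a small simulation (added example, not code from the paper or its authors). The Gaussian cycle counts are constructed, the function names are hypothetical, and resetting the warning streak after an escalation is an assumption; CW = 5%, CC = 0.6% and α = 3 are the values from the experimental setup.

```python
import math
import random

def thresholds(profile, cw=0.05, cc=0.006):
    """Off-line phase: derive (WTH, CTH) from the empirical CDF of a profile."""
    xs, n = sorted(profile), len(profile)
    def at(conf):
        # Rank ceil((1 - conf) * n) gives F_X(t) > 1 - conf, i.e. P(X > t) < conf.
        return xs[min(n - 1, math.ceil((1.0 - conf) * n))]
    return at(cw), at(cc)

def classify(samples, wth, cth, alpha=3):
    """On-line phase: safe below WTH, critical above CTH, warning in between.
    alpha consecutive warnings escalate to critical. Resetting the streak after
    an escalation or a critical sample is an assumption of this sketch."""
    labels, streak = [], 0
    for x in samples:
        if x > cth:
            label, streak = "critical", 0
        elif x < wth:
            label, streak = "safe", 0
        else:
            label, streak = "warning", streak + 1
            if streak >= alpha:
                label, streak = "critical", 0
        labels.append(label)
    return labels

def poison(pmc, wth, mu, s, rng):
    """Mitigation: PMC = PMC + c with c ~ U(0, s * (WTH - mu) / 2)."""
    return pmc + rng.uniform(0.0, s * (wth - mu) / 2.0)

def false_critical_rate(s, n=20000, alpha=3, seed=1):
    """Fraction of fault-free executions the safety task flags as critical
    when it reads poisoned counters. s = 0 means no poisoning."""
    rng = random.Random(seed)
    # Constructed data: Gaussian cycle counts, not the paper's measurements.
    profile = [rng.gauss(1_000_000, 50_000) for _ in range(n)]
    online = [rng.gauss(1_000_000, 50_000) for _ in range(n)]
    wth, cth = thresholds(profile)
    mu = sum(profile) / n
    noise = random.Random(seed + 1)  # same draws for every s, so runs are comparable
    seen = [poison(x, wth, mu, s, noise) for x in online]
    return classify(seen, wth, cth, alpha).count("critical") / n

if __name__ == "__main__":
    for s in (0.0, 0.2, 0.4, 0.6, 0.8):
        print(f"s={s:.1f}  false critical rate={false_critical_rate(s):.4%}")
```

Because every run reuses the same noise draws, the printed rate can only grow with s, which makes the safety cost of a larger poison dose directly visible.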
27. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8 and α=3
[Figure: Task (%) misclassified as critical, for enc, fft, cjpeg, djpeg, qsort, corn, edges, smooth and avg; series s-0.2]
28. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8 and α=3
[Figure: Task (%) misclassified as critical, same benchmarks; series s-0.2 and s-0.4]
29. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8 and α=3
[Figure: Task (%) misclassified as critical, same benchmarks; series s-0.2, s-0.4 and s-0.6]
30. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8 and α=3
[Figure: Task (%) misclassified as critical, same benchmarks; series s-0.2, s-0.4, s-0.6 and s-0.8]
31. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8 and α=3
[Figure: Task (%) misclassified as critical, same benchmarks; series s-0.2, s-0.4, s-0.6 and s-0.8]
With increasing values of the scaling factor s, the percentage of misclassified executions increases
32. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8 and α=3
[Figure: Percentage of samples misclassified as critical, Wrn and Err columns for enc, fft, cjpeg, djpeg, qsort, corn, edges, smooth and avg; series s-0.2, s-0.4, s-0.6 and s-0.8]
33. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8 and α=3
[Figure: Percentage of samples misclassified as critical, Wrn and Err columns for the same benchmarks; series s-0.2, s-0.4, s-0.6 and s-0.8]
The increase of Err and WrnToErr depends on the CDF of each benchmark
37. CONCLUSIONS
Final remarks
• We presented the interplay between safety and security aspects in the design of a CPS
• The PMCs play a double role:
⁃ on the one hand they are employed for a safety mechanism
⁃ on the other hand, they can be exploited as a security vulnerability
• We proposed an attack mitigation strategy
• Further on-going work is underway to extend the case study
47. EXPERIMENTAL RESULTS
Scaling factor s ranging from 0.2 to 0.8
[Figure: Recovery actions: False positives Vs. Correct detections, in percent, for enc, fft, cjpeg, djpeg, qsort, corn, edges, smooth and avg; configurations a-3, a-3-s0.2, a-3-s0.4, a-3-s0.6 and a-3-s0.8]
The increase of s translates into an increase of false positives
48. EXPERIMENTAL RESULTS
Security perspective
• Without PMC protection: attack successful in 65M samples
• With PMC protection:
⁃ Attack successful after 163M (~2.5x) of samples (s=0.2)
⁃ Attack successful after 204M (~3.1x) of samples (s=0.4)
49. EXPERIMENTAL RESULTS
Security perspective
Best conditions for the attacker! (lowest corruption value)
50. SAFETY TECHNIQUE
Finding the correct dose of poison for PMCs
Off-line phase: PMCs profiling
• Profile tasks to collect PMC values related to the execution time
[Figure: Time Profile for a Task; axes: Iteration, Execution Time (Clock Cycles)]
51. SAFETY TECHNIQUE
Finding the correct dose of poison for PMCs
Off-line phase: PMCs profiling
$P(X > T_W) < C_W \rightarrow F_X(T_W) > 1 - C_W$
$P(X > T_C) < C_C \rightarrow F_X(T_C) > 1 - C_C$
• Profile tasks to collect PMC values
• Define 3 operating areas:
• safe, warning, critical
• Respective thresholds TW and TC are based on confidence levels (CW and CC)
[Figure: Critical Area]
52. SAFETY TECHNIQUE
Finding the correct dose of poison for PMCs
Off-line phase: PMCs profiling
[Figure: Cumulative Distribution Function (CDF) of a task execution time (in clock cycles)]
53. SAFETY TECHNIQUE
Finding the correct dose of poison for PMCs
Off-line phase: PMCs profiling
[Figure: Safe Area]
54. SAFETY TECHNIQUE
Finding the correct dose of poison for PMCs
Off-line phase: PMCs profiling
[Figure: Warning Area]
55. SAFETY TECHNIQUE
Finding the correct dose of poison for PMCs
On-line phase: PMCs monitoring
[Figure: Critical Area, Warning Area, Safe Area]
56. SAFETY TECHNIQUE
Finding the correct dose of poison for PMCs
On-line phase: PMCs monitoring
[Figure: Critical Area, Warning Area and Safe Area, with outcomes Ok and Err and the check "a-consecutive warnings?"]
Which discuss the mutual interaction of 2 design aspects which are safety and sec [when designing a sys]
CPS are becoming m&m pervasive and find appl in CI, where Saf&Sec are 2 mandatory aspects to consider
Safety & sec must be considered together bcs safety techn might negatively affect sec of the system and vice versa.
To demonstrate this, we know there are a certain no of safety techn based on PC, however the PC are a src of SCA
In our work, we show a possible way to safely & securely use PCs, mitigating possible attacks
We consider a distributed system architecture because it is used in most CPS
In our work we focus on the node
Node is uP-based system, with an OS, running applications for the node
OS offers Enc srv, bcs sec comm of data xchanged
OS offers PMC srv, bcs as I’ll show, they will be used for safety mechn
[Indeed, nodes might fail, so it is necessary to guarantee safety -> add tasks]
Indeed, nodes might fail, so it is necessary to guarantee safety -> add safety mech as safety tasks
The nodes must meet deadlines, so the safety task checks that the deadlines are met
In the offline phase, every app is profiled to collect its exec time
Given the collected data, we built the cdf chart which tells
These 2 th are defined as W and C, and have an associated respective confidence level
During the online phase the applications are monitored and their exec time is …
Replace «What’s your poison» with «How?» or «How much?»
«neutralize»: we do not demonstrate that we neutralize the attack. We simply delay the discovery of the key