Mitigating Memory Controller Side Channels
Author(s)
Deutsch, Peter William
Advisor
Yan, Mengjia
Abstract
Memory timing side channels, where attackers utilize contention within DRAM controllers to infer a victim’s secrets, pose an important challenge to secure computation in shared memory environments. Attacks utilizing these side channels are broad and highly effective, as memory controllers offer a shared attack surface across all cores on a machine. Attacks have been demonstrated in the wild to leak cryptographic keys and other secret data, emphasizing the importance of employing mitigations to block the ability of an attacker to leak information. Existing state-of-the-art memory timing side channel mitigations have several key performance and security limitations. Prior schemes require onerous static bandwidth partitioning, extensive profiling phases, or simply fail to protect against attacks which exploit fine-grained timing and bank information.
In this thesis we present DAGguise, a defense mechanism which fully protects against memory timing side channels while allowing for dynamic traffic contention in order to achieve good performance. DAGguise utilizes a novel abstract memory access representation, the Directed Acyclic Request Graph (rDAG for short), to model memory access patterns which experience contention. DAGguise shapes a victim’s access patterns according to a publicly known rDAG obtained through a lightweight profiling stage, completely eliminating information leakage.
We formally verify the security of DAGguise, proving that it maintains strong security guarantees. Moreover, by allowing dynamic traffic contention, DAGguise achieves a 12% overall system speedup relative to Fixed Service, which is the state-of-the-art mitigation mechanism, with up to a 20% relative speedup for co-located applications which do not require protection. We further claim that the principles of DAGguise can be generalized to protect against other types of scheduler-based timing side channels, such as those targeting on-chip networks, or functional units in SMT cores.
Date issued
2022-09
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology