Unveiling Your Keystrokes

Unveiling your keystrokes: A
Cache-based Side-channel
Attack on Graphics Libraries
Daimeng Wang, Ajaya Neupane, Zhiyun Qian,
Nael Abu−Ghazaleh, Srikanth V. Krishnamurthy,
Edward J. M. Colbert † , Paul Yu‡
University of California Riverside, Virginia Tech † ,
U. S. Army Research Lab ‡
Introduction
Graphics is essential
Graphic rendering is complex
gdk, gtk, pixman, freetype, cairo, skia, hwui, …
2/26/2019 NDSS 2019 2

Introduction
Graphics is essential
Graphic rendering is complex
gdk, gtk, pixman, freetype, cairo, skia, hwui, …
0x53
2/26/2019 NDSS 2019 3

Example
static void D32_LCD32_Opaque(...) {
...
do {
blit_lcd32_opaque_row(dstRow, srcRow, color, width);
dstRow = (SkPMColor*)((char*)dstRow + dstRB);
srcRow = (const SkPMColor*)((const char*)srcRow + maskRB);
} while (--height != 0);
}
static void blit_lcd32_opaque_row(dst, src, color, width) {

...
for (int i = 0; i < width; i++) {
if (0 == src[i]) {
continue;
}
...
}
}
2/26/2019 NDSS 2019 4

Example
static void D32_LCD32_Opaque(...) {
...
do {
blit_lcd32_opaque_row(dstRow, srcRow, color, width);
dstRow = (SkPMColor*)((char*)dstRow + dstRB);
srcRow = (const SkPMColor*)((const char*)srcRow + maskRB);
} while (--height != 0);
}
static void blit_lcd32_opaque_row(dst, src, color, width) {

...
for (int i = 0; i < width; i++) {
if (0 == src[i]) {
continue;
}
...
}
}
2/26/2019 NDSS 2019 5

Exploiting the Side-channel
If an attacker can know when …
Text rendering procedure starts
Text rendering procedure ends
S
Render Render
Start Finish
2/26/2019 NDSS 2019 6

Potentially Vulnerable Apps
2/26/2019 NDSS 2019 7

Example: Onboard
Onscreen keyboard
Ubuntu 16.04
2/26/2019 NDSS 2019 8

Example: Onboard
Onscreen keyboard
Ubuntu 16.04
2/26/2019 NDSS 2019 9

Attack: Onboard
2/26/2019 NDSS 2019 10

Attack: Onboard
2/26/2019 NDSS 2019 11

Challenges
How to perform measurement?
Unprivileged attacker
Render Render
Start Finish
2/26/2019 NDSS 2019 12

Challenges
How to find start/end of rendering?
Millions of code. Multiple libraries.
Varies from application to application.
Render Render
Start Finish
2/26/2019 NDSS 2019 13

Challenges
Noise?
Victim’s noise
CPU cache, TLB, branch prediction, …
Attacker’s noise
Render Render
Start Finish
2/26/2019 NDSS 2019 14

Challenges
Perform measurement without privilege
Discover side-channel in graphic libraries
Noise-resistant key prediction
2/26/2019 NDSS 2019 15

Threat Model
Attacker’s goal
Eavesdrop sensitive text input that will be rendered on screen
PIN, passwd, etc
Attacker’s capabilities
Access to same model/version of victim’s hardware and graphic
libraries
Offline profiling
Launch unprivileged process alongside victim process
Online attack
2/26/2019 NDSS 2019 16

Performing Measurement
… …
libA.so
renderStart()
renderEnd() libA.so
renderStart()
renderEnd()
… …
2/26/2019 NDSS 2019 17
Physical Memory
… …
libA.so renderStart()
renderStart() renderEnd()
renderEnd() libA.so
renderStart()
renderEnd()
… …
2/26/2019 NDSS 2019 18
Physical Memory
… …
renderEnd() libA.so
renderStart()
renderEnd()
CPU LLC …
…
2/26/2019 NDSS 2019 19
Flush+Reload
Physical Memory
…
…
…
…
renderEnd() libA.so
renderStart()
renderEnd()
CPU LLC
… …
2/26/2019 NDSS 2019 20
Flush+Reload 𝑡𝑠𝑡𝑎𝑟𝑡
Physical Memory
…
…
…
…
renderEnd() libA.so
renderStart()
renderEnd()
CPU LLC
… …
2/26/2019 NDSS 2019 21
Flush+Reload 𝑡𝑠𝑡𝑎𝑟𝑡 𝑡𝑒𝑛𝑑
Physical Memory 𝑡𝑟𝑒𝑛𝑑𝑒𝑟 = 𝑡𝑒𝑛𝑑 − 𝑡𝑠𝑡𝑎𝑟𝑡
…
…
…
…
renderEnd() libA.so
renderStart()
renderEnd()
CPU LLC
… …
2/26/2019 NDSS 2019 22
Measurement Resolution
Onboard
~ 600ns per round
~ 350,000ns rendering
Render Render
Start Finish
2/26/2019 NDSS 2019 23

Side-channel Discovery
Instrument graphic libraries & collect victim trace
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
2/26/2019 NDSS 2019 24

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
2/26/2019 NDSS 2019 25

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
2/26/2019 NDSS 2019 26

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
2/26/2019 NDSS 2019 27

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
2/26/2019 NDSS 2019 28

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
2/26/2019 NDSS 2019 29

Select pairs of addresses 𝑎𝑥 , 𝑎𝑦 > 6 million pairs
𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is long enough for flush+reload to measure

𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is stable across the same input
𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 has high information gain ~1000 pairs
𝑎𝑥 , 𝑎𝑦 not affected by cache architecture
2/26/2019 NDSS 2019 30

Select pairs of addresses 𝑎𝑥 , 𝑎𝑦 > 6 million pairs
𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is long enough for flush+reload to measure

𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is stable across the same input
𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 has high information gain ~1000 pairs
𝑎𝑥 , 𝑎𝑦 not affected by cache architecture
Sanity Check: Run attack offline

Filter out addressed affected system noise <100 pairs
Filter out addressed affected by instrumentation
2/26/2019 NDSS 2019 31

Keypress Prediction
Machine Learning Model Construction
Collect measurements for all different user inputs
Random Forest with 100 estimators
s:0.70, a:0.15
n:0.12, m:0.03
Keypress Prediction
Classify measurement with confidence
2/26/2019 NDSS 2019 32

Challenges
Perform measurement without privilege
Discover side-channel in graphic libraries
Noise-resistant key prediction
2/26/2019 NDSS 2019 33

Attack 1: Onboard
Ubuntu 16.04, Intel Core i7-4770
# Address Library Function
1 0x75a40 libcairo.so _cairo_surface_create_scratch
0x69e40 libcairo.so _cairo_scaled_font_map_lock
2 0x69e40 libcairo.so _cairo_scaled_font_map_lock
0x41f40 libcairo.so _cairo_intern_string
3 0x24440 libcairo.so _cairo_clip_copy_with_translation
0xbe000 libcairo.so _cairo_ft_unscaled_font_lock_face
4 0x6b900 libcairo.so _cairo_path_fixed_approximate_stroke_extents
0x41700 libcairo.so _intern_string_pluc
5 0x6a5c0 libcairo.so _cairo_scaled_font_thaw_cache
0x41700 libcairo.so _intern_string_pluc
2/26/2019 NDSS 2019 34

Attack 1: Onboard
Single keypress prediction
2/26/2019 NDSS 2019 35

Attack 1: Onboard
Augment 1: Multiple logins
2/26/2019 NDSS 2019 36

Attack 1: Onboard
2/26/2019 NDSS 2019 37

Attack 1: Onboard
Augment 2: Dictionary
2/26/2019 NDSS 2019 38

Attack 2: Capital One
Huawei Nexus 6P. Android 8.0
Flush+reload => Evict+reload
Resolution 20x lower than Intel
2/26/2019 NDSS 2019 39

2/26/2019 NDSS 2019 40

2/26/2019 NDSS 2019 41

Pre-render triggered only once
# Library Function
1 libskia.so SkScalerContext_FreeType_Base
::generateGlyphImage
libskia.so SkMask::getAddr
2 libskia.so SkGlyph::computeImageSize
libskia.so SkAAClipBlitter::~SkAAClipBlitter
2/26/2019 NDSS 2019 42

Attack 2: CapitalOne
Augment 1: 10 logins
2/26/2019 NDSS 2019 43

2/26/2019 NDSS 2019 44

Augment 2: Dictionary
2/26/2019 NDSS 2019 45

Other Apps
2/26/2019 NDSS 2019 46

Discussion
Measurement challenge
Measurement resolution
Extensions
Mitigations
2/26/2019 NDSS 2019 47

Discussion
Extensions
Inter-keystroke timing
Combining with other side-channels
Examine other libraries
Mitigations
2/26/2019 NDSS 2019 48

Discussion
Extensions
Mitigations
Prevent flush+reload
Constant-time rendering
2/26/2019 NDSS 2019 49

Conclusion
Effective execution time measurement
Exposing side-channels in graphics libraries
Evaluations on real-world applications
Acknowledgement
U.S. Army Research Laboratory Cyber Security Collaborative
Research Alliance
2/26/2019 NDSS 2019 50

Thanks!
Q&A

Unveiling Your Keystrokes

Uploaded by

Copyright:

Available Formats

Unveiling Your Keystrokes

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Unveiling Your Keystrokes

Uploaded by

Copyright:

Available Formats

Unveiling your keystrokes: A

2/26/2019 NDSS 2019 2

2/26/2019 NDSS 2019 3

static void blit_lcd32_opaque_row(dst, src, color, width) {

2/26/2019 NDSS 2019 4

static void blit_lcd32_opaque_row(dst, src, color, width) {

2/26/2019 NDSS 2019 5

2/26/2019 NDSS 2019 6

2/26/2019 NDSS 2019 7

2/26/2019 NDSS 2019 8

2/26/2019 NDSS 2019 9

2/26/2019 NDSS 2019 10

2/26/2019 NDSS 2019 11

2/26/2019 NDSS 2019 12

2/26/2019 NDSS 2019 13

2/26/2019 NDSS 2019 14

Discover side-channel in graphic libraries

Noise-resistant key prediction

2/26/2019 NDSS 2019 15

2/26/2019 NDSS 2019 16

2/26/2019 NDSS 2019 23

2/26/2019 NDSS 2019 24

2/26/2019 NDSS 2019 25

2/26/2019 NDSS 2019 26

2/26/2019 NDSS 2019 27

2/26/2019 NDSS 2019 28

2/26/2019 NDSS 2019 29

𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is long enough for flush+reload to measure

2/26/2019 NDSS 2019 30

𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is long enough for flush+reload to measure

Sanity Check: Run attack offline

2/26/2019 NDSS 2019 31

2/26/2019 NDSS 2019 32

Discover side-channel in graphic libraries

Noise-resistant key prediction

2/26/2019 NDSS 2019 33

2/26/2019 NDSS 2019 34

2/26/2019 NDSS 2019 35

2/26/2019 NDSS 2019 36

2/26/2019 NDSS 2019 37

2/26/2019 NDSS 2019 38

2/26/2019 NDSS 2019 39

2/26/2019 NDSS 2019 40

2/26/2019 NDSS 2019 41

2/26/2019 NDSS 2019 42

2/26/2019 NDSS 2019 43

2/26/2019 NDSS 2019 44

2/26/2019 NDSS 2019 45

2/26/2019 NDSS 2019 46

2/26/2019 NDSS 2019 47

2/26/2019 NDSS 2019 48

2/26/2019 NDSS 2019 49

Exposing side-channels in graphics libraries

Evaluations on real-world applications

2/26/2019 NDSS 2019 50

You might also like