![Page 1: Storage Side Channel Attacks in Modern OS and Networking ...zhiyunq/teaching/cs153/lectures/lec25.pdf · UI State Hijacking Attack Demo 24 Video demo: UI state hijacking attack steals](https://reader035.vdocuments.us/reader035/viewer/2022071117/6002e249fa765b03ce1ba4dd/html5/thumbnails/1.jpg)
Zhiyun Qian
University of California, Riverside
Storage Side Channel Attacks in Modern OS and Networking Stacks --- How to break isolation in OS?
Outline
Background and methodology
Android UI state inference
Off-path TCP sequence number inference
Firewall-middlebox-enabled attacks
Host-based attacks
Summary
Side channels - Real world example Mafia game
Another example
Anyone at home? ???
OS Security Mechanism -- Isolation
Memory isolation
OS Security Mechanism -- Isolation
File system isolation
/home
/home/alice    drwx------ alice
/home/bob      drwx------ bob
OS Security Mechanism -- Isolation
Android File system isolation
/data
/data/app1    drwx------ app1
/data/app2    drwx------ app2
OS Security Mechanism -- Isolation
Exceptions: /proc/[pid]/statm, /proc/net/netstat, etc.
Breaking Isolation through Side Channel Attacks
Anyone at home? ???
What is a side channel attack?
Information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses [1]
Timing, power monitoring, acoustic, electromagnetic, etc.
Used as early as World War II.
[1] TEMPEST: A Signal Problem. Journal of Cryptologic Spectrum 1972
Modern side channel attacks
Information gained from the physical design and implementation of a cryptosystem, rather than brute force or theoretical weaknesses
Keystrokes (e.g., password) inference [Song01,Zhang09,Vuagnoux09,Chen10]
Timing, IPID, Power, Electromagnetic waves
Crypto key extraction through VM co-residency [Zhang12]
CPU cache
Clear input/output Passive
Timing vs. Storage side channels
Password authentication
for (i = 0; i < len; i++) {
    if (input[i] != password[i]) {
        failed = true;
        break;
    }
}
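The slide's comparison loop next to a constant-time form, as an added example that is not part of the original slides. The iteration count stands in for running time; the `struct result` type, the function names and the sample strings are assumptions, and both buffers are assumed to be exactly `len` bytes long.

```c
#include <stddef.h>
#include <stdio.h>

struct result { int ok; size_t steps; };

/* The slide's loop: leaves at the first mismatch, so the number of
 * iterations (a stand-in for running time) tracks the matching prefix. */
struct result check_early_exit(const char *input, const char *password, size_t len)
{
    struct result r = { 1, 0 };
    for (size_t i = 0; i < len; i++) {
        r.steps++;
        if (input[i] != password[i]) {
            r.ok = 0;
            break;
        }
    }
    return r;
}

/* Hardened form: every byte is examined and the differences are OR-ed
 * together, so the amount of work does not depend on the data. */
struct result check_constant_time(const char *input, const char *password, size_t len)
{
    struct result r = { 0, 0 };
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) {
        r.steps++;
        diff |= (unsigned char)(input[i] ^ password[i]);
    }
    r.ok = (diff == 0);
    return r;
}

int main(void)
{
    /* Constructed sample values, not taken from the slides. */
    const char *password = "hunter2!";
    const char *guesses[] = { "xxxxxxxx", "huxxxxxx", "huntxxxx", "hunter2!" };
    for (size_t g = 0; g < 4; g++) {
        struct result a = check_early_exit(guesses[g], password, 8);
        struct result b = check_constant_time(guesses[g], password, 8);
        printf("%s  early-exit ok=%d steps=%zu | constant-time ok=%d steps=%zu\n",
               guesses[g], a.ok, a.steps, b.ok, b.steps);
    }
    return 0;
}
```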
Timing vs. Storage side channels
Memory allocation
void secret_func(void) {
    malloc(1000 * 1024);   // 1000 KB
    // … computation
    malloc(1000 * 1024);   // 1000 KB
    // … computation
    malloc(1000 * 1024);   // 1000 KB
    // … computation
}
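Why the allocation pattern above is a storage channel rather than a timing one, as an added example that is not part of the original slides: each 1000 KB allocation shows up as a step in the size counter of a statm line, and counting the steps needs no clock. The sample lines are constructed, the function names are assumptions, and the live variant reads only the calling process's own /proc/self/statm.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* First three fields of a /proc/[pid]/statm line, all counted in pages. */
struct statm { long size, resident, shared; };
/* Constructed samples (not measured): three ~1000 KB jumps plus small noise. */
static const char *const SAMPLES[] = {
    "1200 300 150 1 0 200 0", "1451 300 150 1 0 451 0", "1453 301 150 1 0 453 0",
    "1704 301 150 1 0 704 0", "1955 302 150 1 0 955 0",
};

int parse_statm(const char *line, struct statm *out)
{
    int n = sscanf(line, "%ld %ld %ld", &out->size, &out->resident, &out->shared);
    return n == 3 ? 0 : -1;
}

/* Count jumps of at least min_kb in total size; -1 on a malformed sample. */
int count_growth_steps(const char *const samples[], int n, long page_kb, long min_kb)
{
    struct statm prev, cur;
    int steps = 0;
    if (n < 1 || parse_statm(samples[0], &prev) != 0) return -1;
    for (int i = 1; i < n; i++) {
        if (parse_statm(samples[i], &cur) != 0) return -1;
        if ((cur.size - prev.size) * page_kb >= min_kb) steps++;
        prev = cur;
    }
    return steps;
}

/* Live variant: sample this process's own statm around three allocations. */
int observe_self(void)
{
    static void *volatile keep[3];   /* stops the compiler dropping the mallocs */
    char buf[4][128];
    const char *lines[4];
    for (int i = 0; i < 4; i++) {
        if (i > 0) keep[i - 1] = malloc(1000 * 1024);   /* as in secret_func() */
        FILE *f = fopen("/proc/self/statm", "r");
        if (!f || !fgets(buf[i], sizeof buf[i], f)) { if (f) fclose(f); return -1; }
        fclose(f);
        lines[i] = buf[i];
    }
    return count_growth_steps(lines, 4, sysconf(_SC_PAGESIZE) / 1024, 1000);
}

int main(void)
{
    printf("constructed: %d steps, live: %d steps\n",
           count_growth_steps(SAMPLES, 5, 4, 1000), observe_self());
    return 0;
}
```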
Research contributions
Uncover a new class of storage side channel attacks against OS and networking stacks
Real-world security impact caused by OS design, firewall middleboxes and network stacks
Linux kernel
FreeBSD kernel
…
Research methodology
Measurement-based characterization
Identification of sensitive state
Identification of side channels
Attack defense
UI State
Known side-channels Source code analysis
Reverse engineering Source code analysis
Android GUI framework
OS component, Network policy, protocol behavior
Secret
Secret and side channels
Attack discovery
Vulnerability
Principle-driven
Outline
Background and methodology
Android UI state inference [USENIX SECURITY 14]
Off-path TCP sequence number inference
Firewall-middlebox-enabled attacks
Host-based attacks
Summary
Importance of GUI Security
GUI content confidentiality and integrity are critical for end-to-end security
UI spoofing in desktop/browsers¹
Screenshot capture on Android without privilege²
¹ Chen, Oakland’07
² ScreenMilker, NDSS’14
Android OS
Apps have no root privilege
App can request limited permissions (users have to agree)
Apps isolated from each other
Android Security Mechanism -- Isolation
Memory isolation
Android Security Mechanism -- Isolation
File system isolation
/data/data
/data/data/app1    drwx------ app1
/data/data/app2    drwx------ app2
Another Form of GUI Confidentiality Breach
A weaker form
UI state an app is in (e.g., login state) without knowing the exact pixels of the screen
Use UI state info for best timing
Serious security implications!
Tracking UI state!
Enabled Attack: UI State Hijacking
Hijack sensitive UI state to steal private input
Foreground: Background:
UI State 1
UI State 2
UI State 3
Wait for Login UI state
Inject the phishing Login UI state!
Exploit UI preemption
No glitches as we disable the animation + precise attack timing
Steal user name and password!
UI State Hijacking Attack Demo
Video demo: UI state hijacking attack steals your password in H&R Block app
Camera Peeking Attack Demo
UI State Leakage is Dangerous
Leads to both GUI integrity and confidentiality breaches
UI state information is not protected well
An unprivileged application can track another app’s UI states in real time
UI State Inference Attack
UI state: a mostly consistent UI at window level for certain functionality (e.g., log-in)
On Android: Activity (full-screen window)
Also called Activity inference attack
An unprivileged app can infer the foreground Activity in real time
Requires no permission
Underlying Causes
Android GUI framework design leaks UI state changes through a publicly-accessible side channel
A newly-discovered shared-memory side channel
Affects nearly all popular OSes
Attack General Steps
A single bit of information
Activity transition detection
Activity inference
UI state hijacking
Newly-discovered shared-memory side channel
Other side channels (e.g., CPU, network activity)
UI state based attacks:
Camera peeking
Shared-Memory Side Channel
Finding: shared virtual memory size changes are correlated with Android window events
[Figure: shared virtual memory size in the public file /proc/pid/statm. The size change is proportional to window size. Marked events: window pop-up, window close.]
Shared-Memory Side Channel
Root cause for this correlation
Window manager design in Android
For better UI drawing performance, Android uses shared memory as IPC
The changed size is the off-screen buffer size
The root cause is here
Confirmed that shared memory is used in GUI design for many OSes, including
Activity Transition Detection
Detect shared-memory size change pattern
Nice properties:
Clean channel
Unique patterns
Fixed (full screen)
Buffer allocation for the new Activity
Buffer deallocation for the previous Activity
Activity Signature Design
• Consists of various features
Content Provider feature
Network event feature
Input method feature
CPU utilization time feature
Activity 1 Activity 2
Evaluation Methodology
Implementation: ~2300 lines of C++ code compiled with Android NDK
Data collection: using automated Activity transition tool on Samsung Galaxy S3 devices with Android 4.2
Experimented on 7 popular Android apps:
Evaluation Results
Activity transition detection, for all apps
  Detection accuracy ≥ 96.5%
  FP and FN rates both ≤ 4%
Activity inference accuracy
  80–90% for 6 out of 7 popular apps
  Important features: CPU, network, transition model
Inference computation & delay
  Inference computation time: ≤ 10 ms
  Delay (Activity transition inference result): ≤ 1.3 sec
  Improved to ≤ 500 ms for faster and more seamless Activity hijacking
Power overhead
  2.2–6.0%
Status
  Working with Google now to fix the problem