WebAssembly-based microarchitectural covert channel attacks: capabilities, proof-of-concept, and implications (completed)

Starting Date: June 2020
Prerequisites: good programming skills
Will results be assigned to University:

WebAssembly-based microarchitectural covert channel attacks: capabilities, proof-of-concept, and implications

 

Microarchitectural covert channels are a threat to data confidentiality in multi-tenant environments (cloud platform, mobile phone, etc.). This type of leakage channel aims at tunnelling information across isolation boundaries (sandboxing, censorship, etc.) by exploiting timing variations during program execution. Indeed, the state of microarchitectural components (cache, memory bus, etc.) changes at runtime due to a program’s interaction with processor resources. These timing variations can be observed by a concurrent program running on the same hardware platform. These observation can in turn be used to infer binary values transmitted by the sending-end (see example algorithm below).

 

Sender Receiver
N: number of bits in send buffer

send: buffer containing bits to transmit

recv: buffer containing bits received

shared_ressource: microarchitectural element shared by the sender and the receiver (e.g. memory bus, memory controller, cache set, etc.)

threshold: limit between high and low memory access latency

for j = 0 : N

if send[ j ] == 1

Access( shared_ressource );

else

Sleep( );

end if

end for

for j = 0 : N

t = Probe( Access ( shared_ressource ) );

if t > threshold

recv[ j ] = 1;

else

recv[ j ] = 0;

end if

end for

 

Microarchitectural covert channels have shown to be able to leak information across virtual machines when the communicating entities (sender and receiver processes) are executed natively. In this configuration, the attack can be implemented in C, C++, or platform-specific assembly, making it trivial to manipulate hardware resources. However, very few works have addressed microarchitectural leakage channels using the browser as an attack vector. WebAssembly allows running native code inside the browser, offering the capabilities of C/C++ program independently of the platform’s hardware and operating system. The goal of this project is threefold:

 

  • Identify research gaps by realizing a literature review over web-based microarchitectural leakage channels
  • Design a proof-of-concept attack where the sending-end is written with WebAssembly, and propose alternative implementation strategies
  • Discuss countermeasures to mitigate the covert channel

 

Concretely, you are being asked to implement a cross-VM covert channel, where the sending-end is running in the victim’s browser, and the receiving-end is running either in the attacker’s browser or directly as a C/C++ native program in the attacker’s VM. The lab currently has a strong expertise in implementing cross-VM microarchitectural covert channel attacks. Your contribution lies in the usage of WebAssembly, and the background research. This project suits any candidate interested in cloud security, OWASP, or hardware/OS security. It requires the ability to write C or C++ code (see https://github.com/bsepage/mc2c.git). This project can lead to a co-authorship opportunity in a publication in an international conference. Note that this does not commit you to taking on an academic career, and that completing a project on a “hot topic” such as this one will significantly raise your profile as a security expert for industrial positions (pentest, security architecture, consulting, development, etc.).