Scribd
Upload
64 views51 pages

Unveiling Your Keystrokes

The document describes a cache-based side-channel attack on graphics libraries that can reveal a user's keystrokes. It discusses how an attacker can measure the timing of graphic rendering functions using a side-channel like the CPU cache to determine when text input is rendered on screen. It also addresses challenges like noise and discovering the side-channel by profiling how different letters are rendered across graphics libraries. The goal is to eavesdrop on sensitive text input like PINs and passwords.

Uploaded by

Prakash Chandra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
64 views51 pages

Unveiling Your Keystrokes

The document describes a cache-based side-channel attack on graphics libraries that can reveal a user's keystrokes. It discusses how an attacker can measure the timing of graphic rendering functions using a side-channel like the CPU cache to determine when text input is rendered on screen. It also addresses challenges like noise and discovering the side-channel by profiling how different letters are rendered across graphics libraries. The goal is to eavesdrop on sensitive text input like PINs and passwords.

Uploaded by

Prakash Chandra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 51

Unveiling your keystrokes: A

Cache-based Side-channel
Attack on Graphics Libraries
Daimeng Wang, Ajaya Neupane, Zhiyun Qian,
Nael Abu−Ghazaleh, Srikanth V. Krishnamurthy,
Edward J. M. Colbert † , Paul Yu‡
University of California Riverside, Virginia Tech † ,
U. S. Army Research Lab ‡
Introduction
Graphics is essential
Graphic rendering is complex
gdk, gtk, pixman, freetype, cairo, skia, hwui, …

2/26/2019 NDSS 2019 2


Introduction
Graphics is essential
Graphic rendering is complex
gdk, gtk, pixman, freetype, cairo, skia, hwui, …

0x53

2/26/2019 NDSS 2019 3


Example
static void D32_LCD32_Opaque(...) {
...
do {
blit_lcd32_opaque_row(dstRow, srcRow, color, width);
dstRow = (SkPMColor*)((char*)dstRow + dstRB);
srcRow = (const SkPMColor*)((const char*)srcRow + maskRB);
} while (--height != 0);
}

static void blit_lcd32_opaque_row(dst, src, color, width) {


...
for (int i = 0; i < width; i++) {
if (0 == src[i]) {
continue;
}
...
}
}

2/26/2019 NDSS 2019 4


Example
static void D32_LCD32_Opaque(...) {
...
do {
blit_lcd32_opaque_row(dstRow, srcRow, color, width);
dstRow = (SkPMColor*)((char*)dstRow + dstRB);
srcRow = (const SkPMColor*)((const char*)srcRow + maskRB);
} while (--height != 0);
}

static void blit_lcd32_opaque_row(dst, src, color, width) {


...
for (int i = 0; i < width; i++) {
if (0 == src[i]) {
continue;
}
...
}
}

2/26/2019 NDSS 2019 5


Exploiting the Side-channel
If an attacker can know when …
Text rendering procedure starts
Text rendering procedure ends
S

Render Render
Start Finish

2/26/2019 NDSS 2019 6


Potentially Vulnerable Apps

2/26/2019 NDSS 2019 7


Example: Onboard
Onscreen keyboard
Ubuntu 16.04

2/26/2019 NDSS 2019 8


Example: Onboard
Onscreen keyboard
Ubuntu 16.04

2/26/2019 NDSS 2019 9


Attack: Onboard

2/26/2019 NDSS 2019 10


Attack: Onboard

2/26/2019 NDSS 2019 11


Challenges
How to perform measurement?
Unprivileged attacker

Render Render
Start Finish

2/26/2019 NDSS 2019 12


Challenges
How to find start/end of rendering?
Millions of code. Multiple libraries.
Varies from application to application.

Render Render
Start Finish

2/26/2019 NDSS 2019 13


Challenges
Noise?
Victim’s noise
CPU cache, TLB, branch prediction, …
Attacker’s noise

Render Render
Start Finish

2/26/2019 NDSS 2019 14


Challenges
Perform measurement without privilege

Discover side-channel in graphic libraries

Noise-resistant key prediction

2/26/2019 NDSS 2019 15


Threat Model
Attacker’s goal
Eavesdrop sensitive text input that will be rendered on screen
PIN, passwd, etc

Attacker’s capabilities
Access to same model/version of victim’s hardware and graphic
libraries
Offline profiling
Launch unprivileged process alongside victim process
Online attack

2/26/2019 NDSS 2019 16


Performing Measurement

… …

libA.so

renderStart()

renderEnd() libA.so

renderStart()

renderEnd()
… …
2/26/2019 NDSS 2019 17
Performing Measurement
Physical Memory

… …

libA.so renderStart()

renderStart() renderEnd()

renderEnd() libA.so

renderStart()

renderEnd()
… …
2/26/2019 NDSS 2019 18
Performing Measurement
Physical Memory

… …

libA.so renderStart()

renderStart() renderEnd()

renderEnd() libA.so

renderStart()

renderEnd()
CPU LLC …

2/26/2019 NDSS 2019 19
Flush+Reload
Physical Memory

libA.so renderStart()

renderStart() renderEnd()

renderEnd() libA.so

renderStart()

renderEnd()
CPU LLC
… …
2/26/2019 NDSS 2019 20
Flush+Reload 𝑡𝑠𝑡𝑎𝑟𝑡
Physical Memory

libA.so renderStart()

renderStart() renderEnd()

renderEnd() libA.so

renderStart()

renderEnd()
CPU LLC
… …
2/26/2019 NDSS 2019 21
Flush+Reload 𝑡𝑠𝑡𝑎𝑟𝑡 𝑡𝑒𝑛𝑑
Physical Memory 𝑡𝑟𝑒𝑛𝑑𝑒𝑟 = 𝑡𝑒𝑛𝑑 − 𝑡𝑠𝑡𝑎𝑟𝑡


libA.so renderStart()

renderStart() renderEnd()

renderEnd() libA.so

renderStart()

renderEnd()
CPU LLC
… …
2/26/2019 NDSS 2019 22
Measurement Resolution
Onboard
~ 600ns per round
~ 350,000ns rendering

Render Render
Start Finish

2/26/2019 NDSS 2019 23


Side-channel Discovery
Instrument graphic libraries & collect victim trace

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

2/26/2019 NDSS 2019 24


Side-channel Discovery
Instrument graphic libraries & collect victim trace

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

2/26/2019 NDSS 2019 25


Side-channel Discovery
Instrument graphic libraries & collect victim trace

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

2/26/2019 NDSS 2019 26


Side-channel Discovery
Instrument graphic libraries & collect victim trace

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

2/26/2019 NDSS 2019 27


Side-channel Discovery
Instrument graphic libraries & collect victim trace

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

2/26/2019 NDSS 2019 28


Side-channel Discovery
Instrument graphic libraries & collect victim trace

a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
a
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5
b
𝑎0 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5

2/26/2019 NDSS 2019 29


Side-channel Discovery
Select pairs of addresses 𝑎𝑥 , 𝑎𝑦 > 6 million pairs

𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is long enough for flush+reload to measure


𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is stable across the same input
𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 has high information gain ~1000 pairs
𝑎𝑥 , 𝑎𝑦 not affected by cache architecture

2/26/2019 NDSS 2019 30


Side-channel Discovery
Select pairs of addresses 𝑎𝑥 , 𝑎𝑦 > 6 million pairs

𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is long enough for flush+reload to measure


𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 is stable across the same input
𝑑𝑖𝑠𝑡 𝑎𝑥 , 𝑎𝑦 has high information gain ~1000 pairs
𝑎𝑥 , 𝑎𝑦 not affected by cache architecture

Sanity Check: Run attack offline


Filter out addressed affected system noise <100 pairs
Filter out addressed affected by instrumentation

2/26/2019 NDSS 2019 31


Keypress Prediction
Machine Learning Model Construction
Collect measurements for all different user inputs
Random Forest with 100 estimators
s:0.70, a:0.15
n:0.12, m:0.03

Keypress Prediction
Classify measurement with confidence

2/26/2019 NDSS 2019 32


Challenges
Perform measurement without privilege

Discover side-channel in graphic libraries

Noise-resistant key prediction

2/26/2019 NDSS 2019 33


Attack 1: Onboard
Ubuntu 16.04, Intel Core i7-4770
# Address Library Function
1 0x75a40 libcairo.so _cairo_surface_create_scratch
0x69e40 libcairo.so _cairo_scaled_font_map_lock
2 0x69e40 libcairo.so _cairo_scaled_font_map_lock
0x41f40 libcairo.so _cairo_intern_string
3 0x24440 libcairo.so _cairo_clip_copy_with_translation
0xbe000 libcairo.so _cairo_ft_unscaled_font_lock_face
4 0x6b900 libcairo.so _cairo_path_fixed_approximate_stroke_extents
0x41700 libcairo.so _intern_string_pluc
5 0x6a5c0 libcairo.so _cairo_scaled_font_thaw_cache
0x41700 libcairo.so _intern_string_pluc

2/26/2019 NDSS 2019 34


Attack 1: Onboard
Single keypress prediction

2/26/2019 NDSS 2019 35


Attack 1: Onboard
Single keypress prediction
Augment 1: Multiple logins

2/26/2019 NDSS 2019 36


Attack 1: Onboard
Single keypress prediction
Augment 1: Multiple logins

2/26/2019 NDSS 2019 37


Attack 1: Onboard
Single keypress prediction
Augment 1: Multiple logins
Augment 2: Dictionary

2/26/2019 NDSS 2019 38


Attack 2: Capital One
Huawei Nexus 6P. Android 8.0
Flush+reload => Evict+reload
Resolution 20x lower than Intel

2/26/2019 NDSS 2019 39


Attack 2: Capital One
Huawei Nexus 6P. Android 8.0
Flush+reload => Evict+reload
Resolution 20x lower than Intel

2/26/2019 NDSS 2019 40


Attack 2: Capital One
Huawei Nexus 6P. Android 8.0
Flush+reload => Evict+reload
Resolution 20x lower than Intel

2/26/2019 NDSS 2019 41


Attack 2: Capital One
Huawei Nexus 6P. Android 8.0
Flush+reload => Evict+reload
Resolution 20x lower than Intel
Pre-render triggered only once
# Library Function
1 libskia.so SkScalerContext_FreeType_Base
::generateGlyphImage
libskia.so SkMask::getAddr
2 libskia.so SkGlyph::computeImageSize
libskia.so SkAAClipBlitter::~SkAAClipBlitter

2/26/2019 NDSS 2019 42


Attack 2: CapitalOne
Augment 1: 10 logins

2/26/2019 NDSS 2019 43


Attack 2: CapitalOne
Augment 1: 10 logins

2/26/2019 NDSS 2019 44


Attack 2: CapitalOne
Augment 1: 10 logins
Augment 2: Dictionary

2/26/2019 NDSS 2019 45


Other Apps

2/26/2019 NDSS 2019 46


Discussion
Measurement challenge
Measurement resolution
Extensions
Mitigations

2/26/2019 NDSS 2019 47


Discussion
Measurement challenge
Extensions
Inter-keystroke timing
Combining with other side-channels
Examine other libraries
Mitigations

2/26/2019 NDSS 2019 48


Discussion
Measurement challenge
Extensions
Mitigations
Prevent flush+reload
Constant-time rendering

2/26/2019 NDSS 2019 49


Conclusion
Effective execution time measurement

Exposing side-channels in graphics libraries

Evaluations on real-world applications

Acknowledgement
U.S. Army Research Laboratory Cyber Security Collaborative
Research Alliance

2/26/2019 NDSS 2019 50


Thanks!
Q&A

You might also like