Secure computers aren't so secure

Even well-defended computers can leak shocking amounts of private data. MIT researchers seek out exotic attacks in order to shut them down.

You may update your antivirus software religiously, immediately download all new Windows security patches, and refuse to click any e-mail links ostensibly sent by your bank, but even if your computer is running exactly the way it’s supposed to, a motivated attacker can still glean a shocking amount of private information from it. The time it takes to store data in memory, fluctuations in , even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Lab’s Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them.

In 2005, Eran Tromer, now a postdoc at CIS, and colleagues at the Weizmann Institute in Rehovot, Israel, showed that without any breach of security in the ordinary sense, a seemingly harmless computer program could eavesdrop on other programs and steal the type of secret cryptographic key used by one of the most common Internet encryption schemes. Armed with the key, an attacker could steal a computer user’s credit card number, bank account password – whatever the encryption scheme was invoked to protect.

Computer operating systems are supposed to prevent any given program from looking at the data stored by another. But when two programs are running at the same time, they sometimes end up sharing the same cache – a small allotment of high-speed memory where the operating system stores frequently used information. Tromer and his colleagues showed that simply by measuring how long it took to store data at a number of different cache locations, a could determine how frequently a cryptographic system was using those same locations. “The memory access patterns – that is, which memory addresses are accessed – are heavily influenced by the specific secret key being used in that operation,” Tromer says. “We demonstrated a concise and efficient procedure for learning the secret keys given just this crude information about the memory access patterns.” Complete extraction of the private key, Tromer says, “takes merely seconds, and the measurements that are needed, of the actual cryptographic process being attacked, can be carried out in milliseconds.”

The encryption system that Tromer was attacking, called AES, was particularly vulnerable because it used tables of precalculated values as a computational short cut, so that encoding and decoding messages wouldn’t be prohibitively time consuming. Since Tromer and his colleagues published their results, Intel has added hardware support for AES to its chips, so that Internet encryption software won’t have to rely on such “lookup tables.”
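An added illustration (not from the article or the researchers' code) of why a lookup indexed by secret data leaves a key-dependent memory access pattern, next to a lookup that reads the whole table. The table contents, the 64-byte cache line and all function names are assumptions; the model only records which lines are read and measures no timing.

```c
#include <stdint.h>
#include <stdio.h>

#define ENTRIES 256
#define PER_LINE 16  /* assumption: 64-byte cache line, 4-byte entries */

static uint32_t table[ENTRIES];  /* constructed stand-in, not real AES tables */

void init_table(void) {
    for (uint32_t i = 0; i < ENTRIES; i++) table[i] = i * 2654435761u;
}

/* Table-driven style: one read at index pt ^ key, so the cache line touched
 * depends on the secret key byte. *lines is a bitmask of lines read. */
uint32_t lookup_direct(uint8_t pt, uint8_t key, uint16_t *lines) {
    uint8_t idx = pt ^ key;
    *lines |= (uint16_t)(1u << (idx / PER_LINE));
    return table[idx];
}

/* Hardened style: read every entry and keep the wanted one with a
 * branch-free mask, so the lines touched are identical for every key. */
uint32_t lookup_scan(uint8_t pt, uint8_t key, uint16_t *lines) {
    uint32_t idx = (uint8_t)(pt ^ key), out = 0;
    for (uint32_t i = 0; i < ENTRIES; i++) {
        uint32_t mask = 0u - (((i ^ idx) - 1u) >> 31); /* all ones iff i == idx */
        *lines |= (uint16_t)(1u << (i / PER_LINE));
        out |= table[i] & mask;
    }
    return out;
}

typedef uint32_t (*lookup_fn)(uint8_t, uint8_t, uint16_t *);

/* Lines touched while processing the same inputs under a given key byte. */
uint16_t footprint(lookup_fn fn, uint8_t key) {
    static const uint8_t pts[] = {0x00, 0x01, 0x02};  /* constructed inputs */
    uint16_t lines = 0;
    for (size_t i = 0; i < sizeof pts; i++) (void)fn(pts[i], key, &lines);
    return lines;
}

int main(void) {
    init_table();
    printf("direct: key 0x00 -> %04x, key 0xf0 -> %04x\n",
           footprint(lookup_direct, 0x00), footprint(lookup_direct, 0xf0));
    printf("scan:   key 0x00 -> %04x, key 0xf0 -> %04x\n",
           footprint(lookup_scan, 0x00), footprint(lookup_scan, 0xf0));
    return 0;
}
```

The direct lookup's footprint changes with the key byte while the scanning lookup's does not, at the cost of reading all 256 entries per lookup.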

In a statement, Intel told the MIT News Office that its decision “was mainly motivated by the performance/efficiency benefits achieved,” but that “in addition, there is a potential security benefit since these new instructions can mitigate the possibility of software side channel attacks on AES that have been described in research papers, including those discovered by Tromer, Percival, and Bernstein.”

“I think it’s fair to say that it’s a direct response to the cache-timing attacks against AES,” Pankaj Rohatgi, director of hardware security at the data security firm Cryptography Research, says of Intel’s move.

Together with CIS cofounder Ron Rivest and CSAIL’s Saman Amarasinghe, Tromer is trying to develop further techniques for thwarting cache attacks by disrupting the correlations between keys and memory access patterns. A couple weeks ago, at the Association for Computing Machinery’s Symposium on Principles, the researchers announced that they had a “proof-of-concept prototype” of a defense system, but they plan to continue testing and refining it before publishing any papers.

Tromer has also been investigating whether cloud computing – the subcontracting of computational tasks to networked servers maintained by companies like Amazon and Google – is susceptible to cache attacks. Many web sites rely on cloud computing to handle sudden surges in their popularity: renting added server space for a few hours at a time can be much cheaper than maintaining large banks of proprietary servers that frequently stand idle.

The word “cloud” is supposed to suggest that this vast agglomeration of computing power is amorphous and constantly shifting, but Tromer and colleagues at the University of California, San Diego, were able to load their eavesdropping software onto precisely the same servers that were hosting websites they’d targeted in advance. In part, their approach involved spreading their software across a number of servers, then assailing a targeted website with traffic. By spying on the caches of the servers hosting their software, they could determine which were also trying to keep pace with their fake traffic spikes. Once they’d identified the target site’s servers, they could use cache monitoring to try to steal secrets.

“Imagine a stock broker that specializes in a specific company,” Tromer says. “If you observe that his virtual machine is particularly active, that could be valuable information. Or you may want to know how popular your competitors’ website is. We’ve actually demonstrated that we can very robustly estimate web server popularity.”

“This has sparked the imagination of both the research community and industry,” Rohatgi says. “I interact with a lot of people in industry, and when they say, ‘Give me the technical basis for this,’ I point to [Tromer and colleagues’] papers.”

Finally, Tromer is continuing work he began as a graduate student, on the use of a “hundred-dollar commodity microphone” to record the very sounds emitted by a computer and analyze them for information about cryptographic keys. So far, Tromer hasn’t been able to demonstrate complete key extraction, but he believes he’s getting close.

Any information at all about a ’s internal workings “is actually fairly damaging,” Rohatgi says. “In some sense, some of these cryptographic algorithms are fairly brittle, and with a little extra information, you can break them.”

Provided by Massachusetts Institute of Technology

Citation: Secure computers aren't so secure (2009, October 30) retrieved 11 July 2025 from /news/2009-10-secure-computers-arent-so.html