It’s been some time since the explosion of awareness in 2019, but side-channel attack prevention remains an important part of cybersecurity. Bizarre approaches to information theft, side-channel attacks undermined both AMD’s and Intel’s CPU designs, and the vulnerabilities proved to be serious enough that companies would rather have their customers run on insecure hardware. , chose to deploy a performance-degrading patch. now, A new MIT framework named Metior It aims to improve the world’s ability to better understand side-channel attacks and possibly improve how to defend against them.
Metior is an analytics framework Built by the Massachusetts Institute of Technology, it aims to simplify hardware and software design frameworks and improve defenses against known (and unknown) side-channel attacks. Essentially, Metior allows engineers to quantitatively assess how much information an attacker can steal with a given side-channel attack.
This is essentially a simulation sandbox, allowing chip designers and other engineers to find combinations of defenses that maximize protection against side-channel attacks, depending on the use case. Since the amount of information stolen can be quantitatively measured, the impact of being stolen can be calculated (depending on system, program, and all other variables). This means you can decide to build in protection from the most impactful types of attacks. .
By noting the underlying problem (that side-channel attacks are enabled by simple manipulation of computer systems, that hardware mitigations are costly and not necessarily redundant), MIT We have successfully matched an equivalent set of design rules.
These design rules aim to maximize hardware-level defenses against various side-channel attack techniques while also trying to emulate them for better understanding. This is in contrast to the somewhat haphazard defenses employed by companies (such as Intel) whose products are vulnerable to side-channel attacks. To be fair, its approach of providing hardware mitigations against certain side-channel attack vectors was necessary to stem the trust erosion caused by being vulnerable to exploits in the first place. . But these solutions are like bandaging an open wound and cost too much in performance (such as 35% for certain Spectre-v2 vulnerabilities), the side-channel defense needs something more robust and multifaceted.
Conversation with SciTechDailyPeter Deutsch, a graduate student, Open access paper on Metiorexplains. “Metior helps us realize that these security schemes should not be considered in isolation. Analyzing the effectiveness of obfuscation schemes against a particular victim is very tempting, but It doesn’t help us understand why these attacks work.” He said. “By looking at things from a higher level, you get a more holistic view of what is really going on.” he concluded.
Side-channel attacks are a particularly superstitious type. Through side-channel attacks, an attacker does not even need access to a particular application’s logic to steal information, but simply observe its behavior. How long did it take to access the computer’s memory? How deep was that flash of memory? Also, remember that this happens in various components within your PC. Even GPUs are vulnerable to this kind of attack.
It’s almost like putting your finger on your wrist and feeling your pulse. You know your heart rate, but you’re estimating it from other sources. You don’t need to look inside your vessel (heart, body) or see your blood flow directly. Side-channel attacks generally work in the same way. Attackers can steal valuable information simply by observing the traffic and flow at key moments in a particular program’s behavior.
You can imagine how difficult and expensive it would be to hide someone’s heartbeat or whatever. That’s part of the difficulty in protecting against side-channel attacks. However, protection from these data-stealing attacks is usually ensured through obfuscation by hiding the equivalent of a computer system’s pulses (information passed between memory and CPU).
So, for example, if a side-channel attack is looking for patterns in memory accesses, one way to obfuscate it is to change the way your program accesses memory. Letting the program fetch or flush and cache other unnecessary memory bits. More information cycles…it could be anything. The goal is simply to interrupt a predictable bitstream that gives the side-channel attacker the information he needs.
This is difficult and cost effective. Security is achieved by actively “scrambling” the information that continues to be generated and leaked simply by running the program itself. Also, there are development costs. Because most of these “organic” computing signal scrambling techniques require other extra operations to be performed in order to “obfuscate” the actual pattern the attacker is looking for. is. Anything in computing that costs energy and compute cycles will ultimately hurt performance.
“Development of any kind of microprocessor is very expensive and complex, and design resources are very scarce. It’s very important that you do that, and that’s something that Metior allows you to do in a very generic way.” Emel says.
And in a very general sense, it is also what every living thing and organization on Earth wants to achieve. It’s not about working harder, it’s about working smarter.