CRII: SaTC: Securing Internet of Things Against Cache-based Attacks

CRII：SaTC：保护物联网免受基于缓存的攻击

• 批准号: 1948175
• 负责人: Ziming Zhao
• 金额: $ 17.22万
• 依托单位: Rochester Institute of Tech
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2020-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1948175&HistoricalAwards=false
• 关键词: CRII; SaTC; Securing; Internet; Things

The Internet of Things (IoT) is has fast become an integral part of everyday life. IoT devices ranging from insulin pumps, smart home devices, and driverless cars, to energy delivery systems are vastly improving the quality of life. Many of these devices use processors based on the ARM architecture. While decades of research and deployment have successfully reduced the attack surface of memory corruptions, a new attack surface, the CPU caches, has emerged. This project advances the frontiers of knowledge in defeating cache-based attacks on IoT systems that are based on ARM processors. In particular, the project will develop software mitigation to defeat the destructive cache side-channel attacks and cache resident malware. It integrates a comprehensive education plan with the research to train the next generation workforce in cybersecurity.This project consists of two complementary tasks, which can be deployed in tandem to provide comprehensive cache-based attack mitigation in IoT systems. First, the project develops software mitigation for all-level cache side-channel attacks. While software mitigation for cache side-channel attacks in cloud scenarios focus on last-level cache, novel attacks on L1 cache can also break the security guarantees of IoT systems. Based on the observation that the key to defending against all-level cache side-channel attacks is to take away attackers' ability to tell timing differences between used and unused data, this project develops new techniques to ensure a private space for each process by reserving the L1 cache for a sensitive operation’s exclusive use. Second, this project develops asynchronous cache resident malware mitigation to increase the performance and responsiveness of applications. Existing approaches in cache malware mitigation are slow because they are synchronous and the application requesting service will be suspended. This project divides an inspection task into two halves: one is urgent and not interruptible; the other is lengthy but interruptible. The longer half can be executed on another CPU core or can use deferred execution thus increasing the execution efficiency of the inspection task as a whole.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

物联网（IoT）已迅速成为日常生活中不可或缺的一部分。从胰岛素泵、智能家居设备、无人驾驶汽车到能源输送系统，物联网设备正在极大地改善生活质量。这些设备中的许多使用基于ARM架构的处理器。虽然数十年的研究和部署已经成功地减少了内存损坏的攻击面，但一种新的攻击面-CPU缓存已经出现。该项目推进了在基于ARM处理器的物联网系统上击败基于缓存的攻击的知识前沿。特别是，该项目将开发软件缓解措施，以击败破坏性的缓存侧通道攻击和缓存驻留恶意软件。它将全面的教育计划与研究相结合，以培训下一代网络安全工作人员。该项目包括两个互补的任务，可以协同部署，以在物联网系统中提供全面的基于缓存的攻击缓解。首先，该项目为所有级别的缓存侧信道攻击开发软件缓解。虽然云场景中缓存侧通道攻击的软件缓解主要集中在最后一级缓存上，但对L1缓存的新型攻击也可能破坏物联网系统的安全保证。基于这样的观察，即防御所有级别缓存侧信道攻击的关键是剥夺攻击者区分使用和未使用数据之间的时间差异的能力，该项目开发了新技术，通过保留L1缓存以供敏感操作专用，来确保每个进程的私有空间。其次，该项目开发异步缓存驻留恶意软件缓解，以提高应用程序的性能和响应能力。缓存恶意软件缓解中的现有方法是缓慢的，因为它们是同步的，并且请求服务的应用程序将被挂起。该项目将检查任务分为两部分：一部分是紧急的，不可中断的;另一部分是漫长的，但可中断的。较长的一半可以在另一个CPU核心上执行，也可以使用延迟执行，从而提高整个检测任务的执行效率。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。