Secure Computer Systems Final Project

Secure Computer Systems Final Project

This project is to implement a protection mechanism against the Prime+Probe attack. There are two parts to this project. First is the show-case of attempted Prime+Probe attack on a x86_64 Linux system with/without the protection in place. Second part is to implement this protection into a real-world production encryption library and see what the performance impact is.

The protection mechanism is to artificially increase the noise of a Spectre-type memory side-channel attack without compromising ANY functionality or performance. To do this, the program would first to be able to run on multiple threads. If the program can multi-thread, then by running many threads on the same physical core, the noise of a Spectre attack would be dramatically increased, thus providing protection against Prime+Probe attack.

The next part is showing the worst case scenario of a Prime+Probe attack. And how this protection method can help.

The Worse Case Scenario Prime+Probe Attack

The highlighted columns are the sets each vault is running on.

Performance of Multi-Threaded Encryption Program (ChaCha20) Using This Protection Mechanism

Due to the nature of the ChaCha20 algorithm, it is able to encrypt on arbitrary number of threads. I implemented the encryption algorithm used in this command line program; thus it is easier to implement this protection method.

The expectation is that using the protection method described above, the performance of the encryption program will not be affected than the single thread performance.

The multi-threading mechanism is rewritten to be able to run all threads on a chosen physical core on Linux. This graph below is the performance of the encryption program running on 1 to 30 threads of both normal multi-threading and all threads on the same core.

Line 401 of cc20_multi.cpp in source. The worker threads can run on a specific thread.

... 
void Cc20::worker::multi_enc_pthrd() {
  size_t tracker = 0; 

#ifdef __linux__
  if (coreId!=-1) {
    // Set the affinity of the thread to the specified core
    cpu_set_t cpuSet;
    CPU_ZERO(&cpuSet);
    CPU_SET(coreId, &cpuSet);
    pthread_setaffinity_np(pthread_self(), sizeof(cpu_set_t), &cpuSet);
  }
#endif // __linux__
...

enc_output.png

htop_screen_shot.jpg

Related