CRII: SaTC: Securing Internet of Things Against Cache-based Attacks

CRII：SaTC：保护物联网免受基于缓存的攻击

• 批准号: 1948175
• 负责人: Ziming Zhao
• 金额: $ 17.22万
• 依托单位: Rochester Institute of Tech
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2020-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1948175&HistoricalAwards=false
• 关键词: CRII; SaTC; Securing; Internet; Things

The Internet of Things (IoT) is has fast become an integral part of everyday life. IoT devices ranging from insulin pumps, smart home devices, and driverless cars, to energy delivery systems are vastly improving the quality of life. Many of these devices use processors based on the ARM architecture. While decades of research and deployment have successfully reduced the attack surface of memory corruptions, a new attack surface, the CPU caches, has emerged. This project advances the frontiers of knowledge in defeating cache-based attacks on IoT systems that are based on ARM processors. In particular, the project will develop software mitigation to defeat the destructive cache side-channel attacks and cache resident malware. It integrates a comprehensive education plan with the research to train the next generation workforce in cybersecurity.This project consists of two complementary tasks, which can be deployed in tandem to provide comprehensive cache-based attack mitigation in IoT systems. First, the project develops software mitigation for all-level cache side-channel attacks. While software mitigation for cache side-channel attacks in cloud scenarios focus on last-level cache, novel attacks on L1 cache can also break the security guarantees of IoT systems. Based on the observation that the key to defending against all-level cache side-channel attacks is to take away attackers' ability to tell timing differences between used and unused data, this project develops new techniques to ensure a private space for each process by reserving the L1 cache for a sensitive operation’s exclusive use. Second, this project develops asynchronous cache resident malware mitigation to increase the performance and responsiveness of applications. Existing approaches in cache malware mitigation are slow because they are synchronous and the application requesting service will be suspended. This project divides an inspection task into two halves: one is urgent and not interruptible; the other is lengthy but interruptible. The longer half can be executed on another CPU core or can use deferred execution thus increasing the execution efficiency of the inspection task as a whole.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

物联网（物联网）已经快速成为日常生活中不可或缺的一部分。物联网设备从胰岛素泵，智能家居设备和无人驾驶汽车到能源输送系统，都极大地改善了生活质量。这些设备中的许多设备都基于ARM架构使用处理器。尽管数十年的研究和部署已成功地减少了记忆损坏的攻击表面，但出现了新的攻击表面，即CPU缓存。该项目在击败基于基于ARM处理器的物联网系统的攻击方面了解了了解的前沿。特别是，该项目将开发软件缓解措施，以打败破坏性的高速缓存侧通道攻击和缓存居民恶意软件。它将一项综合教育计划与研究融合，以在网络安全方面培训下一代劳动力。该项目由两个完整的任务组成，可以同时部署这些任务，以在物联网系统中提供全面的基于缓存的攻击缓解。首先，项目开发软件缓解全级高速缓存侧通道攻击。尽管云场景中的缓存侧通道攻击的软件缓解量重点介绍了最后级别的缓存，但对L1缓存的新颖攻击也可以破坏物联网系统的安全保证。基于这样的观察，即防御全级高速缓存侧通道攻击的关键是消除攻击者在使用和未使用的数据之间说出时间差异的能力，该项目开发了新技术，以通过预留L1 CACHE为敏感操作的独家使用来确保每个过程的私人空间。其次，该项目开发出异步的缓存居民恶意软件缓解措施，以提高应用程序的性能和响应能力。缓存恶意软件缓解措施的现有方法很慢，因为它们是同步的，并且申请请求服务将被暂停。该项目将检查任务划分为两半：一个是紧急的，不可中断；另一个是冗长但可中断的。较长的一半可以在另一个CPU核心上执行，也可以使用递延执行，从而提高检查任务的执行效率整体。该奖项反映了NSF的法定任务，并被认为是通过基金会的智力优点和更广泛的影响来通过评估来获得的支持。