Proceedings on Privacy Enhancing Technologies 2014; 1 (11):1–16 Gorka Irazoqui, Mehmet Sinan İncİ, Thomas Eisenbarth, and Berk Sunar Know Thy Neighbor: Crypto Library Detection in Cloud Abstract: Software updates and security patches have mid scale companies such as Dropbox1 leverage the become a standard method to fix known and recently ability to outsource and scale computational needs to discovered security vulnerabilities in deployed software. cloud service providers (CSPs) such as Amazon AWS2 In server applications, outdated cryptographic libraries or Google Compute Engine. Other companies may build allow adversaries to exploit weaknesses and launch at- their computational infrastructure in the form of private tacks with significant security results. The proposed clouds, harnessing cost savings from resource sharing technique exploits leakages at the hardware level to and centralized resource management within the com- first, determine if a specific cryptographic library is run- pany. ning inside (or not) a co-located virtual machine (VM) Nevertheless, one of the main concerns that is slow- and second to discover the IP of the co-located target. ing the widespread usage of such Infrastructure as a To this end, we use a Flush+Reload cache side-channel Service (IaaS) technologies are potential security vul- technique to measure the time it takes to call (load) nerabilities and privacy risks of cloud computing. Usu- a cryptographic library function. Shorter loading times ally, CSPs employ virtual machines (VMs), allowing are indicative of the library already residing in mem- multiple tenants to share the same computing hard- ory and shared by the VM manager through dedupli- ware. While this resource sharing maximizes utilization cation. We demonstrate the viability of the proposed and hence drastically reduces cost, ensuring isolation technique by detecting and distinguishing various cryp- of potentially sensitive data between VMs instantiated tographic libraries, including MatrixSSL, PolarSSL, by different and untrusted tenants can be a challenge. GnuTLS, OpenSSL and CyaSSL along with the IP of the Indeed, the main security principle in the design and VM running these libraries. In addition, we show how implementation of virtual machine managers (VMMs) to differentiate between various versions of libraries to has been that of process and data isolation achieved better select an attack target as well as the applica- through sandboxing. Although logical isolation ensures ble exploit. Our experiments show a complete attack security at the software level, a malicious tenant might setup scenario with single-trial success rates of up to still extract private information due to leakage coming 90% under light load and up to 50% under heavy load from side channels such as shared hardware resources. for libraries running in KVM. In short, hardware sharing create an opening for vari- ous side channel attacks developed for non-virtualized Keywords: Cryptographic Libraries, Cross-VM attacks, environments. These powerful attacks are capable of ex- Virtualization, Deduplication tracting sensitive information, e.g. passwords and pri- vate keys, by profiling the victim process. ignoring leak- ages of information through subtle side-channels shared 1 Motivation by the processes running on the same physical hardware. In non-virtualized environments, a number of effective side-channel attacks were proposed that succeeded in Cloud computing has become a major building block in extracting sensitive data by targeting the software layer today’s computing infrastructure. Many start-up and only. As early as in 2003, D. Brumley and Boneh [22] demonstrated timing side-channel vulnerabilities in Gorka Irazoqui: Worcester Polytechnic Institute, E-mail: [email protected] OpenSSL 0.9.7 [44], in the context of sandboxed exe- Mehmet Sinan İncİ: Worcester Polytechnic Institute, E- cution in VMMs. The study recovers RSA private keys mail: [email protected] Thomas Eisenbarth: Worcester Polytechnic Institute, E- mail: [email protected] Berk Sunar: Worcester Polytechnic Institute, E-mail: 1 Dropbox grew from nil to an astounding 175 million users [email protected] from 2007 to 2013 [3]. 2 Amazon AWS generated $3.8 billion revenue in 2013 [1]. Know Thy Neighbor: Crypto Library Detection in Cloud 2 from an OpenSSL-based web server when victim and at- to mitigate these new attacks. It should be noted that tacker run in the same processor. Symmetric cryptog- side channel attacks are just one more threat to cryp- raphy is another popular target of side channel attacks, tographic libraries from a long list of vulnerabilities re- as demonstrated in 2005 by Bernstein [17] (and later gardless of whether the library is executed in VMs or in [20, 28, 36]). He was able to recover an AES key due natively. Therefore, it is crucial to use the most recent to micro-architectural timing variations in the cache. version of the cryptographic libraries where most of the Time leakage in branch prediction units give rise to discovered vulnerabilities have been already mitigated another class of side channel attacks as demonstrated via series of patches. Using an outdated cryptographic by Acıiçmez et al. where the authors exploited key library renders the server vulnerable with potentially dependent branches in a RSA computation of Open- devastating consequences. Good examples of recently SSL [13–15]. Recently B.B. Brumley and Tuveri [21] outdated cryptographic libraries are the ones suscep- demonstrated that the ladder computation in the pop- tible to Lucky Thirteen and the infamous Heartbleed ular ECDSA implementation of OpenSSL 0.9.8o is vul- attacks. In 2013, AlFardan et al. discovered that most nerable to timing attacks by extracting the private key cryptographic libraries were vulnerable to a padding or- used in a TLS handshake. acle attack that they named Lucky 13 attack [27]. The Until fairly recently, the common belief was that attack was able to recover the messages sent in TLS con- side-channel attacks were not realistic in the cloud set- nections by just looking at the time difference caused ting due to the level of access required to the cloud by invalid padding in digest operations. Although they server, e.g. control of process execution and more specif- showed only results in OpenSSL and GnuTLS, most of ically the difficulty in co-locating the attack process on the cryptographic libraries were affected by it. Patches the machine executing the victim’s process. This belief were released immediately by library developers. But us- was overturned in 2009 by Ristenpart et al. [39] who ing a non-patched version of any of these libraries would demonstrated that it is possible to solve the co-residency still leave the door open to this MEE attack. problem and extract sensitive data across VMs. Using In 2014, Neel Mehta from the Google security team the Amazon Elastic Compute Cloud (EC2) service as discovered a dangerous security bug called the Heart- a case study, Ristenpart et al. demonstrated that it is bleed bug in the popular OpenSSL cryptographic li- possible to identify when an attacker VM is co-located brary [4]. In a nutshell, the Heartbleed vulnerability on the same server with a potential victim and therefore allows a malicious attacker to read more data in the using the same hardware as the attacker VM. The work victim’s memory than it should, exposing sensitive in- further shows that—once co-located—cache contention formation like secret keys. The attack quickly became between the VMs can be exploited to recover key strokes popular in the media, and caused grave concern among across VM boundaries. By solving the co-location prob- security researchers for such a simple yet severe vulner- lem, this initial result fueled further research in Cross- ability to go undetected for many years. The cybersecu- VM side-channel attacks. Zhang et al. [53] utilized a rity columnist Joseph Steinberg argued that the Heart- cache side channel attack implemented across Xen VMs bleed bug is the worst vulnerability found since com- to recover an ElGamal decryption key from a victim mercial traffic began to flow on internet. Indeed, 17% of VM. The authors applied a hidden Markov model to supposedly secure web servers were found to be vulner- process the noisy but high-resolution information across able to the attack. Soon after instances of Heartbleed VMs. Shortly thereafter, Yarom and Falkner showed attack were discovered in the wild. For instance, the in [51] that RSA is also vulnerable, as well as ECDSA, Canada Revenue Agency reported the theft of 900 so- as shown by Yarom and Benger in [50]. Both attacks use cial security numbers [23]. Most of the websites patched the Flush+Reload technique that exploits the shared L3 the bug within days of its release, but it remains unclear cache. It is important to note that since the L3 cache is whether the vulnerability has been exploited before its shared among cores, the attack works even if the victim public announcement. It is believed that some attack- and the attack processes are located on different cores. ers might have been exploiting the vulnerability for five At the system level, another significant consequence months before Mehta’s discovery. of these new high resolution cache attacks is that they The Heartbleed vulnerability presents a striking ex- exposed new vulnerabilities in popular cryptographic li- ample on the severe consequences of using an outdated braries such as OpenSSL, which were previously consid- cryptographic library and a striking example of how ered secure. This forced the cryptographic library devel- people ignore up-to-date software. One month after the opers to fix their implementations and release patches Heartbleed bug was discovered, 300k of 600k systems Know Thy Neighbor: Crypto Library Detection in Cloud 3 were patched [43]. But the month after that only 9k – Our results imply that a co-located VM can discover additional systems were patched leaving the remaining use of outdated vulnerable versions of a library; 300k systems still vulnerable.