I Know What You Sync: Covert and Side Channel Attacks on File Systems via syncfs
- URL: http://arxiv.org/abs/2411.10883v1
- Date: Sat, 16 Nov 2024 20:40:08 GMT
- Title: I Know What You Sync: Covert and Side Channel Attacks on File Systems via syncfs
- Authors: Cheng Gu, Yicheng Zhang, Nael Abu-Ghazaleh
- Abstract summary: We show new types of side channels through the file system that break logical isolation.
The file system plays a critical role in the operating system, managing all I/O activities between the application layer and the physical storage device.
We construct three side-channel attacks targeting both Linux and Android devices.
- Score: 5.556839719025154
- Abstract: Operating Systems enforce logical isolation using abstractions such as processes, containers, and isolation technologies to protect a system from malicious or buggy code. In this paper, we show new types of side channels through the file system that break this logical isolation. The file system plays a critical role in the operating system, managing all I/O activities between the application layer and the physical storage device. We observe that the file system implementation is shared, leading to timing leakage when using common I/O system calls. Specifically, we found that modern operating systems take advantage of any flush operation (which saves cached blocks in memory to the SSD or disk) to flush all of the I/O buffers, even those used by other isolation domains. Thus, by measuring the delay of syncfs, the attacker can infer the I/O behavior of victim programs. We then demonstrate a syncfs covert channel attack on multiple file systems, including both Linux native file systems and the Windows file system, achieving a maximum bandwidth of 5 Kbps with an error rate of 0.15% on Linux and 7.6 Kbps with an error rate of 1.9% on Windows. In addition, we construct three side-channel attacks targeting both Linux and Android devices. On Linux devices, we implement a website fingerprinting attack and a video fingerprinting attack by tracking the write patterns of temporary buffering files. On Android devices, we design an application fingerprinting attack that leaks application write patterns during boot-up. The attacks achieve over 90% F1 score, precision, and recall. Finally, we demonstrate that these attacks can be exploited across containers implementing a container detection technique and a cross-container covert channel attack.
Related papers
- MeMoir: A Software-Driven Covert Channel based on Memory Usage [7.424928818440549]
MeMoir is a novel software-driven covert channel that, for the first time, utilizes memory usage as the medium for the channel.
We implement a machine learning-based detector that can predict whether an attack is present in the system with an accuracy of more than 95%.
We introduce a noise-based countermeasure that effectively mitigates the attack while inducing a low power overhead in the system.
(2024-09-20T08:10:36Z)
- RelayAttention for Efficient Large Language Model Serving with Long System Prompts [59.50256661158862]
This paper aims to improve the efficiency of LLM services that involve long system prompts.
Handling these system prompts requires heavily redundant memory accesses in existing causal attention algorithms.
We propose RelayAttention, an attention algorithm that allows reading hidden states from DRAM exactly once for a batch of input tokens.
(2024-02-22T18:58:28Z)
- Fight Hardware with Hardware: System-wide Detection and Mitigation of Side-Channel Attacks using Performance Counters [45.493130647468675]
We present a kernel-level infrastructure that allows system-wide detection of malicious applications attempting to exploit cache-based side-channel attacks.
This infrastructure relies on hardware performance counters to collect information at runtime from all applications running on the machine.
High-level detection metrics are derived from these measurements to maximize the likelihood of promptly detecting a malicious application.
(2024-02-18T15:45:38Z)
- GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware [8.576433180938004]
GuardFS is a file system-based approach to investigate the integration of detection and mitigation of ransomware.
Using a bespoke overlay file system, data is extracted before files are accessed.
Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system.
(2024-01-31T15:33:29Z)
- SYNC+SYNC: Software Cache Write Covert Channels Exploiting Memory-disk Synchronization [6.6639205139634115]
SYNC+SYNC is a group of attacks that exploit the memory-disk synchronization primitives.
We present the principles of SYNC+SYNC through the implementation of two write covert channel protocols.
Results show that the average rate can reach 2.036 Kb/s (with a peak rate of 14.762 Kb/s) and the error rate is 0% on Linux.
(2023-12-08T15:11:26Z)
- SYSPART: Automated Temporal System Call Filtering for Binaries [4.445982681030902]
Recent approaches automatically identify the system calls required by programs to block unneeded ones.
SYSPART is an automatic system-call filtering system designed for binary-only server programs.
(2023-09-10T23:57:07Z)
- Recurrent Dynamic Embedding for Video Object Segmentation [54.52527157232795]
We propose a Recurrent Dynamic Embedding (RDE) to build a memory bank of constant size.
We propose an unbiased guidance loss during the training stage, which makes SAM more robust in long videos.
We also design a novel self-correction strategy so that the network can repair the embeddings of masks with different qualities in the memory bank.
(2022-05-08T02:24:43Z)
- Efficient video integrity analysis through container characterization [77.45740041478743]
We introduce a container-based method to identify the software used to perform a video manipulation.
The proposed method is both efficient and effective and can also provide a simple explanation for its decisions.
It achieves an accuracy of 97.6% in distinguishing pristine from tampered videos and classifying the editing software.
(2021-01-26T14:13:39Z)
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes.
We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks.
These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
(2020-08-17T07:16:57Z)
- Near-chip Dynamic Vision Filtering for Low-Bandwidth Pedestrian Detection [99.94079901071163]
This paper presents a novel end-to-end system for pedestrian detection using Dynamic Vision Sensors (DVSs).
We target applications where multiple sensors transmit data to a local processing unit, which executes a detection algorithm.
Our detector is able to perform a detection every 450 ms, with an overall testing F1 score of 83%.
(2020-04-03T17:36:26Z)