Context-Based Mitigations for Side-Channel Attacks via Kernel Address-Space Views in Linux

The increasing threat of side-channel attacks on computer systems has necessitated the use of expensive mitigation techniques, such as kernel page-table isolation (KPTI) for the Meltdown vulnerability. These mitigations, which are applied globally across all tasks in the system, can lead to performance overheads and reduced overall usability. To address this problem, in this master's thesis, you will explore an innovative approach that uses kernel address-space views to adaptively configure side-channel mitigations on a per-task basis.

Kernel address-space views are a new mechanism that we explore in the ATLAS project. They are synchronized variants of the kernel address space that only differ in explicitly specified parts in the executable kernel code. Each task can switch between the different kernel address-space views, thereby allowing context-based code variation. In this thesis, kernel address-space views are used to facilitate thread-based application of mitigation techniques.

The proposed mechanism allows the user to specify which tasks are not trusted and may execute malicious code. Only these tasks use a specialized kernel address-space view that applies the appropriate mitigations. The trusted tasks, on the other hand, use a kernel view that does not apply any mitigations. The goal is to enable mitigation of side-channel attacks on a per-task basis without incurring unnecessary overheads for tasks that do not execute untrusted code.

To evaluate the effectiveness of the proposed approach, the performance improvement of task-based mitigations should be shown via microbenchmarks. Additionally, the impact of the approach on real-world applications is to be evaluated by end-to-end benchmarks.

OSDI Conference A*
From Global to Local Quiescence: Wait-Free Code Patching of Multi-Threaded Processes
Florian Rommel, Christian Dietrich, Daniel Friesel, Marcel Köppen, Christoph Borchert, Michael Müller, Olaf Spinczyk, Daniel Lohmann. 14th Symposium on Operating System Design and Implementation (OSDI '20), 2020.