Award Abstract # 1526455
TWC: TTP Option: Small: Differential Introspective Side Channels --- Discovery, Analysis, and Defense

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: REGENTS OF THE UNIVERSITY OF MICHIGAN
Initial Amendment Date: September 15, 2015
Latest Amendment Date: August 25, 2020
Award Number: 1526455
Award Instrument: Standard Grant
Program Manager: Phillip Regalia
pregalia@nsf.gov
 (703)292-2981
CNS
 Division Of Computer and Network Systems
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2015
End Date: September 30, 2021 (Estimated)
Total Intended Award Amount: $605,282.00
Total Awarded Amount to Date: $605,282.00
Funds Obligated to Date: FY 2015 = $605,282.00
History of Investigator:
  • Zhuoqing Mao (Principal Investigator)
    zmao@umich.edu
Recipient Sponsored Research Office: Regents of the University of Michigan - Ann Arbor
1109 GEDDES AVE STE 3300
ANN ARBOR
MI  US  48109-1015
(734)763-6438
Sponsor Congressional District: 06
Primary Place of Performance: University of Michigan
2260 Hayward Street
Ann Arbor
MI  US  48105-2121
Primary Place of Performance Congressional District: 06
Unique Entity Identifier (UEI): GNJ7BBP73WE9
Parent UEI:
NSF Program(s): CSR-Computer Systems Research, Secure & Trustworthy Cyberspace
Primary Program Source: 01001516DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7923, 9102
Program Element Code(s): 735400, 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Side channels in the security domain are known to be challenging to discover and eliminate systematically. Nevertheless, they can lead to a variety of stealthy attacks that seriously compromise cybersecurity. This work focuses on an important class of side channels that are fundamental to the operation of networked systems. Rather than reacting to each newly discovered side channel with an ad-hoc patch after a security breach, this work enables the automated discovery of an important class of side channels that exist because computing systems deliberately expose information to enable their debugging and management. This project is expected to bring a paradigm shift to side channel investigation in the security area, with significant economic benefits from preventing a diverse set of cyberattacks. This project also has important educational and workforce training benefits for both undergraduate and graduate students, in addition to the broader dissemination of the findings through applicable standards processes to ensure operational adoption.

This research investigates an entirely new class of side channel attacks against networked systems such as network stacks that can lead to significant damage to user privacy, network security, and application integrity. A distinctive feature of this class of attacks is the requirement of actively injecting carefully crafted and potentially incorrect events to trigger error conditions in a program so as to reveal its internal sensitive states, which can indirectly expose critical information. Interestingly, the attacks are inherent byproducts of network and operating system design and implementation, which are fundamentally hard to modify. In contrast to other well-known side channels that can be directly observed through passive monitoring, e.g., power and timing, this class of side channels is much more subtle to discover and also more challenging to defend against. The proposed security work helps introduce a more rigorous approach to discovering a new class of side channels that has a direct impact on the security assurance of both small systems such as mobile devices and large network systems such as enterprise networks. This research develops methods to systematically and rigorously detect and eliminate such side channels by leveraging both program analysis and network measurement science. The investigation of the tradeoffs between security guarantees and the manageability of network systems leads to more practical and usable security solutions that can be deployed in practice.

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

We propose to investigate an entirely new class of side channel
attacks against networked systems such as network stacks that can lead
to significant damage to user privacy, network security, and
application integrity, which we name "differential introspective side
channel attacks". A unique feature about this class of attacks is the
requirement of actively injecting carefully crafted and potentially
incorrect events to trigger error conditions in a program so as to
reveal their internal sensitive states, which can indirectly expose
critical information. In contrast to other well-known side channels
that can be directly observed through passive monitoring, e.g., power
and timing, this class of side channels is much more subtle to
discover and also more challenging to defend against.

We build upon our past work of finding examples of such side-channel-based
attacks to generalize defense solutions systematically. In
particular, we have demonstrated that an off-path attacker can hijack
both short-lived and long-lived TCP connections as well as create TCP
connections using spoofed IP addresses. This enables us to achieve
many attacks, including replacing the Facebook login page, launching
massive denial of service against popular Android system services, and
sending spam emails with spoofed IP addresses. Interestingly, the
attacks are inherent byproducts of network and operating system design
and implementation, which are fundamentally hard to eliminate. We
propose methods to systematically detect and eliminate such side
channels by leveraging both program analysis and network measurement
science.

In this project, we develop a novel and general system, CSI (Chunk Sequence Inferencer), that provides the capability to independently conduct active measurements and infer the adaptation behavior and delivered QoE of third party mobile video services, for the increasingly common but challenging use case where these services use encrypted (HTTPS/QUIC) communications between the client and the server. Such video streaming systems are typically complex, highly customized and closed source, making it challenging to understand their adaptation designs. To address this, for a specific streaming service and video asset, CSI streams the video under specific network conditions of interest. It then analyzes the associated network traffic to infer (1) the identity of each downloaded chunk, i.e., the index, the track it belongs to, whether it is an audio or video chunk and (2) the time when each chunk is downloaded. From such information, QoE metrics including displayed video quality and stall occurrences can be further analyzed.

• Foundational insights. We perform extensive measurements and develop two key insights that demonstrate the feasibility of inferring chunk identities from encrypted traffic. (1) Downloaded object sizes can be accurately inferred from associated encrypted packets. (2) For the increasingly commonly used Variable Bitrate (VBR) encoding, even with a relatively short sequence of chunk sizes, consisting of a mixture of chunks from different tracks, the identity of each chunk in the sequence can still be identified with high accuracy.

• Design of CSI. CSI enables automated and repeated active measurements for understanding the adaptation behavior and delivered QoE of commercial mobile video streaming under various network conditions. CSI automates the measurement process including performing network emulation, player UI instrumentation, data collection and analysis.

• Inference algorithm that is a key component of CSI. It is designed to cover a range of common ABR system designs. To efficiently identify the chunk sequence that matches size information from the traffic, CSI formulates the matching problem as a shortest path graph search. CSI also addresses additional challenges introduced by QUIC's unique properties, such as the stream multiplexing feature.

• Evaluation. We perform extensive evaluations and demonstrate that CSI achieves high inferencing accuracy (1) across different chunk size variability across 6 popular services and (2) across ABR systems with different designs. In addition, the analysis is fast, typically taking only a few seconds to analyze a 10 min long video session.

• Use case. We use Hulu as an example service and illustrate how CSI can be used in practice to help understand the QoE implications of parameter settings in token-bucket based traffic shaping policies and derive optimized shaping policies for mobile networks.


Last Modified: 10/03/2021
Modified by: Zhuoqing M Mao
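The outcomes report above describes the core of CSI's inference: downloaded object sizes are recovered from encrypted packets, and the sequence of chunks is identified by matching those sizes against the known per-track chunk sizes as a shortest path search. The following Python example is added here to illustrate that idea and to let a defender evaluate the size-padding countermeasure against it; it is not CSI's code and nothing here is taken from the project. The manifest (three video tracks with VBR chunk sizes), the observed size sequence, the matching tolerance and the padding bucket sizes are all constructed. The matching is written as Dijkstra over a layered graph whose nodes are (position, track, chunk index) and whose edge weights are the absolute size mismatch, with the ABR constraint that consecutive downloads have consecutive chunk indices. It goes slightly beyond the text by also counting how many chunk sequences remain consistent with the observation, which is the quantity a padding scheme has to push up.

```python
import heapq

# Constructed manifest: per-track chunk sizes in bytes. VBR encoding makes
# sizes vary from chunk to chunk, which is what makes a short size sequence
# identifying. Real services would expose this via their manifest/playlist.
MANIFEST = {
    "240p": [120_000, 98_000, 143_000, 110_000, 131_000, 105_000],
    "480p": [310_000, 265_000, 352_000, 298_000, 340_000, 270_000],
    "720p": [720_000, 640_000, 810_000, 690_000, 760_000, 655_000],
}

# Constructed observation: sizes of three consecutive downloads recovered from
# encrypted traffic (chunk 2 of 480p, then chunks 3 and 4 of 720p), each off by
# a few hundred bytes to mimic TLS/transport overhead in the size estimate.
OBSERVED = [351_870, 690_410, 760_090]


def infer_chunk_sequence(observed, manifest, tolerance=2_000):
    """Shortest-path matching of an observed size sequence to (track, index) pairs.

    Nodes are (position, track, index); an edge to position+1 may switch track
    but must advance the chunk index by one. Edge weight is the size mismatch;
    mismatches above `tolerance` are not edges at all. Returns (path, cost) or
    (None, inf) when no consistent sequence exists.
    """
    n = len(observed)
    best, parent, heap = {}, {}, []
    # The first observed chunk may be any chunk of any track (start index is free).
    for track, sizes in manifest.items():
        for idx, size in enumerate(sizes):
            err = abs(observed[0] - size)
            if err <= tolerance:
                state = (0, track, idx)
                best[state], parent[state] = err, None
                heapq.heappush(heap, (err, state))
    while heap:
        cost, state = heapq.heappop(heap)
        if cost > best.get(state, float("inf")):
            continue  # stale heap entry
        pos, track, idx = state
        if pos == n - 1:
            path, s = [], state
            while s is not None:
                path.append((s[1], s[2]))
                s = parent[s]
            return path[::-1], cost
        for t, sizes in manifest.items():
            j = idx + 1
            if j >= len(sizes):
                continue
            err = abs(observed[pos + 1] - sizes[j])
            if err > tolerance:
                continue
            nxt, nc = (pos + 1, t, j), cost + err
            if nc < best.get(nxt, float("inf")):
                best[nxt], parent[nxt] = nc, state
                heapq.heappush(heap, (nc, nxt))
    return None, float("inf")


def count_consistent(observed, manifest, tolerance=0):
    """Number of (track, index) sequences consistent with the observation.

    1 means the traffic uniquely identifies what was watched; larger values
    mean the observer is left guessing among that many candidates.
    """
    ways = {}
    for track, sizes in manifest.items():
        for idx, size in enumerate(sizes):
            if abs(observed[0] - size) <= tolerance:
                ways[(track, idx)] = 1
    for pos in range(1, len(observed)):
        nxt = {}
        for (track, idx), cnt in ways.items():
            for t, sizes in manifest.items():
                j = idx + 1
                if j < len(sizes) and abs(observed[pos] - sizes[j]) <= tolerance:
                    nxt[(t, j)] = nxt.get((t, j), 0) + cnt
        ways = nxt
    return sum(ways.values())


def pad_to_bucket(size, bucket):
    """Countermeasure model: every object is padded up to a multiple of `bucket`."""
    return -(-size // bucket) * bucket


def ambiguity_after_padding(observed, manifest, bucket):
    """Candidates remaining if server and manifest both used bucket padding."""
    padded_manifest = {t: [pad_to_bucket(s, bucket) for s in sizes]
                       for t, sizes in manifest.items()}
    padded_observed = [pad_to_bucket(s, bucket) for s in observed]
    return count_consistent(padded_observed, padded_manifest)


if __name__ == "__main__":
    path, cost = infer_chunk_sequence(OBSERVED, MANIFEST)
    print("inferred:", path, "total mismatch:", cost)
    print("candidates unpadded:", count_consistent(OBSERVED, MANIFEST, 2_000))
    for bucket in (256_000, 512_000):
        print(f"candidates with {bucket}-byte padding:",
              ambiguity_after_padding(OBSERVED, MANIFEST, bucket))
```

On the constructed data the unpadded observation identifies the three chunks uniquely, which is the effect the report's "foundational insights" describe. Padding to 256 KB leaves two consistent sequences and padding to 512 KB leaves eight, because the track bands still differ by more than the bucket unless the bucket is as large as the biggest chunk; the count is the metric to watch when weighing bandwidth overhead against how much the size side channel still reveals.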
