Concepedia

Publication | Open Access

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems

Citations: 703

References: 38

Year: 2015

TLDR

Many commodity operating systems contain numerous security vulnerabilities, prompting efforts to exclude them from the trusted computing base while still allowing legacy applications to run, using a small hypervisor or trusted hardware that blocks OS access to application memory. This paper introduces controlled-channel attacks, a new type of side channel that lets an untrusted operating system extract large amounts of sensitive data from protected applications on systems such as Overshadow, InkTag, and Haven. The attacks exploit deterministic side-channel mechanisms under the OS's control to leak data from protected applications. Implemented on Haven and InkTag, the attacks extracted entire text documents and outlines of JPEG images from widely deployed application libraries, casting doubt on whether Overshadow's vision of protecting unmodified legacy applications remains tenable.

Abstract

The presence of large numbers of security vulnerabilities in popular feature-rich commodity operating systems has inspired a long line of work on excluding these operating systems from the trusted computing base of applications, while retaining many of their benefits. Legacy applications continue to run on the untrusted operating system, while a small hypervisor or trusted hardware prevents the operating system from accessing the applications' memory. In this paper, we introduce controlled-channel attacks, a new type of side-channel attack that allows an untrusted operating system to extract large amounts of sensitive information from protected applications on systems like Overshadow, InkTag or Haven. We implement the attacks on Haven and InkTag and demonstrate their power by extracting complete text documents and outlines of JPEG images from widely deployed application libraries. Given these attacks, it is unclear if Overshadow's vision of protecting unmodified legacy applications from legacy operating systems running on off-the-shelf hardware is still tenable.
