# **Time Protection: Principled Prevention of Timing Channels**

Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser
IFIP WG 10.4, Reggio di Calabria, 2020-01-31

https://trustworthy.systems






# Cause: Competition for HW Resources



[Figure: a Low and a High security domain run on shared hardware, which affects their execution speed.]

- Inter-process interference
- Competing access to microarchitectural features
- Hidden by the HW-SW contract!

# **Sharing 1: Stateless Interconnect**



[Figure: cores contend for the shared, stateless interconnect to memory.]

#### Hardware is bandwidth-limited

- Interference during concurrent access
- Generally reveals no data or addresses
- Must encode info into access patterns
- Only usable as a covert channel, not a side channel

#### No effective defence with present hardware!

# **Sharing 2: Stateful Hardware**



#### Hardware is capacity-limited

- Interference during
  - concurrent access
  - time-shared access
- Collisions reveal addresses
- Usable as side channel

Applies to any state-holding microarchitectural feature: cache, TLB, branch predictor, prefetcher state machine.



5 | IFIP WG10.4 Jan'20

# **Systematic Defence: Time Protection**



A collection of OS mechanisms which collectively prevent interference between security domains that would make execution in one domain dependent on the activities of another. [Ge et al. EuroSys'19]




# **Time Protection: Prevent Interference**





[Figure: as before, the Low and High domains run on shared hardware, which affects their execution speed.]

Interference results from sharing  $\Rightarrow$  Partition hardware:

- spatially
- temporally (time shared)



# What is seL4?


# seL4: Security, Safety, Performance

The world's first operating-system kernel with provable security enforcement

The world's most advanced mixed-criticality OS

The world's only protected-mode OS with complete, sound timeliness analysis

The world's fastest microkernel, designed for real-world use






# Implementing Time Protection


# **Spatially Partition: Cache Colouring**
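A worked model of what a colouring allocator decides: a frame's colour is the part of its cache-set index that lies above the page offset, so by handing each domain only frames of its own colours the OS guarantees that the domains never map to the same cache sets. This is an added example, not seL4's own allocator; the cache geometry (a 2 MiB, 16-way cache with 64-byte lines and 4 KiB pages), the 0x80000000 physical range and every function name are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cache geometry (illustrative; not any particular SoC). */
#define CACHE_SIZE  (2u << 20)   /* 2 MiB last-level cache */
#define CACHE_WAYS  16u
#define LINE_SIZE   64u
#define PAGE_SIZE   4096u

/* sets = size / (ways * line). The set index comes from the physical-address
 * bits just above the line offset. Bits below the page size are the same for
 * every page, so the OS can only steer the set-index bits that lie above the
 * page offset, by choosing which frames a domain gets. Those bits are the
 * frame's "colour". */
#define CACHE_SETS   (CACHE_SIZE / (CACHE_WAYS * LINE_SIZE))  /* 2048 */
#define NUM_COLOURS  (CACHE_SETS * LINE_SIZE / PAGE_SIZE)      /* 32   */
#define FRAMES_PER_DOMAIN 40   /* > NUM_COLOURS, so a naive allocator must reuse colours */

uint32_t cache_colour(uint64_t paddr)
{
    return (uint32_t)((paddr / PAGE_SIZE) % NUM_COLOURS);
}

static uint64_t all_colours(void)
{
    return NUM_COLOURS >= 64 ? ~0ull : (1ull << NUM_COLOURS) - 1;
}

/* Give the lowest n_low colours to Low and the rest to High. Returns false if the
 * split is degenerate or the two masks are not a disjoint cover of all colours. */
bool partition_colours(uint32_t n_low, uint64_t *low_mask, uint64_t *high_mask)
{
    if (n_low == 0 || n_low >= NUM_COLOURS) return false;
    *low_mask  = (1ull << n_low) - 1;
    *high_mask = all_colours() & ~*low_mask;
    return (*low_mask & *high_mask) == 0 && (*low_mask | *high_mask) == all_colours();
}

/* A frame may be mapped into a domain only if its colour is in the domain's mask. */
bool frame_allowed(uint64_t paddr, uint64_t colour_mask)
{
    return (colour_mask >> cache_colour(paddr)) & 1ull;
}

/* Toy allocator: scan a physical range and hand out the first `want` frames
 * whose colour the domain owns. Returns the number of frames handed out. */
size_t alloc_coloured(uint64_t base, uint64_t limit, uint64_t mask,
                      uint64_t *out, size_t want)
{
    size_t got = 0;
    for (uint64_t pa = base; pa < limit && got < want; pa += PAGE_SIZE)
        if (frame_allowed(pa, mask)) out[got++] = pa;
    return got;
}

/* Count (Low, High) frame pairs of equal colour: every such pair can contend for
 * the same cache sets, i.e. is a potential cache-contention channel. */
size_t colour_conflicts(const uint64_t *low, size_t nl, const uint64_t *high, size_t nh)
{
    size_t hits = 0;
    for (size_t i = 0; i < nl; i++)
        for (size_t j = 0; j < nh; j++)
            if (cache_colour(low[i]) == cache_colour(high[j])) hits++;
    return hits;
}

/* Scenario on a constructed 1 MiB physical range at 0x80000000: Low and High each
 * receive FRAMES_PER_DOMAIN frames. Partitioned, each domain draws only its own
 * colours; unpartitioned, both may use any colour and High simply continues after
 * Low's last frame. Returns the number of conflicting frame pairs. */
size_t demo_conflicts(bool partitioned)
{
    const uint64_t base = 0x80000000ull, limit = base + (1ull << 20);
    uint64_t low[FRAMES_PER_DOMAIN], high[FRAMES_PER_DOMAIN], low_mask, high_mask;

    if (!partition_colours(NUM_COLOURS / 2, &low_mask, &high_mask)) return (size_t)-1;
    if (!partitioned) low_mask = high_mask = all_colours();

    size_t nl = alloc_coloured(base, limit, low_mask, low, FRAMES_PER_DOMAIN);
    uint64_t high_base = partitioned ? base : low[nl - 1] + PAGE_SIZE;
    size_t nh = alloc_coloured(high_base, limit, high_mask, high, FRAMES_PER_DOMAIN);
    return colour_conflicts(low, nl, high, nh);
}

int main(void)
{
    printf("%u colours; conflicts without partitioning: %zu, with: %zu\n",
           (unsigned)NUM_COLOURS, demo_conflicts(false), demo_conflicts(true));
    return 0;
}
```

The number of colours is the ratio of a cache way to the page size, so on this assumed geometry a domain can be confined to 1/32 of the cache per colour it owns. Colouring only partitions caches that are physically indexed above the page offset; virtually indexed L1 caches and state not indexed by address (branch predictors, prefetchers) need the temporal approach on the following slides.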




# Temporal Partitioning: Flush on Switch

Must remove any history dependence!

1.  $T_0 = current\_time()$
2. Switch user context
3. Flush on-core state
4. Touch all shared data needed for return
5. `while (current_time() < T_0 + WCET);`
6. Reprogram timer
7. return

Step 4 ensures deterministic execution of the return path, but the latency of steps 2 to 4 depends on prior execution! Step 5 pads the switch to its worst-case execution time (WCET) to remove that dependency.
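The seven steps above, modelled with a simulated cycle counter so the effect of the padding is visible in one run. This is an added example, not seL4 kernel code; `SWITCH_WCET`, the per-step costs and the function names are assumptions, and the flush cost is a stand-in for whatever the previous domain left in the caches and predictors.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated monotonic clock in "cycles". In the kernel this is the hardware
 * cycle counter; here every modelled step advances it explicitly so the
 * example runs deterministically on any host. */
static uint64_t sim_now;
static uint64_t current_time(void) { return sim_now; }
static void spend(uint64_t cycles) { sim_now += cycles; }

/* Assumed worst-case execution time of the switch path (steps 2-4), in cycles.
 * A real kernel would measure this per platform; too small a value is the
 * failure mode checked in main(). */
#define SWITCH_WCET 1000ull

/* Assumed fixed costs of steps 2 and 4 in the model. */
#define CONTEXT_SWITCH_COST 50ull
#define TOUCH_COST          20ull

/* Step 5: busy-wait until T0 + WCET. In the kernel the loop body is empty and
 * the hardware clock advances by itself; the model ticks it one cycle per spin. */
static void pad_to_wcet(uint64_t t0, uint64_t wcet)
{
    while (current_time() < t0 + wcet)
        spend(1);
}

/* Model of a domain switch. `flush_cost` stands for the part of step 3 whose
 * duration depends on what the previous domain left behind (dirty lines, TLB
 * entries, predictor state): exactly the history dependence to hide.
 * Returns the latency an observer in the incoming domain can measure. */
uint64_t domain_switch(uint64_t flush_cost, bool pad)
{
    uint64_t t0 = current_time();          /* 1. T0 = current_time()          */
    spend(CONTEXT_SWITCH_COST);            /* 2. switch user context          */
    spend(flush_cost);                     /* 3. flush on-core state          */
    spend(TOUCH_COST);                     /* 4. touch shared data for return */
    if (pad) pad_to_wcet(t0, SWITCH_WCET); /* 5. pad to WCET                  */
    /* 6. reprogram timer, 7. return: fixed cost, not modelled */
    return current_time() - t0;
}

/* Does an observer learn anything from two switches with different flush
 * history? Returns true if the measured latencies differ, i.e. the channel is open. */
bool latency_leaks(uint64_t flush_a, uint64_t flush_b, bool pad)
{
    return domain_switch(flush_a, pad) != domain_switch(flush_b, pad);
}

int main(void)
{
    printf("unpadded: %llu vs %llu cycles\n",
           (unsigned long long)domain_switch(100, false),
           (unsigned long long)domain_switch(900, false));
    printf("padded:   %llu vs %llu cycles\n",
           (unsigned long long)domain_switch(100, true),
           (unsigned long long)domain_switch(900, true));
    /* Padding only works if WCET really bounds the path: a flush that overruns
     * it becomes observable again. */
    printf("overrun:  leaks=%d\n", latency_leaks(100, 2000, true));
    return 0;
}
```

The padding loop must read the clock only after the flush and the touch of shared data, otherwise the latency of those steps would land after the pad and leak again; and the WCET must genuinely bound the whole path, which is why the slide stresses a sound timeliness analysis of the kernel.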



# **Challenge: Broken Hardware**

#### Systematic study of COTS hardware (Intel and Arm) [Ge et al, APSys'18]:

Contemporary processors hold microarchitectural state that software cannot reset.



# Way Out: New HW-SW Contract!

The ISA is a purely functional contract; it abstracts too much away (timing, microarchitectural state)

#### New contract (augmented ISA):

All shared HW resources must be spatially or temporally partitionable by OS [Ge et al, APSys'18]



RISC-V to the rescue: Strong commitment to making it happen!

