Memento: Learning Secrets from Process Footprints

This slide is modified from
http://www.cs.utexas.edu/~suman/publications/oakland12/Memento.pptx
Memento: Learning Secrets from Process Footprints
Suman Jana and Vitaly Shmatikov
The University of Texas at Austin
33rd Security & Privacy (May, 2012)
Best student paper award
Outline
• Introduction
• Side channels through /proc
• Memento
• Implementation
• Evaluation
• Variations of the attack
• Solutions?
• Summary
A Seminar at Advanced Defense Lab
2012/05/28
Introduction
• Implementing a whole security mechanism in user mode is very difficult.
Trends in software design
• Applications rely on OS abstractions to improve their safety and reliability
  o “Process”
  o “User”
• Case study: Web browsers
[Figure: the browser forks a new process for www.xbank.com and another for www.quickdate.com, kept apart by OS isolation]
Unintended consequences
Good:
• Better isolation
• Better reliability
  o Others not affected if one process crashes
• Better safety
Bad:
• Leaks more info to concurrent processes (topic of this talk)
ProcFS: Process info in multi-user OS
[Figure: ps, cat /proc/1/status and top -p 1 querying process info; ProcFS was introduced in the 1980s: Tom Killian, "Processes as Files" (1984)]
What can one learn from ProcFS?
• IP addrs of websites other users are visiting
Side channels through /proc
• "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems" - USENIX Security 2009 (Kehuan Zhang, XiaoFeng Wang)
  o Keystroke timing leak through ESP/EIP values from /proc/<pid>/stat
The story of "Peeping Tom"
NDSS '09 program committee: "Nobody uses multi-user computers anymore"
Oakland '09 program committee: "Nobody uses multi-user computers anymore"
Shout-out to XiaoFeng ;)
Nobody uses multi-user computers anymore???
Android sandboxing = UNIX multi-user isolation
[Figure: ps, top -p 1, cat /proc/1/status: UNIX multi-users in the 1980s]
[Figure: the same ps, top -p 1, cat /proc/1/status: Android “multi-users” in 2012]
• Different apps run as different users
• Android uses OS “user” abstraction to isolate applications
• ProcFS API is still unchanged!!
What can a zero-permission app do?
• Can read all world-readable files in /proc
• … but “Peeping Tom” attack does not work
  o ESP/EIP too unpredictable - JVM, GUI etc.
• Introducing “Memento” attacks
  o Works on all major OSs (except iOS)
This is not just about Android! Completely new attack!
Process resource usage = big-time side channel
• Memory usage leaks inputs and user actions
  o Reveals webpages visited in Chrome, Firefox, Android browser, any WebKit-based browser
  o Reveals state of Web applications: membership in dating sites, specific interests on medical sites, etc.
• CPU usage leaks keystroke timing
  o For bash, ssh, Android on-screen keyboard handler
  o Yields a better, much more robust “Peeping Tom”
“Memento” (2000): putting together “memory streams”
Memprint: stream of memory usage
[Figure: a memprint as a sequence of memory-usage samples: 10568 KB, 65948 KB, 60280 KB, 15976 KB, 49380 KB, 11632 KB, 48996 KB, 60820 KB, 59548 KB]
Sniffing memory footprints
[Figure: the browser process performs alloc 1 and alloc 2 via brk/mmap from the OS free page pool; on the other side of OS isolation, a zero-permission malicious process reads the used page count after each step (2050, 2056, 2080) and records the sequence as the memprint]
Memprint for Chrome loading benaughty.com
[Figure: memprint plot for Chrome loading benaughty.com]
Full attack
[Figure: a zero-permission app reads the browser's /proc/pid/statm across OS isolation, builds a memprint, and matches it against a memprint database]
Implementation
• Measuring the target’s memory footprint
  o Linux and Android: /proc/<pid>/statm, drs (data resident size)
  o FreeBSD: kvm_getprocs
  o Windows: Performance Data Helper (PDH) library
Environment
• Chrome
  o Version: 13.0.782.220
  o Measure the render process
• Firefox
  o Version: 3.6.23
  o Monolithic browser
  o Using a fresh browser
• Android
  o Version: 2.2 Froyo in the x86 simulator
  o The results are the same for 3.1 Honeycomb in Google’s ARM simulator.
Building the signature database
• A memprint is a set of (E, c) tuples.
  o E is an integer representing a particular footprint size
  o c is how often it was observed during measurement.
• Ex: ALEXA TOP 1,000:
[Figure: example memprints for the Alexa top 1,000 pages]
Similarity
$(E, c_1) \in m_1 \wedge (E, c_2) \in m_2 \Rightarrow (E, \min(c_1, c_2)) \in m_1 \cap m_2$
$(E, c_1) \in m_1 \vee (E, c_2) \in m_2 \Rightarrow (E, \max(c_1, c_2)) \in m_1 \cup m_2$
Jaccard index: $J(m_1, m_2) = \dfrac{|m_1 \cap m_2|}{|m_1 \cup m_2|}$
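The memprint construction from the Implementation and Similarity slides, as an added example that is not the authors' code: it parses the drs column of constructed /proc/<pid>/statm lines into (E, c) counts and computes the Jaccard index of two memprints, which is what an evaluator needs to check how distinguishable two footprints are. It assumes the size of a memprint is the sum of its counts (my reading of |m1 ∩ m2| / |m1 ∪ m2|) and uses made-up sample values.

```python
from collections import Counter
from typing import Iterable

# Column order of /proc/<pid>/statm (all values in pages):
#   size resident shared text lib data dt
# Memento samples the "data" column, which the kernel reports as drs.
DRS_FIELD = 5


def parse_statm_drs(line: str) -> int:
    """Return the drs value (in pages) from one /proc/<pid>/statm line."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected statm line: {line!r}")
    return int(fields[DRS_FIELD])


def memprint(statm_lines: Iterable[str]) -> Counter:
    """Build a memprint: footprint size E -> number of samples c with that size."""
    return Counter(parse_statm_drs(line) for line in statm_lines)


def jaccard(m1: Counter, m2: Counter) -> float:
    """Jaccard index of two memprints treated as multisets.
    Assumption: |m| is the sum of the counts, so the intersection takes
    min(c1, c2) per size and the union takes max(c1, c2)."""
    sizes = set(m1) | set(m2)
    inter = sum(min(m1[e], m2[e]) for e in sizes)   # Counter returns 0 for missing keys
    union = sum(max(m1[e], m2[e]) for e in sizes)
    return inter / union if union else 0.0


# Constructed samples (not real measurements): drs sequences from two
# visits to the same page (A1, A2) and one visit to a different page (B).
def _statm_lines(drs_values):
    return [f"35264 8873 3418 3 0 {d} 0" for d in drs_values]


VISIT_A1 = _statm_lines([2050, 2056, 2080, 2080, 2056, 2080])
VISIT_A2 = _statm_lines([2050, 2056, 2080, 2080, 2080, 2090])
VISIT_B = _statm_lines([3100, 3120, 3120, 3150, 3100, 2080])


def demo():
    """Return (same-page similarity, different-page similarity)."""
    a1, a2, b = memprint(VISIT_A1), memprint(VISIT_A2), memprint(VISIT_B)
    return jaccard(a1, a2), jaccard(a1, b)


if __name__ == "__main__":
    same, other = demo()
    print(f"same page: {same:.3f}, different page: {other:.3f}")
```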
Why the attack works
• Memprints are unique
  o Can tune recognition to achieve zero false positives (for up to 43% of webpages)
• Memprints are stable
  o … across repeated visits to the same page
  o memprints are OS/browser-dependent but machine-independent
[Figure: cross-page similarity for 100 random pages out of Alexa top 1000; both axes are web page ID, similarity = Jaccard index of memprints; pages are similar to themselves and different from others]
Evaluation
• Distinguishability
  Origin distinguishability $= (\mu_{target} - \sigma_{target}) - (\mu_{neighbor} + \sigma_{neighbor})$,
  where $\mu$ is the mean of similarity values and $\sigma$ is the standard deviation of similarity values.
  Distinguishability (normalized) $= \dfrac{\text{origin distinguishability}}{\text{Max} - \text{Min}}$
• A page is distinguishable if Distinguishability > 0
100 random pages, 1,000-page ambiguity set
[Figure: distinguishability of 100 random pages against a 1,000-page ambiguity set]
If the threshold makes no false positive
• 100 random distinguishable pages
Variations of the attack
• Only focus on changes caused by allocating or de-allocating large images.
• Inferring the state of Web sessions.
• Add secondary side channel information
  o Ex: CPU scheduling statistics
Fine-grained info leak: OkCupid
[Flowchart: is login successful? no: memory usage increases by 1-2 MB. yes: is a paid customer? no: a new flash player plugin process is started to display ads, memory usage increases by 27-36 MB. yes: no new flash player plugin process.]
Concurrent processes don't hurt, sometimes make it even better!!
Memento attacks: CPU usage info
• Monitor /proc/<pid>/status for number of context switches
  o Processing each keystroke requires a predictable number of context switches
  o Keystroke processing time << keystroke interval
• Infer inter-keystroke timing for bash, ssh, Android on-screen keyboard handler etc.
  o sufficient to reconstruct typed text [Zhang and Wang]
Keystroke timing (Android MMS app)
[Figure: keystroke timing measured for the Android MMS app]
Solutions?
• Increasing reliance on OS isolation makes these attacks easier
  o OS problem, not an application problem
• Disable /proc
  o FreeBSD: no /proc, but attacker can still measure victim's memory footprint via kvm_getprocs
• Stop reporting fine-grained resource usage across “user” boundary
  o Only report info for user's own processes
  o Breaks tools like ps, top etc.
Summary
• Process info API
  o A legacy of the 1980s
  o Reveals process's resource usage - CPU, mem, netw
  o A single measurement is harmless (most of the time)
  o Dynamics of processes’ resource usage = high-bandwidth side channel
• Memento attacks
  o OS designers must rethink process info API