CYBERSECURITYResearchers Devise a Way to Evaluate Cybersecurity Methods
A savvy hacker can obtain secret information, such as a password, by observing a computer program’s behavior, like how much time that program spends accessing the computer’s memory. Security approaches that completely block these “side-channel attacks” are so computationally expensive, so engineers often apply what are known as obfuscation schemes. MIT researchers have developed a system which analyzes the likelihood that an attacker could thwart a certain security scheme to steal secret information.
A savvy hacker can obtain secret information, such as a password, by observing a computer program’s behavior, like how much time that program spends accessing the computer’s memory.
Security approaches that completely block these “side-channel attacks” are so computationally expensivethat they aren’t feasible for many real-world systems. Instead, engineers often apply what are known as obfuscation schemes that seek to limit, but not eliminate, an attacker’s ability to learn secret information.
To help engineers and scientists better understand the effectiveness of different obfuscation schemes, MIT researchers created a framework to quantitatively evaluate how much information an attacker could learn from a victim program with an obfuscation scheme in place.
Their framework, called Metior, allows the user to study how different victim programs, attacker strategies, and obfuscation scheme configurations affect the amount of sensitive information that is leaked. The framework could be used by engineers who develop microprocessors to evaluate the effectiveness of multiple security schemes and determine which architecture is most promising early in the chip design process.
“Metior helps us recognize that we shouldn’t look at these security schemes in isolation. It is very tempting to analyze the effectiveness of an obfuscation scheme for one particular victim, but this doesn’t help us understand why these attacks work. Looking at things from a higher level gives us a more holistic picture of what is actually going on,” says Peter Deutsch, a graduate student and lead author of an open-access paper on Metior.
Deutsch’s co-authors include Weon Taek Na, an MIT graduate student in electrical engineering and computer science; Thomas Bourgeat PhD ’23, an assistant professor at the Swiss Federal Institute of Technology (EPFL); Joel Emer, an MIT professor of the practice in computer science and electrical engineering; and senior author Mengjia Yan, the Homer A. Burnell Career Development Assistant Professor of Electrical Engineering and Computer Science (EECS) at MIT and a member of the Computer Science and Artificial Intelligence Laboratory (CSAIL). The research was presented last week at the International Symposium on Computer Architecture.
