• No se han encontrado resultados

2.2.2. LA PÉRDIDA DENTARIA Y ALTERACIONES FUNCIONALES

2.2.2.1. Causas De Edentulismo Parcial

In this section, we evaluate the capability ofdpprocfsto defend against side-channel at- tacks discussed in Section 2.1.1. Specifically, we measure the extent to which theprocfsfea- tures used by the attacker in selected attacks are still effective attack features indpprocfs. Rather than trying to replicate each attack from previous work exactly, we adopt a more general framework for evaluation in which the attacker’s task is detecting one ofmclasses of activities.

We perform this measurement of the attacker’s likely success by building a multiclass clas- sifier for classifyingprocfsfeatures (which are attack-dependent) into one ofmclasses. We use thescikit-learn5support-vector-machine (SVM) implementation to build the multiclass classifier. We then report theaccuracyof the classifier in a testing phase, namely the fraction of test instances that it classifies correctly.

2.4.1.1 Defending Against Keystroke Timing Attacks

A user’s interactions with the hardware keyboard can trigger context switches from the user- space application to the operating system kernel to handle keystrokes. The voluntary context switch counter (nvcswin Table 2.2) can be exploited to identify a user’s keystroke actions and hence the timing characteristics of those keystrokes. These timing characteristics can then leak information about what those keystrokes were (e.g., [146]). To approximate the defense that dpprocfsoffers against this attack, we consider an adversary that consecutively reads the

nvcswfield fromprocfssix times, and then the adversary classifies this vector of readings to determine when the keystroke occurred. (We only inject one keystroke during these six readings.) As such, we model the attacker as a multi-class classifier, which classifies the vector of six read- ings (i.e., a vector inN6) intom = 5classes; classifying a vector as classiindicates that the keystroke occurred between readsiandi+ 1.

To perform these experiments, we used a tool calledxdotoolto simulate the keystroke ac- tions at a specified time. During each experiment run, we started abashterminal and injected

one keystroke, at a time distributed normally with mean2.5sand standard deviation0.83s(i.e., 0.0sis three standard deviations from the mean). Beginning with the launch of thebashprocess, the attacker process read the/proc/<pid>/statusfile of thebashprocess every second6 to obtain the voluntary context switch counternvcsw, yielding six readings (a vector inN6). In-

variant enforcement (Section 2.3.3) provided thenearestsolution to the needed invariants. To allow for a powerful attacker, we provided to it the underlying normal distribution imposed on the keystroke timing. The attacker used this distribution to estimate the true (unnoised)nvcswvalue corresponding to each vector element (adapting [111, Eqn. 10]), yielding an estimated true vector per collected vector. We repeated this experiment 440 times to get 440 estimated true vectors. When training and testing the SVM classifier, we used 75% of the vectors from each class for training and 25% for testing.

The accuracy of the resulting classifier on the testing examples is shown in Figure 2.1a. The horizontal axis shows various values of; the vertical axis shows classifier accuracy. Because of the form of the distribution imposed on keystroke timings, the most likely class occurred roughly 44%of the time, and so this baseline (shown by the horizontal dashed line) is the accuracy that the adversary could achieve simply by blindly guessing based on that distribution. As shown in the graph, setting∈[1,3]suffices to reduce the classifier to this baseline accuracy. By compari- son, the classifier was perfect (an accuracy of1.0) when no noise was added.

2.4.1.2 Mitigating Website Inference

The memory footprint of a browser can leak the website it visits (as discussed in Section 2.1.1). In this experiment, we instrumented the Google Chrome browser with a script to visit a target website, chosen uniformly from the Alexa top-10 websites. While this occurred, an attacker pro- cess repeatedly sampled the data resident size fielddrs, calculated astotalVM−sharedVM(using 6This interval is much longer than in the demonstrated attack of Jana et al. [82], but we lengthened this interval to

minimize ambiguity regarding the classi ∈ {1. . .5}to which each vector should be assigned for training. By increasing this interval, we believe we produced classification results that are conservative (i.e., advantageous for the attacker).

0 3 6 9 12 15 ǫ 0.0 0.2 0.4 0.6 0.8 1.0 A cc u ra cy

(a) Keystroke timing attack

0.00 0.02 0.04 0.06 0.08 0.10 ǫ 0.0 0.2 0.4 0.6 0.8 1.0 A cc u ra cy

(b) Website inference attack

Figure 2.1: Multi-class classifier accuracy under differentsettings; dashed horizontal lines show accuracies of blind guesses based only on knowledge of the likelihood of each class

the labels defined in Table 2.2), by reading the/proc/<pid>/statmof the browser process every 500µs. To support this rate of sampling,dpprocfsemployed theheuristicmethod of invariant reestablishment (Section 2.3.3), which returned results in roughly 50µs(in comparison to 8msfor the nearest solution). The sampling period lasted for 3s, during which the attack pro- cess recorded all thedrsfield values read. As in Section 2.4.1.1, the attacker estimated the true (unnoised)drsvalue corresponding to thej-th read value in each 3sinterval, using an empirical distribution observed for thesej-th values gathered by accessing each of these 10 websites an equal number of times. The attacker then constructed a histogram of these estimateddrsvalues binned into seven equal-width bins, and the vector of bin counts (inN7) was used as a feature

vector for classification. Each of the Alexa top-10 websites were visited 100 times; when used to train and test the SVM classifier (withm = 10classes), 70% were used for training and 30% were used for testing.

The resulting accuracy of the classifier is shown in Figure 2.1b. The most important distinc- tion from the graph in Figure 2.1a is that the values ofneeded to interfere with the website inference attack are much smaller, meaning that the noise added was greater. This is primarily a function of the size differences betweendrsreadings from themclasses, which were generally much greater than the differences between the readings of the voluntary context switch counter

nvcswwith and without a keystroke. In terms ofd∗, the distances between the classes in the web- site inference attack were much greater than the distances between classes in the keystroke attack. This is noteworthy because it implies that the settings ofneeded for privacy will differ per-field and per-application and, to some extent, will need to be informed by known attacks. Still, how- ever, several values tested fordecayed classification accuracy to a significant extent; with no noise added, the classifier reached0.915accuracy.

Documento similar