KeyDrown: Eliminating Software-Based Keystroke Timing Side-Channel Attacks

Besides cryptographic secrets, software-based sidechannel attacks also leak sensitive user input. The most accurate attacks exploit cache timings or interrupt information to monitor keystroke timings and subsequently infer typed words and sentences. These attacks have also been demonstrated in JavaScript embedded in websites by a remote attacker. We extend the stateof-the-art with a new interrupt-based attack and the first Prime+ Probe attack on kernel interrupt handlers. Previously proposed countermeasures fail to prevent software-based keystroke timing attacks as they do not protect keystroke processing through the entire software stack. We close this gap with KeyDrown, a new defense mechanism against software-based keystroke timing attacks. KeyDrown injects a large number of fake keystrokes in the kernel, making the keystroke interrupt density uniform over time, i.e., independent of the real keystrokes. All keystrokes, including fake keystrokes, are carefully propagated through the shared library to make them indistinguishable by exploiting the specific properties of software-based side channels. We show that attackers cannot distinguish fake keystrokes from real keystrokes anymore and we evaluate KeyDrown on a commodity notebook as well as on Android smartphones. We show that KeyDrown eliminates any advantage an attacker can gain from using software-based sidechannel attacks. 1) Any classifier based on a single-trace side-channel attack may not provide any advantage over a random classifier. 2) The number of side-channel traces a classifier requires to detect all keystrokes correctly must be impractically high. 3) The implementation of the countermeasure may not leak information about its activity or computations. Based on the identified requirements, we present KeyDrown, a new defense mechanism against keystroke timing attacks exploiting software-based side channels. KeyDrown covers the entire software stack, from the interrupt source to the user space buffer storing the keystroke, both on x86 systems and on ARM devices. We cover both the general case where an attacker can only obtain a single trace, and the case of password input where an attacker can obtain multiple traces. KeyDrown works in three layers: 1) To mitigate interrupt-based attacks, KeyDrown injects a large number of fake keyboard interrupts, making the keystroke interrupt density uniform over time, i.e., independent of the real keystrokes. Prime+Probe attacks on the kernel module are mitigated by unifying the control flow and data accesses of real and fake keystrokes such that there is no difference visible in the cache or in the execution time. 2) To mitigate Flush+Reload and Prime+Probe attacks on shared libraries, KeyDrown runs through the same code path in the shared library for all, fake and real, keystrokes. 3) To mitigate Prime+Probe attacks on password entry fields, KeyDrown updates the widget buffer for every fake and real keystroke. We evaluate KeyDrown on several state-of-the-art attacks as well as our two novel attacks. In all cases, KeyDrown eliminates any advantage an attacker can gain from the side channels, i.e., the attacker cannot deduce sensitive information from the side channel. We provide a proof-of-concept implementation, which can be installed as a Debian package compatible with the latest long-term support release of Ubuntu (16.04). It runs on commodity operating systems with unmodified applications and unmodified compilers. KeyDrown is started automatically and is entirely transparent to the user, i.e., requires no user interaction. Although our countermeasure inherently executes more code than an unprotected system, it has no noticeable effect on keystroke latency. Finally, we also define what KeyDrown cannot protect against, such as word completion lookups or immediate forwarding of single keystrokes over the network. Contributions. The contributions of this work are: 1) We present two novel attacks to recover keystroke timings, that work in environments where previous attacks fail [14], [25] . 2) We identify three essential requirements for an effective countermeasure against keystroke attacks. 3) We propose KeyDrown, a multi-layered solution to mitigate keystroke timing attacks. 1 4) We evaluate KeyDrown and show that it eliminates all known attacks.