Xingjian Zhang,Ziqi Yuan,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/seed51797.2021.00014

2021-01-01

Abstract:Cache side-channel attacks can leak critical information from the target programs. The cache randomization methodology has proven to be an efficient way to mitigate such attacks. However, existing works do not take the cache hierarchy into consideration, failing to address the issue that different levels of caches have different performance and security requirements. In this work, we propose and implement a hybrid randomization scheme, named H(2)Cache, to mitigate cache side-channel attacks. H(2)Cache leverages two randomization approaches and applies them to different levels of caches. It strengthens the security of cache modules, while satisfying the performance and resource utilization requirements. Specifically, we design a table-based randomization method for the L1 cache, which uses a hashed virtual index to look up the actual cache set index. The L2 cache in H(2)Cache takes a computation-based randomization function to calculate the cache set index. We have implemented a prototype of H(2)Cache and extensively evaluated it using a self-designed RISC-V processor on the FPGA platform. We demonstrate the security of H(2)Cache through simulated attack programs and quantitative analysis. Meanwhile, the evaluation results of performance and resource utilization have shown its efficacy.

Dehua Wu,Wan'ang Xiao,Wanlin Gao

DOI: https://doi.org/10.23919/jcc.ea.2021-0720.202401

2024-01-01

China Communications

Abstract:The cache-based covert channel is one of the common vulnerabilities exploited in the Spectre attacks. Current mitigation strategies focus on blocking the eviction-based channel by using a random/encrypted mapping function to translate memory address to the cache address, while the updated-based channel is still vulnerable. In addition, some mitigation strategies are also costly as it needs software and hardware modifications. In this paper, our objective is to devise low-cost, comprehensive-protection techniques for mitigating the Spectre attacks. We proposed a novel cache structure, named EBCache, which focuses on the RISC-V processor and applies the address encryption and blacklist to resist the Spectre attacks. The addresses encryption mechanism increases the difficulty of pruning a minimal eviction set. The blacklist mechanism makes the updated cache lines loaded by the malicious updates invisible. Our experiments demonstrated that the EBCache can prevent malicious modifications. The EBCache, however, reduces the processor's performance by about 23% but involves only a low-cost modification in the hardware.

Haifeng Gu,Mingsong Chen,Yanzhao Wang,Fei Xie

DOI: https://doi.org/10.1109/icess49830.2020.9301601

2020-01-01

Abstract:Speculative execution has been widely used in modern CPU designs. This technique improves the CPU performance significantly. However, it may introduce the speculative execution side channels which can be exploited by attackers maliciously, such as the well-known Spectre attack. Although Spectre can expose the speculative execution side channels in data cache, it relies heavily on the training of branch predictors and timing analysis of the target physical processor. Thereby, it is difficult to predict if Spectre attack on processors that are under design in the early stage can succeed or not. For future white-box processors under design, how to identify the speculative execution side channels in data cache in the early stage is an important issue. To address this problem, we propose an approach to generating branch directions (including mis-predictions) of conditional branch instructions based on Instruction Set Architecture simulation. The predictions of the branch predictor in the processor under design will be guided by these branch directions to trigger the speculative execution side channels in data cache for detection. In our experiments, the RISC-V BOOM processor is used as a case study where the speculative execution side channel in data cache can be detected by our approach.

Junpeng Wan,Yanxiang Bi,Zhe Zhou,Zhou Li

DOI: https://doi.org/10.48550/arXiv.2103.04533

2021-03-08

Abstract:Cache side-channel attacks lead to severe security threats to the settings that a CPU is shared across users, e.g., in the cloud. The existing attacks rely on sensing the micro-architectural state changes made by victims, and this assumption can be invalidated by combining spatial (\eg, Intel CAT) and temporal isolation (\eg, time protection). In this work, we advance the state of cache side-channel attacks by showing stateless cache side-channel attacks that cannot be defeated by both spatial and temporal isolation. This side-channel exploits the timing difference resulted from interconnect congestion. Specifically, to complete cache transactions, for Intel CPUs, cache lines would travel across cores via the CPU mesh interconnect. Nonetheless, the mesh links are shared by all cores, and cache isolation does not segregate the traffic. An attacker can generate interconnect traffic to contend with the victim's on a mesh link, hoping that extra delay will be measured. With the variant delays, the attacker can deduce the memory access pattern of a victim program, and infer its sensitive data. Based on this idea, we implement Volcano and test it against the existing RSA implementations of JDK. We found the RSA private key used by a victim process can be partially recovered. In the end, we propose a few directions for defense and call for the attention of the security community.

Cryptography and Security

Han Wang,Ming Tang,Ke Xu,Quancheng Wang

DOI: https://doi.org/10.23919/date58400.2024.10546529

2024-01-01

Abstract:In the modern CPU architecture, enhancements such as the Line Fill Buffer (LFB) and Super Queue (SQ), which are designed to track pending cache requests, have significantly boosted performance. To exploit this structure, we deliberately engineered blockages in the L2 to L1d route by controlling LFB conflict and triggering prefetch prediction failures, while consciously dismissing other plausible influencing factors. This approach was subsequently extended to the L3 to L2 and L2 to L1i pathways, resulting in three potent covert channels, termed L2CC, L3CC, and LiCC, with capacities of 10.02 Mbps, 10.37 Mbps, and 1.83 Mbps, respectively. Strikingly, the capacities of L2CC and L3CC surpass those of earlier non-shared-memory-based covert channels, reaching a level comparable to their shared memory-dependent equivalents. Leveraging this congestion further facilitated the extraction of key bits from RSA and EdDSA designs. Coupled with SpectreV1 and V2, our covert channels effectively evade the majority of traditional Spectre defenses. Their confluence with Branch Prediction (BP) Timing assaults additionally undercuts balanced branch protections, hence broad-ening their capability to infiltrate a wide range of cryptography libraries. Index

Yanan Guo,Andrew Zigerelli,Youtao Zhang,Jun Yang

DOI: https://doi.org/10.48550/arXiv.2110.12340

2022-08-17

Abstract:Modern x86 processors have many prefetch instructions that can be used by programmers to boost performance. However, these instructions may also cause security problems. In particular, we found that on Intel processors, there are two security flaws in the implementation of PREFETCHW, an instruction for accelerating future writes. First, this instruction can execute on data with read-only permission. Second, the execution time of this instruction leaks the current coherence state of the target data. Based on these two design issues, we build two cross-core private cache attacks that work with both inclusive and non-inclusive LLCs, named Prefetch+Reload and Prefetch+Prefetch. We demonstrate the significance of our attacks in different scenarios. First, in the covert channel case, Prefetch+Reload and Prefetch+Prefetch achieve 782 KB/s and 822 KB/s channel capacities, when using only one shared cache line between the sender and receiver, the largest-to-date single-line capacities for CPU cache covert channels. Further, in the side channel case, our attacks can monitor the access pattern of the victim on the same processor, with almost zero error rate. We show that they can be used to leak private information of real-world applications such as cryptographic keys. Finally, our attacks can be used in transient execution attacks in order to leak more secrets within the transient window than prior work. From the experimental results, our attacks allow leaking about 2 times as many secret bytes, compared to Flush+Reload, which is widely used in transient execution attacks.

Cryptography and Security

Chang Li,Fei Qiao,Huazhong Yang

DOI: https://doi.org/10.1109/ICETC.2010.5529184

2010-01-01

Abstract:Embedded cryptographic devices not only suffer from traditional physical side channel attacks, but also undergo software cache-based side channel attacks recently. The attacks can easily get the user's confidential data via information leakage in caches, and don't require any special instruments. Among existing countermeasures, software solutions can defend the attacks perfectly while leading to significant performance degradation. Hardware solutions are very effective in reducing performance overhead while their structures are complex. This paper presents a novel easily implemented cache architecture which has an added small cache and adopts certain operation mechanism. Compared with traditional cache architecture, it has reduction in miss rate ranging between 20% and 50%, and has about 8.5% of reduction in power consumption, and is secure at the same time. This paper presents both theoretical analysis and experimental results. In our experiments, the MiBench suite is used to evaluate the cache performance of miss rate and energy consumption, and the security of cache is also analyzed. It also supplies the result of Synopsys Design Compiler of the RTL cache code under the 0.18μm CMOS technology.

Haehyun Cho,Jinbum Park,Donguk Kim,Ziming Zhao,Yan Shoshitaishvili,Adam Doupé,Gail-Joon Ahn

DOI: https://doi.org/10.1145/3386901.3388888

2020-01-01

Abstract:Cache side-channel attacks abuse microarchitectural designs meant to optimize memory access to infer information about victim processes, threatening data privacy and security. Recently, the ARM architecture has come into the spotlight of cache side-channel attacks with its unprecedented growth in the market.

Junpeng Wan,Yanxiang Bi,Zhe Zhou,Zhou Li

DOI: https://doi.org/10.1109/sp46214.2022.9833794

2022-01-01

Abstract:Cache side-channel attacks lead to severe security threats to the settings where a CPU is shared across users, e.g., in the cloud. The majority of attacks rely on sensing the micro-architectural state changes made by victims, but this assumption can be invalidated by combining spatial (e.g., Intel CAT) and temporal isolation. In this work, we advance the state of cache side-channel attacks by showing stateless cache side-channel attacks on server-grade CPUs, that can bypass both spatial and temporal isolation. Unlike stateful cache side-channel attacks that rely on the timing difference between a cache hit or miss, our attack exploits the timing difference caused by the interconnect congestion. Specifically, to complete cache transactions, for Intel server CPUs, which use non-inclusive and mesh interconnect, cache lines would travel across cores via the CPU mesh and UPI interconnects. Nonetheless, the interconnects are shared by all cores, and cache isolation does not segregate the traffic. An attacker can generate traffic to contend with a victim on a link, measure the extra delay, deduce the memory access pattern of the victim’s program, and infer its sensitive data. Based on this idea, we implement MESHUP, a stateless cache side-channel against mesh interconnect, and test it against the existing RSA implementations of JDK for the cross-core attack and application fingerprinting for the the cross-CPU attack. We found the RSA private key used by a victim process can be partially recovered and the co-running application can be inferred at high accuracy.

Fang Jiang,Fei Tong,Hongyu Wang,Xiaoyu Cheng,Zhe Zhou,Ming Ling,Yuxing Mao

2024-05-06

Abstract:To defend against conflict-based cache side-channel attacks, cache partitioning or remapping techniques were proposed to prevent set conflicts between different security domains or obfuscate the locations of such conflicts. But such techniques complicate cache design and may result in significant performance penalties. Therefore, there have been lightweight prefetching-based schemes proposed to introduce noise to confuse attackers' observation. However, we have validated experimentally that relying on prefetching to only introduce noise is insufficient, as attackers can still reliably distinguish the victim's cache accesses. This paper proposes a novel prefetching-based scheme, called PCG. It combines adding victim-irrelevant cache occupancy changes and reducing victim-relevant cache occupancy changes to disrupt attackers by generating noisy and indistinguishable cache access patterns. Additionally, PCG can either work independently or seamlessly be integrated with most of the commonly used prefetchers. We have implemented and evaluated PCG in both gem5 and the open-source RISC-V core BOOMv3. The evaluation results show the PCG's robust security superior to the existing solutions, while without resulting in significant performance degradation. According to the evaluation based on the SPEC CPU 2017 benchmark suite, PCG even shows an average performance improvement of about 1.64%. Moreover, it incurs only 1.26% overhead on hardware resource consumption.

Cryptography and Security,Hardware Architecture

Pengfei Guo,Yingjian Yan,Fan Zhang,Chunsheng Zhu,Lichao Zhang,Zibin Dai

DOI: https://doi.org/10.1016/j.cose.2023.103255

2023-04-10

Abstract:Cryptographic devices are vulnerable to side-channel attacks, which have attracted broad attention in the hardware security field. The side-channel analysis framework proposed at Eurocrypt 2009 has been widely adopted in academia, containing key elements such as points of interest, leakage models, distinguishers, and security metrics. This classical framework, however, is not intuitively compatible with recent micro-architectural attacks such as cache attacks, therefore, few attempts have been made to link them. In this paper, we extend the classical side-channel analysis framework and migrate its ideas to access-driven cache attacks. We find that cache attacks can be effectively incorporated into this framework. Specifically, we propose a leakage model called cache access pattern vector according to the cache timing leakage characteristics. Furthermore, we propose data preprocessing schemes such as noise reduction, dimensionality reduction, and vector expansion to implement efficient attacks. Subsequently, we proposed seven distinguishers in three categories: difference of means-based analysis, vector distance-based analysis, and mutual information-based analysis. Moreover, we attacked the last round of the AES fast software implementation algorithm based on the Chipyard platform. According to the experimental results, all proposed methods can successfully extract the key, and five of them are comparable to mainstream cache analysis in attack efficiency. Finally, we evaluate the five efficient distinguishers under three different cache micro-architectures using guessing entropy. Based on the experimental environment of this paper, vector distance-based distinguishers have the best attack efficiency, and the difference of mean-based analysis has the worst. Surprisingly, the most general mutual information-based attacks can achieve excellent medium results in a few attack rounds without the help of static analysis tools. Meanwhile, the experimental results demonstrate that cache micro-architecture directly impacts the attack effect, in which the smaller cache line size benefits the attacks, while the random replacement policy increases the noise and difficulty of the attacks.

computer science, information systems

Wu Dehua,Xiao Wan’ang,Gao Shan,Gao Wanlin

DOI: https://doi.org/10.1051/matecconf/202235503054

2022-01-01

MATEC Web of Conferences

Abstract:The Spectre attacks exploit the speculative execution vulnerabilities to exfiltrate private information by building a leakage channel. Creation of a leakage channel is the basic element for spectre attacks, among which the cache-tag side channel is considered to be the most serious one. To block the leakage channels, a novel cache applies Dynamic Mapping technology, named DmCache, is presented in this paper. DmCache applies a dynamic mapping mechanism to temporarily store all the cache lines polluted by speculative execution and keep invisible when accessing. Then it monitors the head of the reorder buffer to determine which polluted cache line can become visible. In this paper, we demonstrated that Spectre attacks exerted no impact on a processor system equipped with DmCache based on the analysis of the processor’s circuit behaviour, which equipped with the DmCache and under the Spectre attack.

Jaehyuk Lee,Fan Sang,Taesoo Kim

2024-02-24

Abstract:Caches on the modern commodity CPUs have become one of the major sources of side-channel leakages and been abused as a new attack vector. To thwart the cache-based side-channel attacks, two types of countermeasures have been proposed: detection-based ones that limit the amount of microarchitectural traces an attacker can leave, and cache prefetching-and-locking techniques that claim to prevent such leakage by disallowing evictions on sensitive data. In this paper, we present the Prime+Retouch attack that completely bypasses these defense schemes by accurately inferring the cache activities with the metadata of the cache replacement policy. Prime+Retouch has three noticeable properties: 1) it incurs no eviction on the victim's data, allowing us to bypass the two known mitigation schemes, 2) it requires minimal synchronization of only one memory access to the attacker's pre-primed cache lines, and 3) it leaks data via non-shared memory, yet because underlying eviction metadata is shared. We demonstrate Prime+Retouch in two architectures: predominant Intel x86 and emerging Apple M1. We elucidate how Prime+Retouch can break the T-table implementation of AES with robust cache side-channel mitigations such as Cloak, under both normal and SGX-protected environments. We also manifest feasibility of the Prime+Retouch attack on the M1 platform imposing more restrictions where the precise measurement tools such as core clock cycle timer and performance counters are inaccessible to the attacker. Furthermore, we first demystify undisclosed cache architecture and its eviction policy of L1 data cache on Apple M1 architecture. We also devise a user-space noise-free cache monitoring tool by repurposing Intel TSX.

Cryptography and Security,Hardware Architecture

Pengfei Guo,Yingjian Yan,Junjie Wang,Jingxin Zhong,Yanjiang Liu,Jinsong Xu

DOI: https://doi.org/10.1016/j.cose.2023.103480

IF: 5.105

2023-09-13

Computers & Security

Abstract:Caches are key microarchitectural components of modern processors to improve memory access speed. However, attackers can readily implement timing side-channel attacks by exploiting the inherent time difference between cache hits and misses, which brings serious security threats to computer systems. In recent years, cache attacks have achieved fruitful consequences regarding attack techniques, targets, and platforms. At the same time, in order to measure the cache vulnerability, researchers have been looking at verifying the security policies and have proposed a variety of evaluation metrics. However, there are certain limitations in the current metrics, such as harsh assumptions, the distinguishing ability cannot be maintained all the time, the false positive and false negative noises can not be explicitly quantified, other tools are needed, and the verification environment is difficult to reproduce. To face these issues, we proposed a set of evaluation metrics, which includes the highest score (HS), minimum rounds to disclosure (MRD), and key score scissors differential (KSSD); we give the formal expressions in practice and theoretical, respectively. In order to facilitate the accurate reproduction of the experimental environment and results, we build a dual-core RISC-V bare-metal system based on the open-source framework Chipyard. On this basis, we conduct comprehensive evaluations to exploit vulnerabilities within the RISC-V cache architecture to verify the validity of the metrics suite. Furthermore, we compared the metrics with the commonly used success rate (SR) and guessing entropy (GE). The comparison results show that our proposed metrics suite can accurately depict the effects of attacks. Moreover, KSSD can maintain discrimination and converge quickly; MRD has more practical guidance; HS can specifically describe false negative noises. Finally, we perform a theoretical evaluation of AES algorithms with different T-table implementations using the proposed metrics, analyze the system's false positive and false negative noises, and suggest how the number of cache evictions can be determined under the random replacement policy.

computer science, information systems

Ahmad Moghimi,Gorka Irazoqui,Thomas Eisenbarth

DOI: https://doi.org/10.48550/arXiv.1703.06986

2017-08-21

Abstract:In modern computing environments, hardware resources are commonly shared, and parallel computation is widely used. Parallel tasks can cause privacy and security problems if proper isolation is not enforced. Intel proposed SGX to create a trusted execution environment within the processor. SGX relies on the hardware, and claims runtime protection even if the OS and other software components are malicious. However, SGX disregards side-channel attacks. We introduce a powerful cache side-channel attack that provides system adversaries a high resolution channel. Our attack tool named CacheZoom is able to virtually track all memory accesses of SGX enclaves with high spatial and temporal precision. As proof of concept, we demonstrate AES key recovery attacks on commonly used implementations including those that were believed to be resistant in previous scenarios. Our results show that SGX cannot protect critical data sensitive computations, and efficient AES key recovery is possible in a practical environment. In contrast to previous works which require hundreds of measurements, this is the first cache side-channel attack on a real system that can recover AES keys with a minimal number of measurements. We can successfully recover AES keys from T-Table based implementations with as few as ten measurements.

Cryptography and Security

Hossein Hosseinzadeh,Mihailo Isakov,Mostafa Darabi,Ahmad Patooghy,Michel A. Kinsy

DOI: https://doi.org/10.1109/MWSCAS.2017.8053051

2017-10-25

Abstract:Side channel attacks are a major class of attacks to crypto-systems. Attackers collect and analyze timing behavior, I/O data, or power consumption in these systems to undermine their effectiveness in protecting sensitive information. In this work, we propose a new cache architecture, called Janus, to enable crypto-systems to introduce randomization and uncertainty in their runtime timing behavior and power utilization profile. In the proposed cache architecture, each data block is equipped with an on-off flag to enable/disable the data block. The Janus architecture has two special instructions in its instruction set to support the on-off flag. Beside the analytical evaluation of the proposed cache architecture, we deploy it in an ARM-7 processor core to study its feasibility and practicality. Results show a significant variation in the timing behavior across all the benchmarks. The new secure processor architecture has minimal hardware overhead and significant improvement in protecting against power analysis and timing behavior attacks.

Cryptography and Security

Mahya Morid Ahmadi,Faiq Khalid,Muhammad Shafique

DOI: https://doi.org/10.48550/arXiv.2106.08877

2021-06-16

Abstract:Side-channel attacks on microprocessors, like the RISC-V, exhibit security vulnerabilities that lead to several design challenges. Hence, it is imperative to study and analyze these security vulnerabilities comprehensively. In this paper, we present a brief yet comprehensive study of the security vulnerabilities in modern microprocessors with respect to side-channel attacks and their respective mitigation techniques. The focus of this paper is to analyze the hardware-exploitable side-channel attack using power consumption and software-exploitable side-channel attacks to manipulate cache. Towards this, we perform an in-depth analysis of the applicability and practical implications of cache attacks on RISC-V microprocessors and their associated challenges. Finally, based on the comparative study and our analysis, we highlight some key research directions to develop robust RISC-V microprocessors that are resilient to side-channel attacks.

Cryptography and Security,Hardware Architecture

Guangyuan Hu,Ruby B. Lee

2023-06-05

Abstract:Hardware caches are essential performance optimization features in modern processors to reduce the effective memory access time. Unfortunately, they are also the prime targets for attacks on computer processors because they are high-bandwidth and reliable side or covert channels for leaking secrets. Conventional cache timing attacks typically leak secret encryption keys, while recent speculative execution attacks typically leak arbitrary illegally-obtained secrets through cache timing channels. While many hardware defenses have been proposed for each class of attacks, we show that those for conventional (non-speculative) cache timing channels do not work for all speculative execution attacks, and vice versa. We maintain that a cache is not secure unless it can defend against both of these major attack classes. We propose a new methodology and framework for covering such relatively large attack surfaces to produce a Speculative and Timing Attack Resilient (STAR) cache subsystem. We use this to design two comprehensive secure cache architectures, STAR-FARR and STAR-NEWS, that have very low performance overheads of 5.6% and 6.8%, respectively. To the best of our knowledge, these are the first secure cache designs that cover both non-speculative cache side channels and cache-based speculative execution attacks. Our methodology can be used to compose and check other secure cache designs. It can also be extended to other attack classes and hardware systems. Additionally, we also highlight the intrinsic security and performance benefits of a randomized cache like a real Fully Associative cache with Random Replacement (FARR) and a lower-latency, speculation-aware version (NEWS).

Cryptography and Security,Hardware Architecture

Stephan van Schaik,Marina Minkin,Andrew Kwong,Daniel Genkin,Yuval Yarom

DOI: https://doi.org/10.48550/arXiv.2006.13353

2020-06-24

Abstract:Recent transient-execution attacks, such as RIDL, Fallout, and ZombieLoad, demonstrated that attackers can leak information while it transits through microarchitectural buffers. Named Microarchitectural Data Sampling (MDS) by Intel, these attacks are likened to "drinking from the firehose", as the attacker has little control over what data is observed and from what origin. Unable to prevent the buffers from leaking, Intel issued countermeasures via microcode updates that overwrite the buffers when the CPU changes security domains. In this work we present CacheOut, a new microarchitectural attack that is capable of bypassing Intel's buffer overwrite countermeasures. We observe that as data is being evicted from the CPU's L1 cache, it is often transferred back to the leaky CPU buffers where it can be recovered by the attacker. CacheOut improves over previous MDS attacks by allowing the attacker to choose which data to leak from the CPU's L1 cache, as well as which part of a cache line to leak. We demonstrate that CacheOut can leak information across multiple security boundaries, including those between processes, virtual machines, user and kernel space, and from SGX enclaves.

Cryptography and Security

Sanchuan Chen,Fangfei Liu,Zeyu Mi,Yinqian Zhang,Ruby B. Lee,Haibo Chen,XiaoFeng Wang

DOI: https://doi.org/10.1145/3196494.3196501

2018-01-01

Abstract:A program's use of CPU caches may reveal its memory access pattern and thus leak sensitive information when the program performs secret-dependent memory accesses. In recent studies, it has been demonstrated that cache side-channel attacks that extract secrets by observing the victim program's cache uses can be conducted under a variety of scenarios, among which the most concerning are cross-VM attacks and those against SGX enclaves. In this paper, we propose a mechanism that leverages hardware transactional memory (HTM) to enable software programs to defend themselves against various cache side-channel attacks. We observe that when the HTM is implemented by retrofitting cache coherence protocols, as is the case of Intel's Transactional Synchronization Extensions, the cache interference that is necessary in cache side-channel attacks will inevitably terminate hardware transactions. We provide a systematic analysis of the security requirements that a software-only solution must meet to defeat cache attacks, propose a software design that leverages HTM to satisfy these requirements and devise several optimization techniques in our implementation to reduce performance impact caused by transaction aborts. The empirical evaluation suggests that the performance overhead caused by the HTM-based solution is low.