Xingjian Zhang,Ziqi Yuan,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/seed51797.2021.00014

2021-01-01

Abstract:Cache side-channel attacks can leak critical information from the target programs. The cache randomization methodology has proven to be an efficient way to mitigate such attacks. However, existing works do not take the cache hierarchy into consideration, failing to address the issue that different levels of caches have different performance and security requirements. In this work, we propose and implement a hybrid randomization scheme, named H(2)Cache, to mitigate cache side-channel attacks. H(2)Cache leverages two randomization approaches and applies them to different levels of caches. It strengthens the security of cache modules, while satisfying the performance and resource utilization requirements. Specifically, we design a table-based randomization method for the L1 cache, which uses a hashed virtual index to look up the actual cache set index. The L2 cache in H(2)Cache takes a computation-based randomization function to calculate the cache set index. We have implemented a prototype of H(2)Cache and extensively evaluated it using a self-designed RISC-V processor on the FPGA platform. We demonstrate the security of H(2)Cache through simulated attack programs and quantitative analysis. Meanwhile, the evaluation results of performance and resource utilization have shown its efficacy.

Wei Song,Zihan Xue,Jinchi Han,Zhenzhen Li,Peng Liu

DOI: https://doi.org/10.1109/tc.2024.3349659

IF: 3.183

2024-03-15

IEEE Transactions on Computers

Abstract:Conflict-based cache side-channel attacks against the last-level cache (LLC) is a widely exploited method for information leaking. Cache randomization has recently been accepted as a promising defense. Most of recent designs randomize skewed caches rather than classic set-associative caches; however, skewed caches incur substantial performance overhead both in area and runtime. We cautiously argue that randomized set-associative caches can be sufficiently strengthened and possess a better chance to be adopted in the near future. For the first time, a dynamically randomized set-associative cache has been implemented in the LLC of a Linux capable multicore processor. A single-cycle hash logic is designed for randomizing the cache set indices. A multi-step relocation scheme is used to reduce the cost in remapping the cache layout. The randomized cache layout is remapped periodically for limiting the time window available to attackers. An attack detector is implemented to catch attacks in action and consequently trigger extra remaps. The evaluation results show that the randomized LLC has been sufficiently strengthened to thwart all existing fast algorithms for searching eviction sets with only marginal runtime overhead, and small area and power overhead.

engineering, electrical & electronic,computer science, hardware & architecture

Mengming Li,Kai Bu,Chenlu Miao,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2024.3354991

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cache side-channel attacks remain a stubborn source of cross-core secret leakage. Such attacks exploit the timing difference between cache hits and misses. Most defenses thus choose to prevent cache evictions. Given that two possible types of evictions—flush-based and conflict-based—use different architectural features, these defenses have to integrate hybrid defense strategies, incur OS modification, and sacrifice performance to completely throttle cache side-channel attacks. In this paper, we present TreasureCache against cache side-channel attacks without modifying OS or sacrificing performance. Instead of preventing cache evictions with various costs, we advocate to allow cache evictions as is and hide exploitable evictions in our specialized small eviction-hidden buffer. The buffer guarantees a fast hit time comparative to LLC hits. This instantly closes the timing gap between accessing exploitable blocks when they are in and out of the LLC. Moreover, with the help of our buffer, we no longer have to disable flush instructions or shared memory. A lightweight constant-time flush instruction can help TreasureCache to prevent both flush-based and conflict-based side-channel attacks. We validate TreasureCache security and performance through extensive experiments. With a hardware overhead of less than 0.5%, TreasureCache reduces the secret-leakage resolution by about 1,000 times without introducing any performance slowdown.

Ziqiao Zhou,Michael K. Reiter,Yinqian Zhang

DOI: https://doi.org/10.48550/arXiv.1603.05615

2016-03-18

Abstract:We present a software approach to mitigate access-driven side-channel attacks that leverage last-level caches (LLCs) shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memory pages shared between security domains to disable sharing of LLC lines, thus preventing "Flush-Reload" side channels via LLCs. It also manages cacheability of memory pages to thwart cross-tenant "Prime-Probe" attacks in LLCs. We have implemented our approach as a memory management subsystem called CacheBar within the Linux kernel to intervene on such side channels across container boundaries, as containers are a common method for enforcing tenant isolation in Platform-as-a-Service (PaaS) clouds. Through formal verification, principled analysis, and empirical evaluation, we show that CacheBar achieves strong security with small performance overheads for PaaS workloads.

Cryptography and Security

Qinhan Tan,Zhihua Zeng,Kai Bu,Kui Ren

DOI: https://doi.org/10.14722/ndss.2020.24086

2020-01-01

Abstract:Cache conflicts due to deterministic memory-to-cache mapping have long been exploited to leak sensitive information such as secret keys. While randomized mapping is fully investigated for L1 caches, it still remains unresolved about how to secure a much larger last-level cache (LLC). Recent solutions periodically change the mapping strategy to disrupt the crafting of conflicted addresses, which is a critical attack procedure to exploit cache conflicts. Remapping, however, increases both miss rate and access latency. We present PhantomCache for securing an LLC with remapping-free randomized mapping. We propose a localized randomization technique to bound randomized mapping of a memory address within only a limited number of cache sets. The small randomization space offers fast set search over an LLC in a memory access. The intrinsic randomness still suffices to obfuscate conflicts and disrupt efficient exploitation of conflicted addresses. We evaluate PhantomCache against an attacker exploring the state-of-the-art attack with linear-complexity. To secure an 8-bank 16 MB 16-way LLC, PhantomCache confines randomization space of an address within 8 sets and brings only 1.20% performance degradation on individual benchmarks, 0.50% performance degradation on mixed workloads, and 0.50% storage overhead per cache line, which are 2x and 9x more efficient than the state-of-the-art solutions. Moreover, PhantomCache is solely an architectural solution and requires no software change.

Kai Wang,Fengkai Yuan,Lutan Zhao,Rui Hou,Zhenzhou Ji,Dan Meng

DOI: https://doi.org/10.1109/tvlsi.2020.3041451

2021-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Continuous Attacks are common cross-core cache side-channel attack scenarios that we observed, where adversaries frequently probe-target cache lines in a short time. Under Continuous Attacks, the attacked lines go through multiple load-evict processes between different cache (or memory) hierarchies, exhibiting Ping-Pong patterns. Identifying and obscuring these abnormal patterns effectively interfere with the attacker’s probe and mitigate such attacks. Our recent proposal, Ping-Pong regulator (PPR), captures multiple Ping-Pong patterns by counting the reaccesses per cache line and blocks them with different obscuring actions (preload or lock). Although PPR mitigates Continuous Attacks, the added regulator directory (RDir) is vulnerable because it cannot record all cache lines simultaneously. Sophisticated attackers can evict the records of the attacked line from the RDir to avoid triggering defensive actions, thereby bypassing PPR. To improve robustness, we further propose PPR+, which dynamically changes the mapping of physical addresses to RDir locations by encryption and periodically changing keys. This randomness makes it difficult for attackers to evict target entries out of the RDir within a limited time. We show that PPR+ tolerates more than 100 years of attacks, induces negligible performance impacts (improves 0.13%), requires acceptable storage overhead (3.15%), and does not need any software support.

Wenjing Cai,Ziyuan Zhu,Yuxin Liu,Yusha Zhang,Xu Cheng

DOI: https://doi.org/10.1109/CSCWD57460.2023.10152573

2023-01-01

Abstract:Intel Software Guard Extensions (SGX) protect sensitive content of applications on the cloud platform by creating an isolated environment on an untrusted operating system. However, resent works have shown that the SGX is vulnerable to a variety of side channel attacks which could be severely damage the data confidentiality provided by SGX, such as the cache side channel attack. Unfortunately, existing defense mechanisms either provide an incomplete protection or incur too much performance costs. In this paper, we propose a defense countermeasure against cache side channel attacks for SGX by detecting abnormal each level cache use behaviors. We create auxiliary threads for each enclave thread and detect when asynchronous enclave exits (AEX) occur, which defeats the condition of L1/L2 cache side channel attacks that attacker and victim threads execute in the same physical core. We put some guard data to the cache lines and inspect access time, which detects last level cache eviction set behaviors. More importantly, we utilize optimizations to reduce the performance overhead caused by AEX detection. In comparison to existing approaches, our design is secure against any cache level side channel attacks and its performance loss increases less.

Marjan Rahbari,Hamed Farbeh

DOI: https://doi.org/10.1109/tmag.2022.3175269

IF: 1.848

2022-07-01

IEEE Transactions on Magnetics

Abstract:Driven by the trends of emerging technologies in on-chip memories, with increasing the size of last-level caches (LLCs), spin-transfer torque magnetic random access memories (STT-MRAMs) are the most promising alternative technology among the non-volatile memories (NVMs) to replace SRAMs. Despite their high density, scalability, and near-zero leakage power, the reliability of STT-MRAM LLCs is threatened by a high error rate due to their stochastic switching behavior. The error rate is highly influenced by the cache management, which necessitates redesigning the cache replacement policy based on the error behavior. In this article, we propose an error-aware cache replacement policy, namely, conditional replacement policy (CRP), to improve the reliability of STT-MRAM caches by decreasing the rate of both read disturbance and write failure. This is ascertained by nominating an appropriate data block in the cache to be replaced with an incoming data block, considering the minimum error rate. Moreover, the performance and latency of both write and read operations are considered. The simulation results show that compared with the state-of-the-art replacement policy in STT-MRAM caches, CRP reduces the total error rate by 68%. In addition, the proposed policy enhances the performance by 2% and saves energy consumption by 19%, on average. Meanwhile, the total number of writes is decreased by 41% compared with the previous scheme.

Gangyong Jia,Guangjie Han,Hao Wang,Feng Wang

DOI: https://doi.org/10.1080/17517575.2017.1295321

2017-01-01

Enterprise Information Systems

Abstract:Fog computing requires a large main memory capacity to decrease latency and increase the Quality of Service (QoS). However, dynamic random access memory (DRAM), the commonly used random access memory, cannot be included into a fog computing system due to its high consumption of power. In recent years, non-volatile memories (NVM) such as Phase-Change Memory (PCM) and Spin-transfer torque RAM (STT-RAM) with their low power consumption have emerged to replace DRAM. Moreover, the currently proposed hybrid main memory, consisting of both DRAM and NVM, have shown promising advantages in terms of scalability and power consumption. However, the drawbacks of NVM, such as long read/write latency give rise to potential problems leading to asymmetric cache misses in the hybrid main memory. Current last level cache (LLC) policies are based on the unified miss cost, and result in poor performance in LLC and add to the cost of using NVM. In order to minimize the cache miss cost in the hybrid main memory, we propose a cost aware cache replacement policy (CACRP) that reduces the number of cache misses from NVM and improves the cache performance for a hybrid memory system. Experimental results show that our CACRP behaves better in LLC performance, improving performance up to 43.6% (15.5% on average) compared to LRU.

Chenlu Miao,Kai Bu,Mengming Li,Shaowu Mao,Jianwei Jia

DOI: https://doi.org/10.1109/micro56248.2022.00052

2022-01-01

Abstract:Cache coherence states have recently been exploited to leak secrets through timing-channel attacks. The root cause lies in the fact that shared data in state Exclusive (E) and state Shared (S) are served from different cache layers. The state-of-the-art countermeasure—S-MESI—serves both E- and S-state shared data from the last-level cache (LLC) by explicitly synchronizing the Modified (M) state across private caches and the LLC. This has to sacrifice the silent upgrade feature that MESI introduces for speedup. Moreover, it enforces protection to not only exploitable shared data but also unshared data. This further slows down performance, especially for write-after-read intensive applications. In this paper, we propose SwiftDir to efficiently secure cache coherence against cover-channel attacks without overprotection. SwiftDir fundamentally narrows down the protection scope to write-protected data. Such exploitable shared data can be uniquely identified with the write-protection permission in the memory management unit (MMU) and do not necessarily transit to state M. We validate this idea through tracing system calls of shared libraries on Linux. We then investigate all three commercial cache architectures (i.e., PIPT, VIPT, and VIVT) and find it feasible to hitchhike the address translation process to transmit the write-protection information from the MMU to the coherence controller. Then SwiftDir enforces protection over only write-protected data by serving all requests toward them directly from the LLC with a constant latency. This not only simplifies how MESI handles write-protected data but also avoids how S-MESI overprotects them. Meanwhile, SwiftDir still preserves silent upgrade for efficient handling of unshared data. Extensive experiments demonstrate that our SwiftDir can secure cache coherence while outperforming not only secure SMESI but also unprotected MESI.

Xiao Liu,Mark Zwolinski,Basel Halak

2024-05-30

Abstract:Many cache designs have been proposed to guard against contention-based side-channel attacks. One well-known type of cache is the randomized remapping cache. Many randomized remapping caches provide fixed or over protection, which leads to permanent performance degradation, or they provide flexible protection, but sacrifice performance against strong contention-based attacks. To improve the secure cache design, we extend an existing secure cache design, CEASER-SH cache, and propose the SEA cache. The novel cache configurations in both caches are logical associativity, which allows the cache line to be placed not only in its mapped cache set but also in the subsequent cache sets. SEA cache allows each user or each process to have a different local logical associativity. Hence, only those users or processes that request extra protection against contention-based attacks are protected with high logical associativity. Other users or processes can access the cache with lower latency and higher performance. Compared to a CEASER-SH cache with logical associativity of 8, an SEA cache with logical associativity of 1 for normal protection users and 16 for high protection users has a Cycles Per Instruction penalty that is about 0.6% less for users under normal protections and provides better security against contention-based attacks. Based on a 45nm technology library, and compared to a conventional cache, we estimate the power overhead is about 20% and the area overhead is 3.4%.

Cryptography and Security,Hardware Architecture

P K Jawahar,Felipe L. Madruga,Henrique C. Freitas,Philippe O. A. Navaux,Yingying Tiyan,Samira M. Khan,Daniel A. Jimenez,Carole-Jean Wu,Aamer Jaleel,Will Hasenplaugh,Margaret Martonosi,Simon C. Steely,Viacheslav V. Fedorov,Sheng Qiu,A. L. Narasimha Reddy

2015-01-01

Abstract:Poor cache memory management can have adverse impact on the overall system performance. In a Chip Multi-Core (CMP) scenario, this effect can be enhanced as every core has a private cache apart from a larger shared cache. Replacement policy plays a key role in managing cache data. So it needs to be extremely efficient in order to extract the maximum potential of the cache memory. Over the years versatile set of replacement policies have been proposed and implemented and few of them (LRU, MRU etc) have proven to work well compared to others. However recent works have shown that few counter based replacement strategies have marginally outperformed LRU for certain workloads as LRU does not dynamically adapt to changing workload patterns. This work explores three counter based replacement techniques namely Context-Based Data Pattern Exploitation (CB-DPET), Logical Cache Partitioning Technique (LCP) and Sharing and Hit-Based Prioritizing Technique (SHP). Evaluation is carried out on 4 core and 8 core platforms (apart from 2 core platform which was already done as part of previous works) using PARSEC benchmarks and various performance metrics like throughput speedup, hit rate etc are captured and compared with that of LRU. All the three methods have produced better results on the performance metrics when compared to LRU.

Xingjian Zhang,Haochen Gong,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tifs.2024.3368862

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Conflict-based cache attacks can leak critical information from target programs. Accordingly, randomization-based cache designs have emerged as an efficient and LLC-favorable way to mitigate such attacks. However, later investigations have revealed several problems with these designs. Specifically, we identify limited randomness and coarse-grained protection as key issues of previous designs. To solve these issues, we propose Recast, a secure cache design with address-sensitive secret generation and tweakable index randomization. Our insight is that cache modules at different levels can work collaboratively to enhance their security. Address-sensitive secret generation in private caches generates a secret value for each address upon cache misses. The shared cache in Recast uses tweakable index randomization, where the cryptographic function uses the secret value from private caches as the input to calculate the cache set index. Therefore, Recast achieves fine-grained dynamic mapping. We implement Recast in the gem5 simulator. We use a micro-benchmark and a benchmark suite to showcase the security of Recast. Our performance evaluations on SPEC 2017 and PARSEC benchmarks show that Recast incurs 2.29% and 2.03% performance overhead. Moreover, Recast with the LRU replacement policy has only 0.51% and 1.04% performance overhead on the two benchmarks. Therefore, Recast provides higher security guarantees with minimal performance overhead.

computer science, theory & methods,engineering, electrical & electronic

Guangyuan Hu,Ruby B. Lee

2023-06-05

Abstract:Hardware caches are essential performance optimization features in modern processors to reduce the effective memory access time. Unfortunately, they are also the prime targets for attacks on computer processors because they are high-bandwidth and reliable side or covert channels for leaking secrets. Conventional cache timing attacks typically leak secret encryption keys, while recent speculative execution attacks typically leak arbitrary illegally-obtained secrets through cache timing channels. While many hardware defenses have been proposed for each class of attacks, we show that those for conventional (non-speculative) cache timing channels do not work for all speculative execution attacks, and vice versa. We maintain that a cache is not secure unless it can defend against both of these major attack classes. We propose a new methodology and framework for covering such relatively large attack surfaces to produce a Speculative and Timing Attack Resilient (STAR) cache subsystem. We use this to design two comprehensive secure cache architectures, STAR-FARR and STAR-NEWS, that have very low performance overheads of 5.6% and 6.8%, respectively. To the best of our knowledge, these are the first secure cache designs that cover both non-speculative cache side channels and cache-based speculative execution attacks. Our methodology can be used to compose and check other secure cache designs. It can also be extended to other attack classes and hardware systems. Additionally, we also highlight the intrinsic security and performance benefits of a randomized cache like a real Fully Associative cache with Random Replacement (FARR) and a lower-latency, speculation-aware version (NEWS).

Cryptography and Security,Hardware Architecture

Ghada Dessouky,Tommaso Frassetto,Ahmad-Reza Sadeghi

DOI: https://doi.org/10.48550/arXiv.1909.09599

2019-09-21

Abstract:Modern multi-core processors share cache resources for maximum cache utilization and performance gains. However, this leaves the cache vulnerable to side-channel attacks, where timing differences in shared cache behavior are exploited to infer information on the victim's execution patterns, ultimately leaking private information. The root cause for these attacks is mutually distrusting processes sharing cache entries and accessing them in a deterministic manner. Various defenses against cache side-channel attacks have been proposed. However, they either degrade performance significantly, impose impractical restrictions, or can only defeat certain classes of these attacks. More importantly, they assume that side-channel-resilient caches are required for the entire execution workload and do not allow to selectively enable the mitigation only for the security-critical portion of the workload. We present a generic mechanism for a flexible and soft partitioning of set-associative caches and propose a hybrid cache architecture, called HybCache. HybCache can be configured to selectively apply side-channel-resilient cache behavior only for isolated execution domains, while providing the non-isolated execution with conventional cache behavior, capacity and performance. An isolation domain can include one or more processes, specific portions of code, or a Trusted Execution Environment. We show that, with minimal hardware modifications and kernel support, HybCache can provide side-channel-resilient cache only for isolated execution with a performance overhead of 3.5-5%, while incurring no performance overhead for the remaining execution workload. We provide a simulator-based and hardware implementation of HybCache to evaluate the performance and area overheads, and show how it mitigates typical access-based and contention-based cache attacks.

Cryptography and Security

Yuxia Cheng,Yang Xiang,Wenzhi Chen,Houcine Hassan,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1016/j.future.2017.09.044

2018-01-01

Abstract:Multi-level buffer cache hierarchies are now commonly seen in most client/server cluster configurations, especially in today's big data application deployment. However, multi-level caching policies deployed so far typically use independent cache replacement algorithms in each level, which has two major drawbacks: (1) File blocks may be redundantly cached on multiple levels, reducing the actual aggregate cache usable size; (2) Less accurate replacement decisions at lower level caches due to weakened locality. Inefficient cache resource usage may result in noticeable performance degradation for big data applications. To address these problems, we propose new adaptive multi-level exclusive caching policies that can dynamically adjust replacement and placement decisions in response to changing access patterns. (1) First, to capture locality information in multi-level cache hierarchies, we propose a Reuse Distance based Adaptive Replacement Caching (ReDARC) algorithm that adopts reuse distance as the means of locality measure and adaptively balances between the Small Reuse Distance (SRD) set and Large Reuse Distance (LRD) set. (2) Second, to achieve exclusive caching and make global caching decisions, we propose an Adaptive Level-Aware Caching Algorithm (ALACA) that works collaboratively with ReDARC. The ALACA algorithm uses an adaptive probabilistic PUSH technique that allows lower caches to push blocks to higher caches and appropriately decide blocks' caching locations with the ReDARC algorithm. In this way, we achieve multi-level exclusive caching with significant cache performance improvement. Our trace-driven simulation experiments show that the policies we proposed achieve a reduction of the client average response time of 8 percent to 56 percent over other multi-level cache schemes. (C) 2017 Elsevier B.V. All rights reserved.

Sanchuan Chen,Fangfei Liu,Zeyu Mi,Yinqian Zhang,Ruby B. Lee,Haibo Chen,XiaoFeng Wang

DOI: https://doi.org/10.1145/3196494.3196501

2018-01-01

Abstract:A program's use of CPU caches may reveal its memory access pattern and thus leak sensitive information when the program performs secret-dependent memory accesses. In recent studies, it has been demonstrated that cache side-channel attacks that extract secrets by observing the victim program's cache uses can be conducted under a variety of scenarios, among which the most concerning are cross-VM attacks and those against SGX enclaves. In this paper, we propose a mechanism that leverages hardware transactional memory (HTM) to enable software programs to defend themselves against various cache side-channel attacks. We observe that when the HTM is implemented by retrofitting cache coherence protocols, as is the case of Intel's Transactional Synchronization Extensions, the cache interference that is necessary in cache side-channel attacks will inevitably terminate hardware transactions. We provide a systematic analysis of the security requirements that a software-only solution must meet to defeat cache attacks, propose a software design that leverages HTM to satisfy these requirements and devise several optimization techniques in our implementation to reduce performance impact caused by transaction aborts. The empirical evaluation suggests that the performance overhead caused by the HTM-based solution is low.

Quancheng Wang,Xige Zhang,Han Wang,Yuzhe Gu,Ming Tang

2024-06-12

Abstract:Caches are used to reduce the speed differential between the CPU and memory to improve the performance of modern processors. However, attackers can use contention-based cache timing attacks to steal sensitive information from victim processes through carefully designed cache eviction sets. And L1 data cache attacks are widely exploited and pose a significant privacy and confidentiality threat. Existing hardware-based countermeasures mainly focus on cache partitioning, randomization, and cache line flushing, which unfortunately either incur high overhead or can be circumvented by sophisticated attacks. In this paper, we propose a novel hardware-software co-design called BackCache with the idea of always achieving cache hits instead of cache misses to mitigate contention-based cache timing attacks on the L1 data cache. BackCache places the evicted cache lines from the L1 data cache into a fully-associative backup cache to hide the evictions. To improve the security of BackCache, we introduce a randomly used replacement policy (RURP) and a dynamic backup cache resizing mechanism. We also present a theoretical security analysis to demonstrate the effectiveness of BackCache. Our evaluation on the gem5 simulator shows that BackCache can degrade the performance by 2.61%, 2.66%, and 3.36% For OS kernel, single-thread, and multi-thread benchmarks.

Cryptography and Security,Hardware Architecture

Junpeng Wan,Yanxiang Bi,Zhe Zhou,Zhou Li

DOI: https://doi.org/10.1109/sp46214.2022.9833794

2022-01-01

Abstract:Cache side-channel attacks lead to severe security threats to the settings where a CPU is shared across users, e.g., in the cloud. The majority of attacks rely on sensing the micro-architectural state changes made by victims, but this assumption can be invalidated by combining spatial (e.g., Intel CAT) and temporal isolation. In this work, we advance the state of cache side-channel attacks by showing stateless cache side-channel attacks on server-grade CPUs, that can bypass both spatial and temporal isolation. Unlike stateful cache side-channel attacks that rely on the timing difference between a cache hit or miss, our attack exploits the timing difference caused by the interconnect congestion. Specifically, to complete cache transactions, for Intel server CPUs, which use non-inclusive and mesh interconnect, cache lines would travel across cores via the CPU mesh and UPI interconnects. Nonetheless, the interconnects are shared by all cores, and cache isolation does not segregate the traffic. An attacker can generate traffic to contend with a victim on a link, measure the extra delay, deduce the memory access pattern of the victim’s program, and infer its sensitive data. Based on this idea, we implement MESHUP, a stateless cache side-channel against mesh interconnect, and test it against the existing RSA implementations of JDK for the cross-core attack and application fingerprinting for the the cross-CPU attack. We found the RSA private key used by a victim process can be partially recovered and the co-running application can be inferred at high accuracy.

Min Feng,Chen Tian,Changhui Lin,Rajiv Gupta

DOI: https://doi.org/10.1145/2019608.2019613

IF: 1.444

2011-01-01

ACM Transactions on Architecture and Code Optimization

Abstract:In this article, we propose a new cache replacement policy that makes the replacement decision based on the reuse information of the cache lines and the requested data. We present the architectural support and evaluate the performance of our approach using SPEC benchmarks. We also develop two reuse information predictors: a profile-based static predictor and a runtime predictor. The applicability of each predictor is discussed in this paper. We further extend our reuse information predictors so that the cache can adaptively choose between the reuse information based replacement policy and an approximation of LRU policy. According to the experimental results, our adaptive reuse information based replacement policy performs either better than or close to the LRU policy. Our experiments show that L2 cache misses are reduced by 12.32% and 19.95% using the profiling-based static and runtime adaptive predictors respectively.