Drive-By Key-Extraction Cache Attacks from Portable Code

Genkin, Daniel; Pachmanov, Lev; Tromer, Eran; Yarom, Yuval

doi:10.1007/978-3-319-93387-0_5

Cited by 42 publications

(41 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The Prime+Probe Technique. Past cache-based attacks from web browsers [28,64] employ the Prime+Probe technique [65,68], which exploits the set-associative structure. Each round of attack consists of three steps.…”

Section: Cache Side-channel Attacksmentioning

confidence: 99%

“…Prime+Probe has been used for attacks on data [65,68] and instruction [3,4] caches, as well as for attacks on the LLC [43,59]. It has been shown practical in multiple settings, including across different virtual machines in cloud environments [40] and from mobile code [28,64].…”

Section: Cache Side-channel Attacksmentioning

confidence: 99%

“…One possible way of causing the user to browse to such an attacker-controlled site is through a phishing attack, where the attacker sends fraudulent messages, purporting to be from a benign source, that induces the victim to click on a link to a malicious web site. Alternatively, the attacker may pay an advertisement service to display a (malicious) advertisement when the user visits a third-party website [28].…”

Section: Standard Sessionmentioning

confidence: 99%

“…The Der Spiegel claims that the GCHQ successfully used this tool to attack the computers of employees at the partly-government-held Belgian telecommunications company Belgacom, and that the NSA used the same technology to target high-ranking members of the Organization of the Petroleum Exporting Countries (OPEC) at the organization's Vienna headquarters. Finally, malicious advertisements are a viable option for injecting cache sidechannel attacks to browsers [28].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality

Shusterman

Avraham

Croitoru

et al. 2020

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Website fingerprinting attacks, which use statistical analysis on network traffic to compromise user privacy, have been shown to be effective even if the traffic is sent over anonymity-preserving networks such as Tor. The classical attack model used to evaluate website fingerprinting attacks assumes an on-path adversary, who can observe all traffic traveling between the user's computer and the secure network.In this work we investigate these attacks under a different attack model, in which the adversary is capable of sending a small amount of malicious JavaScript code to the target user's computer. The malicious code mounts a cache sidechannel attack, which exploits the effects of contention on the CPU's cache, to identify other websites being browsed. The effectiveness of this attack scenario has never been systematically analyzed, especially in the open-world model which assumes that the user is visiting a mix of both sensitive and non-sensitive sites.We show that cache website fingerprinting attacks in JavaScript are highly feasible. Specifically, we use machine learning techniques to classify traces of cache activity. Unlike prior works, which try to identify cache conflicts, our work measures the overall occupancy of the lastlevel cache. We show that our approach achieves high classification accuracy in both the open-world and the closedworld models. We further show that our attack is more resistant than network-based fingerprinting to the effects of response caching, and that our techniques are resilient both to network-based defenses and to side-channel countermeasures introduced to modern browsers as a response to the Spectre attack. To protect against cache-based website fingerprinting, new defense mechanisms must be introduced to privacy-sensitive browsers and websites. We investigate one such mechanism, and show that generating artificial cache activity reduces the effectiveness of the attack and completely eliminates it when used in the Tor Browser.

show abstract

Section: Cache Side-channel Attacksmentioning

confidence: 99%

Section: Cache Side-channel Attacksmentioning

confidence: 99%

Section: Standard Sessionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality

Shusterman

Avraham

Croitoru

et al. 2020

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Both algorithms 1 and 2 are designed to compensate imprecise and noisy timing sources. Although previous work [12,43] suggests that accurate timers can be crafted even in environments that restrict access to high-precision timing sources, this engineering effort can be saved for our inference attack. We believe this adds to the practicality of our attack and shows that inference attacks are a realistic threat.…”

Section: Finding Eviction Setsmentioning

confidence: 99%

Undermining User Privacy on Mobile Devices Using AI

Gülmezoğlu

Zankl

Tol

et al. 2019

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Over the past years, literature has shown that attacks exploiting the microarchitecture of modern processors pose a serious threat to the privacy of mobile phone users. This is because applications leave distinct footprints in the processor, which can be used by malware to infer user activities. In this work, we show that these inference attacks are considerably more practical when combined with advanced AI techniques. In particular, we focus on profiling the activity in the last-level cache (LLC) of ARM processors. We employ a simple Prime+Probe based monitoring technique to obtain cache traces, which we classify with Deep Learning methods including Convolutional Neural Networks. We demonstrate our approach on an off-the-shelf Android phone by launching a successful attack from an unprivileged, zeropermission App in well under a minute. The App thereby detects running applications with an accuracy of 98% and reveals opened websites and streaming videos by monitoring the LLC for at most 6 seconds. This is possible, since Deep Learning compensates measurement disturbances stemming from the inherently noisy LLC monitoring and unfavorable cache characteristics such as random line replacement policies. In summary, our results show that thanks to advanced AI techniques, inference attacks are becoming alarmingly easy to implement and execute in practice. This once more calls for countermeasures that confine microarchitectural leakage and protect mobile phone applications, especially those valuing the privacy of their users.CNNs are a so-called Deep Learning technique. They have received broad interest in the field of supervised learning, especially for complex tasks such as image and language classification [8,28]. A typical CNN is made up of neurons, which are interconnected and grouped into layers. Each neuron computes a weighted sum of its inputs using a (non-) linear activation function. Those inputs stem from the actual inputs to the network or from previous layers. A typical CNN comprises multiple layers of neurons, as shown in Figure 1:Convolutional Layer. This layer is the core block of the CNN. It consists of learnable filters that are slid over the width and height of the input to learn any two-dimensional patterns. The activation functions in the neurons thereby extract important features from each input. For efficiency, the neurons are connected only to a local region of the input.

show abstract