Flush+Flush: A Fast and Stealthy Cache Attack

Gruss, Daniel; Maurice, Clémentine; Wagner, Klaus W.; Mangard, Stefan

doi:10.1007/978-3-319-40667-1_14

Cited by 440 publications

(400 citation statements)

References 38 publications

Supporting

Mentioning

394

Contrasting

Order By: Relevance

“…During the Prime+Probe attack, the decrease is a significantly higher and varying between 2.5 and 4.8 GBps. This is similar to what was observed by the authors in [19] though they considered cache counters and we observe memory bandwidth.…”

Section: Application Of Pokerface During the Exploitation Phase Of Prsupporting

confidence: 92%

“…With multiple lines and sets being monitored, the memory bus usage is high. This similarity in the anomalous behaviour of Prime+Probe and Flush+Reload has been observed previously [17,19].…”

Section: Listing 1 Poker Pseudocodesupporting

confidence: 88%

“…Here, we demonstrate the effectiveness of our strategy during different kinds of attacks and also during the exploitation phase. Gruss et al [19] demonstrated that Prime+Probe attack incurs a larger number of cache misses for the attacker as well as the victim when compared to Flush+Reload attack. This is because both the attacks are similar in approach.…”

Section: Application Of Pokerface During the Exploitation Phase Of Prmentioning

confidence: 99%

See 2 more Smart Citations

Keep the PokerFace on! Thwarting cache side channel attacks by memory bus monitoring and cache obfuscation

Raj

2017

J Cloud Comp

View full text Add to dashboard Cite

Cloud instances are vulnerable to cross-core, cross-VM attacks against the shared, inclusive last-level cache. Automated cache template attacks, in particular, are very powerful as the vulnerabilities do not need to be manually identified. Such attacks can be devised using both the Prime+Probe and the Flush+Reload techniques. In this paper, we present PokerFace, a novel method to identify and mitigate such attacks. This approach allows us to identify suspicious cache accesses automatically, without prior knowledge about the system or access to hardware metrics. PokerFace consists of two components, Poker and Face. Poker executes a memory bus benchmark to measure the available bus bandwidth and derive information about cache accesses and possible side channel attacks. Our experiments with cache attacks show a reduction of up to 14% in the memory bandwidth during the attack. When an attack is detected, Poker triggers Face which performs cache obfuscation. We demonstrate the effectiveness of our approach against keypress logging attacks. We also test it against generic Prime+Probe and Flush+Reload attacks and show that it is practically useful against a variety of cache timing attacks. PokerFace incurs modest overheads (< 8%) and moreover, does not require support from the cloud provider or changes to the hypervisor. Unlike previously proposed techniques, it can be implemented by cloud subscribers.

show abstract

Section: Application Of Pokerface During the Exploitation Phase Of Prsupporting

confidence: 92%

Section: Listing 1 Poker Pseudocodesupporting

confidence: 88%

Section: Application Of Pokerface During the Exploitation Phase Of Prmentioning

confidence: 99%

See 1 more Smart Citation

Keep the PokerFace on! Thwarting cache side channel attacks by memory bus monitoring and cache obfuscation

Raj

2017

J Cloud Comp

View full text Add to dashboard Cite

show abstract

“…Other detection methods were presented by Payer [41] and Herath and Fogh [42]. However, the latest development in CSCa introduced a new stealthier variant called Flush + Flush [43]. Since this method does not try to read the memory, no hit and miss events will happen; thus its existence cannot be detected using the HPC.…”

Section: Security and Communication Networkmentioning

confidence: 99%

“…The Flush + Flush method [43] is the latest variation of the Flush + Reload attack. It enhances the attack by removing the Reload stage of the spy process.…”

Section: Flush + Flushmentioning

confidence: 99%

Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization Environment

Paundu

Fall

Miyamoto

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Cache-based side channel attack (CSCa) techniques in virtualization systems are becoming more advanced, while defense methods against them are still perceived as nonpractical. The most recent CSCa variant called Flush + Flush has showed that the current detection methods can be easily bypassed. Within this work, we introduce a novel monitoring approach to detect CSCa operations inside a virtualization environment. We utilize the Kernel Virtual Machine (KVM) event data in the kernel and process this data using a machine learning technique to identify any CSCa operation in the guest Virtual Machine (VM). We evaluate our approach using Receiver Operating Characteristic (ROC) diagram of multiple attack and benign operation scenarios. Our method successfully separate the CSCa datasets from the non-CSCa datasets, on both trained and nontrained data scenarios. The successful classification also include the Flush + Flush attack scenario. We are also able to explain the classification results by extracting the set of most important features that separate both classes using their Fisher scores and show that our monitoring approach can work to detect CSCa in general. Finally, we evaluate the overhead impact of our CSCa monitoring method and show that it has a negligible computation overhead on the host and the guest VM.

show abstract

Survey on covert channels in virtual machines and cloud computing

Betz

Westhoff

Müller

2016

Trans. Emerging Tel. Tech.

View full text Add to dashboard Cite

Covert channels have been known for a long time because of their versatile forms of appearance. For nearly every technical improvement or change in technology, such channels have been (re‐)created or known methods have been adapted. For example, the introduction of hyperthreading technology has introduced new possibilities for covert communication between malicious processes because they can now share the arithmetic logical unit as well as the L1 and L2 caches, which enable establishing multiple covert channels. Even virtualization, which is known for its isolation of multiple machines, is prone to covert‐ and side‐channel attacks because of the sharing of resources. Therefore, it is not surprising that cloud computing is not immune to this kind of attacks. Moreover, cloud computing with multiple, possibly competing users or customers using the same shared resources may elevate the risk of illegitimate communication. In such a setting, the “air gap” between physical servers and networks disappears, and only the means of isolation and virtual separation serve as a barrier between adversary and victim. In the work at hand, we will provide a survey on vulnerable spots that an adversary could exploit trying to exfiltrate private data from target virtual machines through covert channels in a cloud environment. We will evaluate the feasibility of example attacks and point out proposed mitigation solutions in case they exist.

show abstract

Flush+Flush: A Fast and Stealthy Cache Attack

Cited by 440 publications

References 38 publications

Keep the PokerFace on! Thwarting cache side channel attacks by memory bus monitoring and cache obfuscation

Keep the PokerFace on! Thwarting cache side channel attacks by memory bus monitoring and cache obfuscation

Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization Environment

Survey on covert channels in virtual machines and cloud computing

Contact Info

Product

Resources

About