NetCAT: Practical Cache Attacks from the Network

Kurth, Michael; Gras, Ben; Andriesse, Dennis; Giuffrida, Cristiano; Bos, Herbert; Razavi, Kaveh

doi:10.1109/sp40000.2020.00082

Cited by 41 publications

(26 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CPU caches are probably the most popular microarchitectural components that can be abused for side or covert channels [35,37,69,101]. As CPU caches are shared among different threads and even across CPU cores, adversaries can abuse them in a wide range of attack scenarios [36,53,57,60,64,68].…”

Section: Side-and Covert Channelsmentioning

confidence: 99%

Osiris: Automated Discovery of Microarchitectural Side Channels

Weber,

Ibrahim,

Nemati

et al. 2021

Preprint

View full text Add to dashboard Cite

In the last years, a series of side channels have been discovered on CPUs. These side channels have been used in powerful attacks, e.g., on cryptographic implementations, or as building blocks in transient-execution attacks such as Spectre or Meltdown. However, in many cases, discovering side channels is still a tedious manual process.In this paper, we present Osiris, a fuzzing-based framework to automatically discover microarchitectural side channels. Based on a machine-readable specification of a CPU's ISA, Osiris generates instruction-sequence triples and automatically tests whether they form a timing-based side channel. Furthermore, Osiris evaluates their usability as a side channel in transient-execution attacks, i.e., as the microarchitectural encoding for attacks like Spectre. In total, we discover four novel timing-based side channels on Intel and AMD CPUs. Based on these side channels, we demonstrate exploitation in three case studies. We show that our microarchitectural KASLR break using non-temporal loads, FlushConflict, even works on the new Intel Ice Lake and Comet Lake microarchitectures. We present a cross-core cross-VM covert channel that is not relying on the memory subsystem and transmits up to 1 kbit/s. We demonstrate this channel on the AWS cloud, showing that it is stealthy and noise resistant. Finally, we demonstrate Stream+Reload, a covert channel for transientexecution attacks that, on average, allows leaking 7.83 bytes within a transient window, improving state-of-the-art attacks that only leak up to 3 bytes.

show abstract

Section: Side-and Covert Channelsmentioning

confidence: 99%

Osiris: Automated Discovery of Microarchitectural Side Channels

Weber,

Ibrahim,

Nemati

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Similarly, with DDIO, a NIC can directly read data from the LLC; if the data is not present, the NIC will read it from the memory instead, but not allocate it in the LLC. DDIO cuts the packet processing latency by removing the memory trip time [57]. Also, with DDIO, the memory bandwidth consumption of the network packet processing can be significantly reduced [2].…”

Section: Data Direct I/o Technologymentioning

confidence: 99%

IOCA: High-Speed I/O-Aware LLC Management for Network-Centric Multi-Tenant Platform

Yang¹,

Alian²,

Wang³

et al. 2020

Preprint

View full text Add to dashboard Cite

In modern server CPUs, last-level cache (LLC) is a critical hardware resource that exerts significant influence on the performance of the workloads, and how to manage LLC is a key to the performance isolation and QoS in the cloud with multi-tenancy. In this paper, we argue that besides CPU cores, high-speed network I/O is also important for LLC management. This is because of an Intel architectural innovation -Data Direct I/O (DDIO) -that directly injects the inbound I/O traffic to (part of) the LLC instead of the main memory. We summarize two problems caused by DDIO and show that (1) the default DDIO configuration may not always achieve optimal performance, (2) DDIO can decrease the performance of non-I/O workloads which share LLC with it by as high as 32%.We then present IOCA, the first LLC management mechanism for network-centric platforms that treats the I/O as the first-class citizen. IOCA monitors and analyzes the performance of the cores, LLC, and DDIO using CPU's hardware performance counters, and adaptively adjusts the number of LLC ways for DDIO or the tenants that demand more LLC capacity. In addition, IOCA dynamically chooses the tenants that share its LLC resource with DDIO, to minimize the performance interference by both the tenants and the I/O. Our experiments with multiple microbenchmarks and real-world applications in two major end-host network models demonstrate that IOCA can effectively reduce the performance degradation caused by DDIO, with minimal overhead.

show abstract

“…This would reduce the attack surface for a P+P attack as only parts of a cache set can be primed. However, attacks against other peripherals, where access to a limited number of cache ways per set is sufficient, are still possible as recent results show [39].…”

Section: A Cache Attacks From Fpga Pac To Cpumentioning

confidence: 99%

JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms

Weissman¹,

Tiemann²,

Moghimi³

et al. 2019

Preprint

View full text Add to dashboard Cite

After years of development, FPGAs are finally making an appearance on multi-tenant cloud servers. These heterogeneous FPGA-CPU architectures break common assumptions about isolation and security boundaries. Since the FPGA and CPU architectures share hardware resources, a new class of vulnerabilities requires us to reassess the security and dependability of these platforms.In this work, we analyze the memory and cache subsystem and study Rowhammer and cache attacks enabled on two proposed heterogeneous FPGA-CPU platforms by Intel: the Arria 10 GX with an integrated FPGA-CPU platform, and the Arria 10 GX PAC expansion card which connects the FPGA to the CPU via the PCIe interface. We show that while Intel PACs currently are immune to cache attacks from FPGA to CPU, the integrated platform is indeed vulnerable to Prime and Probe style attacks from the FPGA to the CPU's last level cache. Further, we demonstrate JackHammer, a novel and efficient Rowhammer from the FPGA to the host's main memory. Our results indicate that a malicious FPGA can perform twice as fast as a typical Rowhammer attack from the CPU on the same system and causes around four times as many bit flips as the CPU attack. We demonstrate the efficacy of JackHammer from the FPGA through a realistic fault attack on the WolfSSL RSA signing implementation that reliably causes a fault after an average of fifty-eight RSA signatures, 25% faster than a CPU rowhammer attack. In some scenarios our JackHammer attack produces faulty signatures more than three times more often and almost three times faster than a conventional CPU rowhammer attack.

show abstract

NetCAT: Practical Cache Attacks from the Network

Cited by 41 publications

References 47 publications

Osiris: Automated Discovery of Microarchitectural Side Channels

Osiris: Automated Discovery of Microarchitectural Side Channels

IOCA: High-Speed I/O-Aware LLC Management for Network-Centric Multi-Tenant Platform

JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms

Contact Info

Product

Resources

About