Random Fill Cache Architecture

Liu, Fangfei; Lee, Ruby B.

doi:10.1109/micro.2014.28

Cited by 184 publications

(113 citation statements)

References 23 publications

Supporting

Mentioning

103

Contrasting

Order By: Relevance

“…At the hardware level, several solutions have been proposed to prevent cache attacks, either by removing cache interferences, or randomizing them. The solutions include new secure cache designs [23,41,42] or altering the prefetcher policy [8]. However, hardware changes are not applicable to commodity systems.…”

Section: Countermeasuresmentioning

confidence: 99%

Flush+Flush: A Fast and Stealthy Cache Attack

Gruss

Maurice

Wagner

et al. 2016

Lecture Notes in Computer Science

439

371

View full text Add to dashboard Cite

Abstract. Research on cache attacks has shown that CPU caches leak significant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection. In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the flush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache flushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6.7 times faster than any previously published cache covert channel.

show abstract

Section: Countermeasuresmentioning

confidence: 99%

Flush+Flush: A Fast and Stealthy Cache Attack

Gruss

Maurice

Wagner

et al. 2016

Lecture Notes in Computer Science

439

371

View full text Add to dashboard Cite

show abstract

“…Existing countermeasures to side-channel attacks can be categorized into three classes: hardware solutions, system solutions, and application solutions. Hardware solutions [12,15,47,49,78,79] require modification of the processors, which are typically effective, but are limited in that the time window required to have major processor vendors to incorporate them in commercial hardware is very long. System solutions only modify system software [40,46,75,89], but as they require trusted system software, they cannot be directly applied to SGX enclaves.…”

Section: Related Workmentioning

confidence: 99%

SgxPectre: Stealing Intel Secrets From SGX Enclaves via Speculative Execution

Chen

Xiao

et al. 2020

IEEE Secur. Privacy

116

159

View full text Add to dashboard Cite

This paper presents SgxPectre Attacks that exploit the recently disclosed CPU bugs to subvert the confidentiality and integrity of SGX enclaves. Particularly, we show that when branch prediction of the enclave code can be influenced by programs outside the enclave, the control flow of the enclave program can be temporarily altered to execute instructions that lead to observable cache-state changes. An adversary observing such changes can learn secrets inside the enclave memory or its internal registers, thus completely defeating the confidentiality guarantee offered by SGX. To demonstrate the practicality of our SgxPectre Attacks, we have systematically explored the possible attack vectors of branch target injection, approaches to win the race condition during enclave's speculative execution, and techniques to automatically search for code patterns required for launching the attacks. Our study suggests that any enclave program could be vulnerable to SgxPectre Attacks since the desired code patterns are available in most SGX runtimes (e.g., Intel SGX SDK, Rust-SGX, and Graphene-SGX). Most importantly, we have applied SgxPectre Attacks to steal seal keys and attestation keys from Intel signed quoting enclaves. The seal key can be used to decrypt sealed storage outside the enclaves and forge valid sealed data; the attestation key can be used to forge attestation signatures. For these reasons, SgxPectre Attacks practically defeat SGX's security protection. This paper also systematically evaluates Intel's existing countermeasures against SgxPectre Attacks and discusses the security implications.

show abstract

“…By focusing on cache occupancy rather than on activity within specific cache sets, our attack avoids the need for high resolution timers required by prior cache-based attacks. Furthermore, because our technique does not depend on the layout of the cache, it can overcome proposed countermeasures that randomize the cache layout [58,70,91].…”

Section: Our Contributionmentioning

confidence: 99%

“…Cache randomization techniques [58,70,91] dissociate victim and adversary cache sets, and prevent the adversary from monitoring victim access to specific addresses. However, our attack measures the overall cache activity rather than looking at specific victim accesses.…”

Section: Other Countermeasuresmentioning

confidence: 99%

Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality

Shusterman

Avraham

Croitoru

et al. 2020

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Website fingerprinting attacks, which use statistical analysis on network traffic to compromise user privacy, have been shown to be effective even if the traffic is sent over anonymity-preserving networks such as Tor. The classical attack model used to evaluate website fingerprinting attacks assumes an on-path adversary, who can observe all traffic traveling between the user's computer and the secure network.In this work we investigate these attacks under a different attack model, in which the adversary is capable of sending a small amount of malicious JavaScript code to the target user's computer. The malicious code mounts a cache sidechannel attack, which exploits the effects of contention on the CPU's cache, to identify other websites being browsed. The effectiveness of this attack scenario has never been systematically analyzed, especially in the open-world model which assumes that the user is visiting a mix of both sensitive and non-sensitive sites.We show that cache website fingerprinting attacks in JavaScript are highly feasible. Specifically, we use machine learning techniques to classify traces of cache activity. Unlike prior works, which try to identify cache conflicts, our work measures the overall occupancy of the lastlevel cache. We show that our approach achieves high classification accuracy in both the open-world and the closedworld models. We further show that our attack is more resistant than network-based fingerprinting to the effects of response caching, and that our techniques are resilient both to network-based defenses and to side-channel countermeasures introduced to modern browsers as a response to the Spectre attack. To protect against cache-based website fingerprinting, new defense mechanisms must be introduced to privacy-sensitive browsers and websites. We investigate one such mechanism, and show that generating artificial cache activity reduces the effectiveness of the attack and completely eliminates it when used in the Tor Browser.

show abstract

Random Fill Cache Architecture

Cited by 184 publications

References 23 publications

Flush+Flush: A Fast and Stealthy Cache Attack

Flush+Flush: A Fast and Stealthy Cache Attack

SgxPectre: Stealing Intel Secrets From SGX Enclaves via Speculative Execution

Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality

Contact Info

Product

Resources

About