Real-Time Detection for Cache Side Channel Attack using Performance Counter Monitor

Cho, Jonghyeon; Kim, Soojin; Im, Miok; Kim, Tae Hyun; Shin, Youngjoo

doi:10.3390/app10030984

Cited by 31 publications

(11 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This characteristic of these attacks regarding cache usage can be exploited to implement an intrusion detection system for MDS attacks. There are already anomalybased detection techniques for cache side-channel attacks [20], [58]- [62]. Certain techniques are also proposed to detect a broad range of attacks including transient execution attacks by leveraging unsupervised deep learning [63] and ensemble learning [64].…”

Section: Attack Detectionmentioning

confidence: 99%

Multibyte Microarchitectural Data Sampling and its Application to Session Key Extraction Attacks

Shin

2021

IEEE Access

Self Cite

View full text Add to dashboard Cite

Microarchitectural data sampling (MDS) attacks leak secret data from the internal buffers of a processor to the attacker during transient execution. Because of the narrow window of transient execution, previous MDS attacks relied on repetitive sampling to obtain arbitrarily sized data from the buffer. However, as an MDS attacker cannot control the address for data leakage, such an approach significantly degrades the signal-to-noise ratio in the sampled data. In this paper, we propose a novel multibyte microarchitectural data sampling technique for performing MDS attacks. The proposed technique allows several continuous bytes to be captured in one execution without repetition of sampling. The implementation of the technique is quite challenging, because a transient execution window is not sufficiently large to allow multibyte sampling to be completed. We address this problem by leveraging a return stack buffer-based speculation technique, which originally was used for variants of Spectre-type attacks. We repurpose it to enlarge the transient execution window in our attack. Our implementations can capture data of up to 16 bytes in length in one execution from a line-fill buffer. To validate the effectiveness of the multibyte sampling technique, we demonstrate session key extraction attacks against secure network protocols. In particular, our objective is to extract AES-128 and AES-256 keys from TLS and SSH applications. To recover session keys in a postprocessing phase efficiently, we also propose a novel clustering-based search method that assembles the bytes of interest from the noisy sampled data. The experimental results show that our technique can successfully extract AES-128/256 session keys from victim applications with a probability of at least 98% and a reasonable search complexity. INDEX TERMS Microarchitectural data sampling, Transient execution attack, Session key extraction attackRecently, new vulnerabilities have been found on microarchitectural buffers inside some Intel processors [3], [4]. The

show abstract

Section: Attack Detectionmentioning

confidence: 99%

Multibyte Microarchitectural Data Sampling and its Application to Session Key Extraction Attacks

Shin

2021

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

“…A wide range of classification techniques can be developed by applying off-the-shelf Machine Learning (ML) algorithms. However, existing works in particular on SCAs detection have primarily focused on one or limited ML techniques for attacks detection and classification [8,9,25,42]. Comprehensive analysis of diverse classifiers for SCAs detection is important as each could yield different performance (in terms of accuracy, false positive rate, computational complexity, etc.)…”

Section: Comprehensive Study Of Machine Learning Classifiersmentioning

confidence: 99%

“…1 Lack of Robustness: Our comprehensive analysis shows that the previous works on SCAs detection jointly correlate the HPCs traces of victim and attack applications [8,42] where the detectors require HPCs data from both the attack and victim application. However, recent studies [2,11,15,17] show that attackers can craft [42] Yes Yes 100 -5000 No No mitigation module Real-Time Detection [9] No Yes 1. 5 2.4 No No mitigation module Nights-watch [25] No No No Mentioned No No mitigation module Cacheshield [3] No No [11][12][13][14][15][16][17][18][19][20][21][22][23][24] No mitigation module CPU Elasticity [23] No detection module No 32.66% No FLUSH+PREFETCH [24] No detection module No Not Mentioned No Random Fill [21] No detection module Yes No Mentioned No Catalyst [19] No attacks to bypass detectors.…”

Section: Introductionmentioning

confidence: 99%

Hybrid-shield

Wang

Sayadi

Sasan

et al. 2020

Proceedings of the 39th International Conference on Computer-Aided Design

View full text Add to dashboard Cite

“…Since the common cache side-channel attacks execute memory-related instructions frequently to manipulate the target cache states, the attacks may provoke uncommon hardware performance counts such as skyrocketing cache misses. The signature-based detection methods [6,[29][30][31][32][33][34] rely on the models with HPCs collected from several attacks such as Flush+Reload [1], Prime+Probe [5], and Flush+Flush [6]. The anomaly-based detection methods [35][36][37][38][39] developed the detection model based on the normal behavior of the potential victim applications, such as cryptography applications.…”

Section: Introductionmentioning

confidence: 99%

RT-Sniper: A Low-Overhead Defense Mechanism Pinpointing Cache Side-Channel Attacks

et al. 2021

View full text Add to dashboard Cite

Since cache side-channel attacks have been serious security threats to multi-tenant systems, there have been several studies to protect systems against the attacks. However, the prior studies have limitations in determining only the existence of the attack and/or occupying too many computing resources in runtime. We propose a low-overhead pinpointing solution, called RT-Sniper, to overcome such limitations. RT-Sniper employs a two-level filtering mechanism to minimize performance overhead. It first monitors hardware events per core and isolates a suspected core to run a malicious process. Then among the processes running on the selected core, RT-Sniper pinpoints a malicious process through a per-process monitoring approach. With the core-level filtering, RT-Sniper has an advantage in overhead compared to the previous works. We evaluate RT-Sniper against Flush+Reload and Prime+Probe attacks running SPEC2017, LMBench, and PARSEC benchmarks on multi-core systems. Our evaluation demonstrates that the performance overhead by RT-Sniper is negligible (0.3% for single-threaded applications and 2.05% for multi-threaded applications). Compared to the previous defense solutions against cache side-channel attacks, RT-Sniper exhibits better detection performance with lower performance overhead.

show abstract

Real-Time Detection for Cache Side Channel Attack using Performance Counter Monitor

Cited by 31 publications

References 8 publications

Multibyte Microarchitectural Data Sampling and its Application to Session Key Extraction Attacks

Multibyte Microarchitectural Data Sampling and its Application to Session Key Extraction Attacks

Hybrid-shield

RT-Sniper: A Low-Overhead Defense Mechanism Pinpointing Cache Side-Channel Attacks

Contact Info

Product

Resources

About