Scheduling, Isolation, and Cache Allocation: A Side-Channel Defense

Sprabery, Read; Evchenko, Konstantin; Raj, Abhilash; Bobba, Rakesh B.; Mohan, Sibin; Campbell, Roy H.

doi:10.1109/ic2e.2018.00025

Cited by 10 publications

(9 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Spectre gadget detection can be categorized as static and dynamic detection techniques. One direction of the static analysis technique is to model the Spectre gadget by using its syntax pattern, such as Spectre 1 Scanner from RedHat [5] and MSCV Spectre 1 pass [41], and conduct the pattern search on binaries for potential candidates. These tools produce a large number of false positives.…”

Section: Related Workmentioning

confidence: 99%

“…Generally speaking, they try to find a set of potential Spectre gadgets in a program and only patch these gadgets to avoid high runtime overhead. Spectre V1 Scanner from RedHat [5] and MSCV Spectre 1 pass [41] search in binary for gadget patterns, and only patch gadgets that match predefined patterns. Tools like SPECTECTOR [23] and oo7 [43] conduct more advanced static analysis such as symbolic execution and taint analysis to detect Spectre gadgets.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets

Qi¹,

Qian²,

Cheng³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Software patching is a crucial mitigation approach against Spectre-type attacks. It utilizes serialization instructions to disable speculative execution of potential Spectre gadgets in a program. Unfortunately, there are no effective solutions to detect gadgets for Spectre-type attacks. In this paper, we propose a novel Spectre gadget detection technique by enabling dynamic taint analysis on speculative execution paths. To this end, we simulate and explore speculative execution at system level (within a CPU emulator). We have implemented a prototype called SpecTaint to demonstrate the efficacy of our proposed approach. We evaluated SpecTaint on our Spectre Samples Dataset, and compared SpecTaint with existing state-of-the-art Spectre gadget detection approaches on real-world applications. Our experimental results demonstrate that SpecTaint outperforms existing methods with respect to detection precision and recall by large margins, and it also detects new Spectre gadgets in real-world applications such as Caffe and Brotli. Besides, SpecTaint significantly reduces the performance overhead after patching the detected gadgets, compared with other approaches.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets

Qi¹,

Qian²,

Cheng³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…For example, attacks that rely on simultaneous multithreading (SMT) can be thwarted by disabling SMT, which is an increasingly common practice for both cloud providers and end users [10,19,67]. Other approaches propose to partition the shared resource to ensure that its use by the victim cannot be monitored by the attacker [56,64,92,104,118]. For example, Liu et al [64] present a defense to multicore cache attacks that uses Intel CAT [74] to load sensitive victim cache lines in a secure LLC partition where they cannot be evicted by the attacker.…”

Section: Side Channel Defensesmentioning

confidence: 99%

“…Finally, for channels that rely on preemptive scheduling and SMT, one mitigation approach is to erase the victim's footprint from the microarchitectural state across context switches. For example, several works proposed to flush the CPU caches on context switches [17,32,34,35,37,43,44,78,81,92,99,117].…”

Section: Side Channel Defensesmentioning

confidence: 99%

Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

Paccagnella,

Luo,

Fletcher

2021

Preprint

View full text Add to dashboard Cite

We introduce the first microarchitectural side channel attacks that leverage contention on the CPU ring interconnect. There are two challenges that make it uniquely difficult to exploit this channel. First, little is known about the ring interconnect's functioning and architecture. Second, information that can be learned by an attacker through ring contention is noisy by nature and has coarse spatial granularity. To address the first challenge, we perform a thorough reverse engineering of the sophisticated protocols that handle communication on the ring interconnect. With this knowledge, we build a crosscore covert channel over the ring interconnect with a capacity of over 4 Mbps from a single thread, the largest to date for a cross-core channel not relying on shared memory. To address the second challenge, we leverage the fine-grained temporal patterns of ring contention to infer a victim program's secrets. We demonstrate our attack by extracting key bits from vulnerable EdDSA and RSA implementations, as well as inferring the precise timing of keystrokes typed by a victim user.

show abstract

“…The most common target for side-channel attacks is CPU caches, and many of the practical attacks can be prevented by defending this target. There is an extensive body of research in the direction of preventing side channel attacks, ranging from cache isolation [39], to attack detection [19], enforcing non-interrupted execution [32,41], and cache coloring [37]. Yet, they provide only a partial defence as transient execution attacks may use other side-channel targets too [35].…”

Section: Preventing Side Channelsmentioning

confidence: 99%

SpecFuzz: Bringing Spectre-type vulnerabilities to the surface

Oleksenko,

Trach,

Silberstein

et al. 2019

Preprint

View full text Add to dashboard Cite

SpecFuzz is the first tool that enables dynamic testing for speculative execution vulnerabilities (e.g., Spectre). The key is the concept of speculation exposure: The program is instrumented to simulate speculative execution in software by forcefully executing the code paths that could be triggered due to mispredictions, thereby making the speculative memory accesses visible to integrity checkers. Combined with the conventional fuzzing techniques, speculation exposure enables more precise identification of potential vulnerabilities compared to the state-of-the-art static analyzers.Our prototype for detecting Spectre V1 vulnerabilities successfully identifies all known variations of Spectre V1, and dramatically reduces the overheads compared to the deployed Speculative Load Hardening mitigation across the evaluated applications, reducing the amount of necessary instrumentation by 99% in some of them.

show abstract

Scheduling, Isolation, and Cache Allocation: A Side-Channel Defense

Cited by 10 publications

References 28 publications

SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets

SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets

Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

SpecFuzz: Bringing Spectre-type vulnerabilities to the surface

Contact Info

Product

Resources

About