Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality

Shusterman, Anatoly; Avraham, Zohar; Croitoru, Eliezer; Haskal, Yarden; Kang, Lachlan; Levi, D.; Meltser, Yosef; Mittal, Prateek; Oren, Yossi; Yarom, Yuval

doi:10.1109/tdsc.2020.2988369

Cited by 53 publications

(89 citation statements)

References 84 publications

(118 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One reason for these differences is that we incorporated the results by Prouff et al [41] in addition to conducting preliminary experiments. The classification rates for Google Chrome in [44] are comparable to the ones we achieve. In summary, both Shusterman et al and this work propose inference attacks that share a common goal, but differ regarding approach and attack environment.…”

Section: Comparison With Shusterman Et Alsupporting

confidence: 74%

“…Compared to the LLC-based attack in [39], our success rates are higher, even though we classify significantly more websites. Compared to the results by Shusterman et al [44], we achieve similar classification rates. At the same time, we relax the attacker model by not only compensating imprecise timing sources but also random cache replacement policies.…”

Section: Website and Application Inferencesupporting

confidence: 72%

“…In [44], the authors present a similar inference attack than the one proposed in this work. The LLC profiling is implemented with so-called one-dimensional memorygrams.…”

Section: Comparison With Shusterman Et Almentioning

confidence: 94%

“…Shusterman et al [44] extend this work by inferring websites from JavaScript with simple last-level cache profiles that are classified by Convolutional Neural Networks and Long Short-Term Memory. As this is concurrent work to ours 3 , we provide a closer comparison later in the section.…”

Section: Website and Application Inferencementioning

confidence: 99%

“…We trained our model with 2 Convolution layers, which yield a lower validation loss compared to 3 layers. The kernel size is kept the same in LLC 78.5 40 [53] iOS APIs 89.0 120 [46] Java-based Android API 85.6 20 [9] Interrupt Handling Mechanism 87.0 100 [45] ProcFS Leaks 96.0 100 each Convolution layer, while in [44] it is varied with each layer. Finally, we use a Pooling size of 2, while Shusterman et al use 4.…”

Section: Comparison With Shusterman Et Almentioning

confidence: 99%

See 4 more Smart Citations

Undermining User Privacy on Mobile Devices Using AI

Gülmezoğlu

Zankl

Tol

et al. 2019

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Over the past years, literature has shown that attacks exploiting the microarchitecture of modern processors pose a serious threat to the privacy of mobile phone users. This is because applications leave distinct footprints in the processor, which can be used by malware to infer user activities. In this work, we show that these inference attacks are considerably more practical when combined with advanced AI techniques. In particular, we focus on profiling the activity in the last-level cache (LLC) of ARM processors. We employ a simple Prime+Probe based monitoring technique to obtain cache traces, which we classify with Deep Learning methods including Convolutional Neural Networks. We demonstrate our approach on an off-the-shelf Android phone by launching a successful attack from an unprivileged, zeropermission App in well under a minute. The App thereby detects running applications with an accuracy of 98% and reveals opened websites and streaming videos by monitoring the LLC for at most 6 seconds. This is possible, since Deep Learning compensates measurement disturbances stemming from the inherently noisy LLC monitoring and unfavorable cache characteristics such as random line replacement policies. In summary, our results show that thanks to advanced AI techniques, inference attacks are becoming alarmingly easy to implement and execute in practice. This once more calls for countermeasures that confine microarchitectural leakage and protect mobile phone applications, especially those valuing the privacy of their users.CNNs are a so-called Deep Learning technique. They have received broad interest in the field of supervised learning, especially for complex tasks such as image and language classification [8,28]. A typical CNN is made up of neurons, which are interconnected and grouped into layers. Each neuron computes a weighted sum of its inputs using a (non-) linear activation function. Those inputs stem from the actual inputs to the network or from previous layers. A typical CNN comprises multiple layers of neurons, as shown in Figure 1:Convolutional Layer. This layer is the core block of the CNN. It consists of learnable filters that are slid over the width and height of the input to learn any two-dimensional patterns. The activation functions in the neurons thereby extract important features from each input. For efficiency, the neurons are connected only to a local region of the input.

show abstract

Section: Comparison With Shusterman Et Alsupporting

confidence: 74%

Section: Website and Application Inferencesupporting

confidence: 72%

“…In [44], the authors present a similar inference attack than the one proposed in this work. The LLC profiling is implemented with so-called one-dimensional memorygrams.…”

Section: Comparison With Shusterman Et Almentioning

confidence: 94%

Section: Website and Application Inferencementioning

confidence: 99%

Section: Comparison With Shusterman Et Almentioning

confidence: 99%

See 3 more Smart Citations

Undermining User Privacy on Mobile Devices Using AI

Gülmezoğlu

Zankl

Tol

et al. 2019

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

Side-Channeling the Kalyna Key Expansion

Chuengsatiansup

Genkin

Yarom

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

CPU Port Contention Without SMT

Rokicki

Maurice

Schwarz

2022

Computer Security – ESORICS 2022

View full text Add to dashboard Cite

CPU port contention has been used in the last years as a stateless side channel to perform side-channel attacks and transient execution attacks. One drawback of this channel is that it heavily relies on simultaneous multi-threading, which can be absent from some CPUs or simply disabled by the OS. In this paper, we present sequential port contention, which does not require SMT. It exploits sub-optimal scheduling to execution ports for instruction-level parallelization. As a result, specifically-crafted instruction sequences on a single thread suffer from an increased latency. We show that sequential port contention can be exploited from web browsers in WebAssembly. We present an automated framework to search for instruction sequences leading to sequential port contention for specific CPU generations, which we evaluated on 50 different CPUs. An attacker can use these sequences from the browser to determine the CPU generation within 12 s with a 95 % accuracy. This fingerprint is highly stable and resistant to system noise, and we show that mitigations are either expensive or only probabilistic.

show abstract

Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality

Cited by 53 publications

References 84 publications

Undermining User Privacy on Mobile Devices Using AI

Undermining User Privacy on Mobile Devices Using AI

Side-Channeling the Kalyna Key Expansion

CPU Port Contention Without SMT

Contact Info

Product

Resources

About