Cross-Core Cache Side-Channel Attacks


Discover how cache side-channel attacks exploit shared hardware platforms to leak information across VM boundaries, with a focus on same-core and cross-core attack methods. Learn about the Flush+Reload technique and how attackers can access private cache and Last-Level Cache data through monitoring cache states. Explore the practical implications and challenges of detecting and mitigating these attacks.

  • Cache Attacks
  • Security
  • Cross-Core
  • Side-Channel
  • Hardware


Presentation Transcript


  1. Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks. Yanan Guo¹, Andrew Zigerelli, Youtao Zhang¹, Jun Yang¹ (¹University of Pittsburgh)

  2. Cache Side-channel Attacks. The shared hardware platform can be used to leak information. The attacker learns a victim's cache access by monitoring cache states. Can cross VM boundaries. Hard to detect.

  3. Cache Side-channel Attacks. The shared hardware platform can be used to leak information. The attacker learns a victim's cache access by monitoring cache states. Can cross VM boundaries. Hard to detect. Same-core attacks: work on the private cache; usually require hyper-threading. Cross-core attacks: usually work on the LLC; arguably more practical. [Diagram: attacker and victim, each with a private cache, above the shared last-level cache.]

  4. Cache Side-channel Attacks. The shared hardware platform can be used to leak information. The attacker learns a victim's cache access by monitoring cache states. Can cross VM boundaries. Hard to detect. Same-core attacks: work on the private cache; usually require hyper-threading. Cross-core attacks: usually work on the LLC/Directory; more practical. [Diagram: victim and attacker, each with a private cache, above the shared last-level cache.]

  5. How do cross-core cache attacks work?

  6. Flush+Reload. [Diagram: victim and attacker private caches above the shared LLC, with Line 0 cached. Step shown: attacker flushes.]

  7. Flush+Reload. [Diagram: victim and attacker private caches above the shared LLC. Steps shown: attacker flushes; victim loads; attacker reloads (takes shorter).]

  8. Flush+Reload. [Diagram: victim and attacker private caches above the shared LLC. Steps shown: attacker flushes; victim does not load; attacker reloads (takes longer).]

  9. Flush+Reload. The victim's data is evicted from the LLC (and private caches). [Diagram: victim and attacker private caches above the shared LLC, with Line 0 cached. Step shown: attacker flushes.]

  10. Can we build a cross-core attack that only evicts from the private cache?

  11. Cross-Core Private Cache Attack. [Diagram: the "Attacker flushes" step compared with the new attack ("?"); Line 0 is shown in the private cache and in the shared LLC.] Higher bandwidth. Higher resolution. Stealthier.

  12. Can we use existing eviction methods?

  13. Cross-Core Private Cache Attack. Eviction methods: CLFLUSH; set conflicts. [Diagram: a 4-way set-associative cache (Way 0 to Way 3, Set 0 to Set n); one set holds V, A1, A2, A3.]

  14. Cross-Core Private Cache Attack. Eviction methods: CLFLUSH; set conflicts. [Diagram: a 4-way set-associative cache (Way 0 to Way 3, Set 0 to Set n); the same set now holds A4, A1, A2, A3.]

  15. New eviction method?

  16. Cross-Core Private Cache Attack. A new eviction method is necessary. Cache coherence protocol? [Diagram: four Core 0 / Core 1 panels showing private-cache coherence states ((S)hared, (I)nvalid, (M)odified, (E)xclusive) and whether the shared LLC holds valid or stale data.] Exclusive ownership: can read/write the private cache copy. Shared: read only. Request for ownership (RFO) should only happen upon writes.

  17. Can we cause RFO without writing the cache line?

  18. Cross-Core Private Cache Attack. x86 data prefetching instructions: PREFETCHT0, PREFETCHT1, PREFETCHT2, for reads; PREFETCHW, for writes. PREFETCHW prefetches the data into the private cache and changes the coherence state to Modified. PREFETCHW is available since Broadwell. On Intel Core i7-6700, Core i7-6800K, Core i7-7700K and Core i9-10900X: Property 1: PREFETCHW works on read-only data. Property 2: PREFETCHW has timing variance. Are the two properties always true on Intel processors?

  19. PREFETCHW Characterization

     | Processor | Microarch. | LLC Type | Property #1 | Property #2 |
     |---|---|---|---|---|
     | Core i7-6700 | Skylake | Inclusive | Yes | Yes |
     | Core i7-6800K | Skylake | Inclusive | Yes | Yes |
     | Core i7-7700K | Kaby Lake | Inclusive | Yes | Yes |
     | Core i9-10900X | Cascade Lake | Non-inclusive | Yes | Yes |
     | Xeon Silver 4114 | Skylake-SP | Non-inclusive | Yes | Yes |
     | Xeon Plat. 8151 | Skylake-SP | Non-inclusive | Yes | Yes |
     | Xeon Plat. 8124M | Skylake-SP | Non-inclusive | Yes | Yes |
     | Xeon Plat. 8175M | Skylake-SP | Non-inclusive | Yes | Yes |
     | Xeon Plat. 8259CL | Skylake-SP | Non-inclusive | Yes | Yes |
     | Xeon Plat. 8275CL | Skylake-SP | Non-inclusive | Yes | Yes |
     | Xeon Plat. 8375C | Ice Lake | Non-inclusive | Yes | No |

  20. Two cross-core private cache attacks: Prefetch+Prefetch and Prefetch+Reload

  21. Prefetch+Prefetch. [Diagram: attacker and victim private caches above the shared LLC. Steps shown: attacker prefetches; victim loads; attacker prefetches (takes longer). Private-cache states shown: (M)odified, then (S)hared in both caches; LLC data: stale, then valid.]

  22. Prefetch+Prefetch. [Diagram: attacker and victim private caches above the shared LLC. Steps shown: attacker prefetches; victim does not load; attacker prefetches (takes shorter). Private-cache state shown: (M)odified before and after; LLC data: stale before and after.] Can we load and time the load instead?

  23. Prefetch+Prefetch. [Diagram: attacker and victim private caches above the shared LLC. Steps shown: attacker prefetches; victim loads; attacker prefetches (takes longer). Private-cache states shown: (M)odified, then (S)hared in both caches; LLC data: stale, then valid.] Can we load and time the load instead? Not by the same attacker's thread. What if the attacker has a second thread?

  24. Prefetch+Reload. [Diagram: Trojan, Spy and Victim private caches above the shared LLC. Steps shown: Trojan prefetches; victim loads; spy loads (LLC hit). Private-cache states shown: (M)odified and (I)nvalid, then (S)hared and (I)nvalid; LLC data: stale, then valid.]

  25. Prefetch+Reload. [Diagram: Trojan, Spy and Victim private caches above the shared LLC. Steps shown: Trojan prefetches; victim does not load; spy loads (remote L1 hit). Private-cache states shown: (M)odified and (I)nvalid before and after; LLC data: stale before and after.]

  26. Experiments. Covert channel capacities (with one cache line):

     | Processor | Prefetch+Reload | Prefetch+Load | Prefetch+Prefetch |
     |---|---|---|---|
     | Core i7-6700 | 631 KB/s | 709 KB/s | 721 KB/s |
     | Core i7-7700K | 782 KB/s | 840 KB/s | 822 KB/s |
     | Xeon Plat. 8124M | 394 KB/s | 586 KB/s | 556 KB/s |
     | Xeon Plat. 8151 | 476 KB/s | 680 KB/s | 605 KB/s |

  27. Experiments. Covert channel capacities (with one cache line):

     | Processor | Prefetch+Reload | Prefetch+Load | Prefetch+Prefetch |
     |---|---|---|---|
     | Core i7-6700 | 631 KB/s | 709 KB/s | 721 KB/s |
     | Core i7-7700K | 782 KB/s | 840 KB/s | 822 KB/s |
     | Xeon Plat. 8124M | 394 KB/s | 586 KB/s | 556 KB/s |
     | Xeon Plat. 8151 | 476 KB/s | 680 KB/s | 605 KB/s |

     Flush+Reload: ~270 KB/s. Flush+Flush: ~570 KB/s.

  28. Experiments. Prefetch-based channels with transient execution attacks: faster encoding operation; remote private cache hits are usually much faster than DRAM accesses. 8 bytes can be leaked with Flush+Reload; 17 bytes can be leaked with Prefetch+Prefetch. Side channel attacks: attacking the Square-and-Multiply algorithm in GnuPG to leak the private key; attacking the GUI libraries to detect keystrokes.

  29. Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks. Yanan Guo¹, Andrew Zigerelli, Youtao Zhang¹, Jun Yang¹ (¹University of Pittsburgh). Paper: https://arxiv.org/pdf/2110.12340.pdf Artifacts: https://github.com/PittECEArch/AdversarialPrefetch
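
A toy coherence-state model of the Prefetch+Prefetch and Prefetch+Reload rounds on slides 21-25, added here as an illustration; it is not code from the paper or its artifact repository. The enum names, the three-core layout and the omission of the Exclusive state are assumptions of the sketch, and it tracks state transitions only: it executes no prefetch instruction and measures no timing.

```c
#include <stdio.h>

/* Toy MESI model of ONE cache line (assumed names; no real timing). */
typedef enum { INVALID, SHARED, MODIFIED } mesi_t; /* Exclusive omitted */
typedef enum { PF_SHORT, PF_LONG } pf_time_t;                 /* slides 21-22 */
typedef enum { HIT_PRIVATE, HIT_LLC, HIT_REMOTE } load_src_t; /* slides 24-25 */
enum { ATTACKER, VICTIM, SPY, NCORES }; /* ATTACKER doubles as the Trojan */
static mesi_t line_state[NCORES];
static void reset_line(void) { for (int i = 0; i < NCORES; i++) line_state[i] = INVALID; }
/* PREFETCHW: short if this core already holds M, else an RFO (longer). */
static pf_time_t prefetchw(int core) {
    pf_time_t t = (line_state[core] == MODIFIED) ? PF_SHORT : PF_LONG;
    reset_line();                 /* RFO invalidates every other copy */
    line_state[core] = MODIFIED;
    return t;
}
/* Load: served by a remote Modified copy if any, else the LLC; holders go S. */
static load_src_t load_line(int core) {
    if (line_state[core] != INVALID) return HIT_PRIVATE;
    load_src_t src = HIT_LLC;
    for (int i = 0; i < NCORES; i++) {
        if (line_state[i] == MODIFIED) src = HIT_REMOTE;
        if (line_state[i] != INVALID) line_state[i] = SHARED;
    }
    line_state[core] = SHARED;
    return src;
}
/* Prefetch+Prefetch rounds, no reset between them; returns rounds matched. */
static int prefetch_prefetch_rounds(const char *victim_pattern) {
    int ok = 0;
    reset_line();
    prefetchw(ATTACKER);
    for (const char *p = victim_pattern; *p; p++) {
        if (*p == '1') load_line(VICTIM);   /* constructed victim activity */
        ok += (prefetchw(ATTACKER) == PF_LONG) == (*p == '1');
    }
    return ok;
}
/* Prefetch+Reload, one round: where the spy's load is served from. */
static load_src_t prefetch_reload_round(int victim_loads) {
    reset_line();
    prefetchw(ATTACKER);
    if (victim_loads) load_line(VICTIM);
    return load_line(SPY);
}
int main(void) {
    printf("P+P matched %d/5, P+R source: loads=%d idle=%d\n", prefetch_prefetch_rounds("10110"),
           (int)prefetch_reload_round(1), (int)prefetch_reload_round(0));
    return 0;
}
```

In the multi-round function each PREFETCHW both classifies the previous interval and returns the line to Modified, so the model needs no separate preparation step between rounds, and the line is never removed from the LLC.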
