ClepsydraCache - Preventing Cache Attacks with Time-Based Evictions

Both the shift towards attacks on the microarchitectural CPU level and the ongoing transition towards cloud computing and shared VM hosts have increasingly drawn attention towards cache attacks. In these fields of application, cache sidechannels lay the cornerstone that is leveraged by attackers to exfiltrate secret information from the CPU microarchitecture. We build upon the observation that current cache side-channel attacks mostly exploit the architectural visibility of conflicting cache addresses. With CLEPSYDRACACHE, we break away this foundation by unraveling the linkage between cache evictions and accesses to conflicting addresses. Our solution takes a new approach that assigns each cache entry a random time-to-live to reduce the amount of cache conflicts. By making those conflicts unobservable to an attacker, CLEPSYDRACACHE efficiently protects against attacks like PRIME+PROBE and FLUSH+RELOAD. Furthermore, our solution is applicable to large last-level caches which are the most common targets for cache attacks. We implement CLEPSYDRACACHE using the Gem5 simulator and provide a proof-of-concept hardware design and simulation using 65-nm CMOS technology. CLEPSYDRACACHE matches the performance of traditional cache architectures while improving the system security against cache attacks. A Clepsydra is an ancient time-measuring device worked by a flow of water.

[1]  Nikos Nikoleris,et al.  The gem5 Simulator: Version 20.0+ , 2020, ArXiv.

[2]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[3]  Mihir Bellare,et al.  Format-Preserving Encryption , 2009, IACR Cryptol. ePrint Arch..

[4]  Ruby B. Lee,et al.  New cache designs for thwarting software cache-based side channel attacks , 2007, ISCA '07.

[5]  Guru Venkataramani,et al.  CC-Hunter: Uncovering Covert Timing Channels on Shared Processor Hardware , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[6]  Thomas Eisenbarth,et al.  FortuneTeller: Predicting Microarchitectural Attacks via Unsupervised Deep Learning , 2019, ArXiv.

[7]  Gernot Heiser,et al.  CATalyst: Defeating last-level cache side channel attacks in cloud computing , 2016, 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[8]  Milos Doroslovacki,et al.  Prefetch-guard: Leveraging hardware prefetches to defend against cache timing channels , 2018, 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[9]  Srdjan Capkun,et al.  Software Grand Exposure: SGX Cache Attacks Are Practical , 2017, WOOT.

[10]  Kui Ren,et al.  PhantomCache: Obfuscating Cache Conflicts with Localized Randomization , 2020, NDSS.

[11]  K. Ishibashi,et al.  A 65-nm SoC Embedded 6T-SRAM Designed for Manufacturability With Read and Write Operation Stabilizing Circuits , 2007, IEEE Journal of Solid-State Circuits.

[12]  Yale N. Patt,et al.  Utility-Based Cache Partitioning: A Low-Overhead, High-Performance, Runtime Mechanism to Partition Shared Caches , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[13]  Trevor Mudge,et al.  MiBench: A free, commercially representative embedded benchmark suite , 2001 .

[14]  Andreas Haeberlen,et al.  Detecting Covert Timing Channels with Time-Deterministic Replay , 2014, OSDI.

[15]  Christian Bienia,et al.  Benchmarking modern multiprocessors , 2011 .

[16]  Dan Page,et al.  Partitioned Cache Architecture as a Side-Channel Defence Mechanism , 2005, IACR Cryptology ePrint Archive.

[17]  Gabriel H. Loh,et al.  PIPP: promotion/insertion pseudo-partitioning of multi-core shared caches , 2009, ISCA '09.

[18]  Josep Torrellas,et al.  ReplayConfusion: Detecting cache-based covert channel attacks using record and replay , 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[19]  Christoforos E. Kozyrakis,et al.  Scalable and Efficient Fine-Grained Cache Partitioning with Vantage , 2012, IEEE Micro.

[20]  Johannes Götzfried,et al.  Cache Attacks on Intel SGX , 2017, EUROSEC.

[21]  Moinuddin K. Qureshi CEASER: Mitigating Conflict-Based Cache Attacks via Encrypted-Address and Remapping , 2018, 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[22]  Wolfgang E. Nagel,et al.  Comparing cache architectures and coherency protocols on x86-64 multicore SMP systems , 2009, 2009 42nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[23]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[24]  Goran Doychev,et al.  Rigorous analysis of software countermeasures against cache attacks , 2017, PLDI.

[25]  Gorka Irazoqui Apecechea,et al.  Cross Processor Cache Attacks , 2016, IACR Cryptol. ePrint Arch..

[26]  Hao Wu,et al.  Newcache: Secure Cache Architecture Thwarting Cache Side-Channel Attacks , 2016, IEEE Micro.

[27]  Anne Canteaut,et al.  PRINCE - A Low-Latency Block Cipher for Pervasive Computing Applications - Extended Abstract , 2012, ASIACRYPT.

[28]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[29]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[30]  장훈,et al.  [서평]「Computer Organization and Design, The Hardware/Software Interface」 , 1997 .

[31]  Pepe Vila,et al.  Theory and Practice of Finding Eviction Sets , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[32]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[33]  Adi Shamir,et al.  Efficient Cache Attacks on AES, and Countermeasures , 2010, Journal of Cryptology.

[34]  David Thomas,et al.  The Art in Computer Programming , 2001 .

[35]  Vern Paxson,et al.  TCP Congestion Control , 1999, RFC.

[36]  Jacques Stern,et al.  Secret linear congruential generators are not cryptographically secure , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[37]  Ricardo J. Rodríguez,et al.  Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9721 , 2016 .

[38]  Paul England,et al.  Resource management for isolation enhanced cloud services , 2009, CCSW '09.

[39]  André Seznec,et al.  A case for two-way skewed-associative caches , 1993, ISCA '93.

[40]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[41]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[42]  Kai Li,et al.  The PARSEC benchmark suite: Characterization and architectural implications , 2008, 2008 International Conference on Parallel Architectures and Compilation Techniques (PACT).

[43]  Herbert Bos,et al.  : Practical Cache Attacks from the Network , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[44]  Klaus Wagner,et al.  Flush+Flush: A Fast and Stealthy Cache Attack , 2015, DIMVA.

[45]  M. Bellare,et al.  The FFX Mode of Operation for Format-Preserving Encryption Draft 1 . 1 , 2010 .

[46]  Sylvain Duquesne,et al.  Montgomery-friendly primes and applications to cryptography , 2021, Journal of Cryptographic Engineering.

[47]  Aleksandar Milenkovic,et al.  Performance evaluation of cache replacement policies for the SPEC CPU2000 benchmark suite , 2004, ACM-SE 42.

[48]  Ruby B. Lee,et al.  Random Fill Cache Architecture , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[49]  Herbert Bos,et al.  Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think , 2018, USENIX Security Symposium.

[50]  Mario Werner,et al.  ScatterCache: Thwarting Cache Attacks via Cache Set Randomization , 2019, USENIX Security Symposium.

[51]  Ruby B. Lee,et al.  A novel cache architecture with enhanced performance and security , 2008, 2008 41st IEEE/ACM International Symposium on Microarchitecture.

[52]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[53]  Ingrid Verbauwhede,et al.  Systematic Analysis of Randomization-based Protected Cache Architectures , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[54]  Wonchan Kim,et al.  A Low Voltage Low Power CMOS Delay Element , 1995, ESSCIRC '95: Twenty-first European Solid-State Circuits Conference.

[55]  Young-Deuk Jeon,et al.  A 6b 1.4GS/s 11.9mW 0.11mm2 65nm CMOS DAC with a 2-D INL bounded switching scheme , 2010, 2010 International SoC Design Conference.