CacheShield: Detecting Cache Attacks through Self-Observation

Microarchitectural attacks pose a great threat to any code running in parallel to other untrusted processes. Especially in public clouds, where system resources such as caches are shared across several tenants, microarchitectural attacks remain an unsolved problem. Cache attacks rely on evictions by the spy process, which alter the execution behavior of the victim process. Similarly, all attacks exploiting shared resource access will influence these resources, thereby influencing the process they are targeting. We show that hardware performance events reveal the presence of such attacks. Based on this observation, we propose CacheShield, a tool to protect legacy code by self-monitoring its execution and detecting the presence of microarchitectural attacks. CacheShield can be run by users and does not require alteration of the OS or hypervisor, while previously proposed software-based countermeasures require cooperation from the hypervisor. Unlike methods that try to detect malicious processes, our approach is lean, as only a fraction of the system needs to be monitored. It also integrates well into today's cloud infrastructure, as concerned users can opt to use CacheShield without support from the cloud service provider. Our results show that CacheShield detects attacks fast, with high reliability, and with few false positives, even in the presence of strong noise.
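One way to act on the observation that a process's own hardware performance events shift under attack, given as an added example that is not taken from the paper or the CacheShield tool: a one-sided CUSUM change-point detector run over per-interval cache-miss counts of the monitored process. The choice of CUSUM, the parameter values and the counter samples are assumptions constructed for illustration; the abstract does not specify the detection algorithm.

```python
import statistics

# Constructed samples: cache misses of the protected process per sampling interval.
BASELINE = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96]     # unattacked calibration run
NOISY    = [101, 99, 112, 100, 98, 103, 97, 101]              # one isolated noise spike
ATTACKED = [100, 102, 98, 101, 109, 111, 108, 112, 110, 109]  # evictions begin at index 4


def calibrate(baseline):
    """Learn mean and spread of the process's own counter while it runs undisturbed."""
    mu = statistics.mean(baseline)
    sigma = statistics.pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    return mu, sigma


def cusum_detect(samples, mu, sigma, slack=1.0, threshold=8.0):
    """One-sided CUSUM over standardized samples.

    slack (in sigmas) is subtracted every step so ordinary noise decays to zero;
    threshold (in sigmas) is the accumulated excess that raises the alarm.
    Returns the index of the first alarming sample, or None.
    """
    s = 0.0
    for i, x in enumerate(samples):
        z = (x - mu) / sigma
        s = max(0.0, s + z - slack)  # only sustained increases accumulate
        if s > threshold:
            return i
    return None


def run_demo():
    """Calibrate once, then scan the noisy and the attacked trace."""
    mu, sigma = calibrate(BASELINE)
    return cusum_detect(NOISY, mu, sigma), cusum_detect(ATTACKED, mu, sigma)


if __name__ == "__main__":
    noisy_alarm, attack_alarm = run_demo()
    print("noisy trace alarm index:   ", noisy_alarm)
    print("attacked trace alarm index:", attack_alarm)
```

A single spike never crosses the threshold because the slack term drains the sum between outliers, while a sustained rise in misses accumulates and trips the alarm a few intervals after it starts.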
