Micro-architectural Cache Side-Channel Attacks and Countermeasures

The central processing unit (CPU) is considered the brain of a computer. If the CPU has vulnerabilities, the security of the software running on it is difficult to guarantee. In recent years, various micro-architectural cache side-channel attacks on the CPU, such as Spectre and Meltdown, have appeared. They exploit contention on internal components of the processor to leak secret information between processes. This emerging research area has attracted significant interest because of the broad applicability and severity of these attacks. This article reviews recent research progress on micro-architectural cache side-channel attacks and defenses. First, the various micro-architectural cache side-channel attacks are classified and discussed. Then, the corresponding countermeasures are summarized. Finally, the limitations and future development trends are discussed.
