
Write+Sync: Software Cache Write Covert Channels Exploiting Memory-disk Synchronization (2312.11501v2)

Published 8 Dec 2023 in cs.CR

Abstract: Memory-disk synchronization is a critical technology for ensuring data correctness, integrity, and security, especially in systems that handle sensitive information like financial transactions and medical records. We propose SYNC+SYNC, a group of attacks that exploit the memory-disk synchronization primitives. SYNC+SYNC works by subtly varying the timing of synchronization on the write buffer, offering several advantages: 1) implemented purely in software, enabling deployment on any hardware device; 2) resilient against existing cache partitioning and randomization techniques; 3) unaffected by prefetching techniques and cache replacement strategies. We present the principles of SYNC+SYNC through the implementation of two write covert channel protocols, using either a single file or page, and introduce three enhanced strategies that utilize multiple files and pages. The feasibility of these channels is demonstrated in both cross-process and cross-sandbox scenarios across diverse operating systems (OSes). Experimental results show that the average rate can reach 2.036 Kb/s (with a peak rate of 14.762 Kb/s) and the error rate is 0% on Linux; when running on macOS, the average rate achieves 10.211 Kb/s (with a peak rate of 253.022 Kb/s) and the error rate is 0.004%. To the best of our knowledge, SYNC+SYNC is the first high-speed write covert channel for software cache.
