Random and Safe Cache Architecture to Defeat Cache Timing Attacks (2309.16172v2)
Abstract: Caches have been exploited to leak secret information because of the different times they take to handle memory accesses. Cache timing attacks include non-speculative cache side-channel and covert-channel attacks as well as cache-based speculative execution attacks. We first present a systematic view of the attack and defense space and show that no existing defense addresses all cache timing attacks; this paper does. We propose Random and Safe (RaS) cache architectures to decorrelate cache state changes from memory requests. RaS fills the cache with "safe" cache lines that are likely to be used in the future, rather than with demand-fetched, security-sensitive lines. RaS lifts the restriction on cache fills for accesses that become safe once speculative execution is resolved and authorized. Our RaS-Spec design against cache-based speculative execution attacks has a low 3.8% average performance overhead. RaS+ variants against both speculative and non-speculative attacks offer security-performance trade-offs ranging from 7.9% to 45.2% average overhead.
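To make the abstract's central property concrete, the following toy model contrasts a conventional demand-fill cache with a RaS-like fill policy and checks whether the cache state left behind by a squashed speculative load depends on the address that load touched. This is an added illustration, not the paper's RaS design or code: the cache is a tiny fully associative LRU model, the "safe" line is chosen (by assumption) as the next sequential line after the most recent committed load, and the access trace is constructed. The names `Cache`, `Load`, `demand_fill`, `ras_like_fill`, `state_after` and `state_depends_on_speculative_addr` are this example's own.

```python
"""Toy model of cache fill policies (added illustration, not the paper's design).

It shows the property the abstract calls 'decorrelating cache state changes from
memory requests': under a RaS-like policy a squashed speculative load leaves the
same cache state whatever address it touched, while a demand-fill cache does not.
"""
from __future__ import annotations
from dataclasses import dataclass

LINE_SIZE = 64


def line_of(addr: int) -> int:
    """Cache line number for a byte address."""
    return addr // LINE_SIZE


@dataclass
class Load:
    addr: int
    speculative: bool = False   # issued while its authorizing branch is unresolved
    squashed: bool = False      # speculation later resolved as wrong (speculative loads only)


class Cache:
    """Fully associative toy cache with LRU replacement, keyed by line number."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.lines = []          # least recently used first, most recently used last

    def fill(self, line: int) -> None:
        if line in self.lines:
            self.lines.remove(line)
        elif len(self.lines) >= self.capacity:
            self.lines.pop(0)    # evict LRU
        self.lines.append(line)

    def state(self) -> frozenset:
        return frozenset(self.lines)


def demand_fill(cache: Cache, loads: list[Load]) -> None:
    """Conventional policy: every load fills the cache when serviced, so a
    speculative load that is later squashed still leaves its line behind."""
    for ld in loads:
        cache.fill(line_of(ld.addr))


def ras_like_fill(cache: Cache, loads: list[Load]) -> None:
    """Assumed RaS-style policy (simplification of the abstract's description).

    While a load is speculative its own line is not filled; the fill is spent on
    a 'safe' line instead, chosen here (assumption) as the next sequential line
    after the most recent committed, non-speculative load, so it is independent
    of the speculative address. When the load resolves as authorized (not
    squashed) the restriction is lifted and its demanded line is filled.
    """
    last_committed = None
    for ld in loads:
        line = line_of(ld.addr)
        if not ld.speculative:
            cache.fill(line)
            last_committed = line
            continue
        if last_committed is not None:
            cache.fill(last_committed + 1)   # safe, request-independent fill
        if not ld.squashed:
            cache.fill(line)                 # resolved and authorized: normal fill


def state_after(policy, spec_addr: int, squashed: bool) -> frozenset:
    """Run a constructed trace (two committed loads, one speculative load to
    spec_addr, one more committed load) and return the final cache contents."""
    trace = [
        Load(0x1000),
        Load(0x1040),
        Load(spec_addr, speculative=True, squashed=squashed),
        Load(0x2000),
    ]
    cache = Cache(capacity=8)
    policy(cache, trace)
    return cache.state()


def state_depends_on_speculative_addr(policy, squashed: bool = True) -> bool:
    """True if speculative loads to two different addresses leave distinguishable
    cache states, i.e. the state change is still correlated with the request.
    A cache-timing observer can only recover the address when this is True."""
    return state_after(policy, 0x8000, squashed) != state_after(policy, 0x9000, squashed)


if __name__ == "__main__":
    print("demand fill, squashed load leaks address:",
          state_depends_on_speculative_addr(demand_fill))          # True
    print("RaS-like fill, squashed load leaks address:",
          state_depends_on_speculative_addr(ras_like_fill))        # False
    print("RaS-like fill, authorized load fills normally:",
          state_depends_on_speculative_addr(ras_like_fill, squashed=False))  # True
```

The third check matters as much as the second: once the speculative load is resolved and authorized, the RaS-like policy fills its line like any other load, which is the "lifted restriction" that keeps the performance cost low; the model only withholds the fill for the window in which the access is still unauthorized.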