Abstract
As attack scenarios and targets are constantly expanding, cache side-channel attacks have gradually penetrated into various daily applications and brought great security risks. The success of a cache side-channel attack relies heavily on prior knowledge of some important parameters of the target cache system. Existing methods for reading cache parameters have their limits. In this paper, a series of tests are proposed to extract cache parameters at runtime, which provides a method for launching existing cache side-channel attacks in some restricted cases and reduces the cost of attacks. They have been used to extract cache parameters on four processors using three different architectures, as well as in a restricted virtual machine environment. The extracted parameters match the publicly available information, including some parameters unavailable from the CPUID instruction.
Notes
- 1. Such context switching can be detected by software as it usually leads to outstanding measurement errors.
- 2. Introducing extra samples in between each pair of basis points (\(\times 2\)) sharpens the peaks in the slope curve, which makes the peaks easy to detect but leads to long running time. As a trade-off, only one extra sample is added at the middle (\(\sqrt{2}\)) of the basis points on the logarithmized x-axis.
- 3. This latency is not consistent with Table 3 as extra delay is caused by the operations to clean states at the beginning of each test.
Acknowledgements
The HiFive Unleashed board was kindly borrowed from Xiongfei Guo. This work was partially supported by the National Natural Science Foundation of China under grant No. 62172406 and No. 61802402, the CAS Pioneer Hundred Talents Program, and internal grants from the Institute of Information Engineering, CAS. Any opinions, findings, conclusions, and recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Shen, S., Li, Z., Song, W. (2022). Methods of Extracting Parameters of the Processor Caches. In: Cheng, CM., Akiyama, M. (eds) Advances in Information and Computer Security. IWSEC 2022. Lecture Notes in Computer Science, vol 13504. Springer, Cham. https://doi.org/10.1007/978-3-031-15255-9_3
DOI: https://doi.org/10.1007/978-3-031-15255-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15254-2
Online ISBN: 978-3-031-15255-9
eBook Packages: Computer Science, Computer Science (R0)