
TreasureCache: Hiding Cache Evictions Against Side-Channel Attacks

Published: 16 January 2024

Abstract

Cache side-channel attacks remain a stubborn source of cross-core secret leakage. Such attacks exploit the timing difference between cache hits and misses. Most defenses thus choose to prevent cache evictions. Given that two possible types of evictions—flush-based and conflict-based—use different architectural features, these defenses have to integrate hybrid defense strategies, incur OS modification, and sacrifice performance to completely throttle cache side-channel attacks. In this article, we present TreasureCache, a defense against cache side-channel attacks that neither modifies the OS nor sacrifices performance. Instead of preventing cache evictions at various costs, we advocate allowing cache evictions as is and hiding exploitable evictions in our specialized small eviction-hidden buffer. The buffer guarantees a fast hit time comparable to that of LLC hits. This instantly closes the timing gap between accessing exploitable blocks when they are in and out of the LLC. Moreover, with the help of our buffer, we no longer have to disable flush instructions or shared memory. A lightweight constant-time flush instruction can help TreasureCache prevent both flush-based and conflict-based side-channel attacks. We validate TreasureCache's security and performance through extensive experiments. With a hardware overhead of less than 0.5%, TreasureCache reduces the secret-leakage resolution by about 1,000 times without introducing any performance slowdown.


Published In

IEEE Transactions on Dependable and Secure Computing, Volume 21, Issue 5, Sept.-Oct. 2024, 750 pages

Publisher

IEEE Computer Society Press, Washington, DC, United States
