ABSTRACT
This paper presents a novel run-time detection mechanism, called NIGHTs-WATCH, for access-driven cache-based Side-Channel Attacks (SCAs). It comprises multiple machine learning models, which use real-time data from hardware performance counters for detection. We perform experiments with two state-of-the-art SCAs (Flush+Reload and Flush+Flush) to demonstrate the detection capability and effectiveness of NIGHTs-WATCH. We provide an experimental evaluation under realistic system load conditions and analyze results on detection accuracy, speed, system-wide performance overhead and the confusion matrix for the models used. Our results show detection accuracy of 99.51%, 99.50% and 99.44% for the Flush+Reload (F+R) attack under no load, average load and full load conditions, respectively, with performance overhead of < 2% at the highest detection speed, i.e., within 1% completion of a single RSA encryption round. For Flush+Flush, our results show 99.97%, 98.74% and 95.20% detection accuracy for no load, average load and full load conditions, respectively, with performance overhead of < 2% at the highest detection speed, i.e., within 12.5% completion of 400 AES encryption rounds needed to complete the attack. NIGHTs-WATCH shows considerably high detection efficiency under variable system load conditions.
Index Terms
- NIGHTs-WATCH: a cache-based side-channel intrusion detector using hardware performance counters