Attack directories, not caches: Side channel attacks in a non-inclusive world

Mengjia Yan, Read Sprabery, Bhargava Gopireddy, Christopher Wardlaw Fletcher, R H Campbell, Josep Torrellas

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Although clouds have strong virtual memory isolation guarantees, cache attacks stemming from shared caches have proved to be a large security problem. However, despite the past effectiveness of cache attacks, their viability has recently been called into question on modern systems, due to trends in cache hierarchy design moving away from inclusive cache hierarchies. In this paper, we reverse engineer the structure of the directory in a sliced, non-inclusive cache hierarchy, and prove that the directory can be used to bootstrap conflict-based cache attacks on the last-level cache. We design the first cross-core Prime+Probe attack on non-inclusive caches. This attack works with minimal assumptions: the adversary does not need to share any virtual memory with the victim, nor run on the same processor core. We also show the first high-bandwidth Evict+Reload attack on the same hardware. We demonstrate both attacks by extracting key bits during RSA operations in GnuPG on a state-of-the-art non-inclusive Intel Skylake-X server.

Original languageEnglish (US)
Title of host publicationProceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages888-904
Number of pages17
ISBN (Electronic)9781538666609
DOIs
StatePublished - May 2019
Event40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States
Duration: May 19 2019May 23 2019

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2019-May
ISSN (Print)1081-6011

Conference

Conference40th IEEE Symposium on Security and Privacy, SP 2019
CountryUnited States
CitySan Francisco
Period5/19/195/23/19

Fingerprint

Data storage equipment
Servers
Hardware
Bandwidth
Engineers
Side channel attack

Keywords

  • Cache-side-channel-attack
  • Directory
  • Evict+Reload
  • Flush+Reload
  • Non-inclusive-cache
  • Prime+Probe

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this

Yan, M., Sprabery, R., Gopireddy, B., Fletcher, C. W., Campbell, R. H., & Torrellas, J. (2019). Attack directories, not caches: Side channel attacks in a non-inclusive world. In Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019 (pp. 888-904). [8835325] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2019.00004

Attack directories, not caches : Side channel attacks in a non-inclusive world. / Yan, Mengjia; Sprabery, Read; Gopireddy, Bhargava; Fletcher, Christopher Wardlaw; Campbell, R H; Torrellas, Josep.

Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 888-904 8835325 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Yan, M, Sprabery, R, Gopireddy, B, Fletcher, CW, Campbell, RH & Torrellas, J 2019, Attack directories, not caches: Side channel attacks in a non-inclusive world. in Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019., 8835325, Proceedings - IEEE Symposium on Security and Privacy, vol. 2019-May, Institute of Electrical and Electronics Engineers Inc., pp. 888-904, 40th IEEE Symposium on Security and Privacy, SP 2019, San Francisco, United States, 5/19/19. https://doi.org/10.1109/SP.2019.00004
Yan M, Sprabery R, Gopireddy B, Fletcher CW, Campbell RH, Torrellas J. Attack directories, not caches: Side channel attacks in a non-inclusive world. In Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019. Institute of Electrical and Electronics Engineers Inc. 2019. p. 888-904. 8835325. (Proceedings - IEEE Symposium on Security and Privacy). https://doi.org/10.1109/SP.2019.00004
Yan, Mengjia ; Sprabery, Read ; Gopireddy, Bhargava ; Fletcher, Christopher Wardlaw ; Campbell, R H ; Torrellas, Josep. / Attack directories, not caches : Side channel attacks in a non-inclusive world. Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019. Institute of Electrical and Electronics Engineers Inc., 2019. pp. 888-904 (Proceedings - IEEE Symposium on Security and Privacy).
@inproceedings{e9980274824e4394bdc9092b62ffcb78,
title = "Attack directories, not caches: Side channel attacks in a non-inclusive world",
abstract = "Although clouds have strong virtual memory isolation guarantees, cache attacks stemming from shared caches have proved to be a large security problem. However, despite the past effectiveness of cache attacks, their viability has recently been called into question on modern systems, due to trends in cache hierarchy design moving away from inclusive cache hierarchies. In this paper, we reverse engineer the structure of the directory in a sliced, non-inclusive cache hierarchy, and prove that the directory can be used to bootstrap conflict-based cache attacks on the last-level cache. We design the first cross-core Prime+Probe attack on non-inclusive caches. This attack works with minimal assumptions: the adversary does not need to share any virtual memory with the victim, nor run on the same processor core. We also show the first high-bandwidth Evict+Reload attack on the same hardware. We demonstrate both attacks by extracting key bits during RSA operations in GnuPG on a state-of-the-art non-inclusive Intel Skylake-X server.",
keywords = "Cache-side-channel-attack, Directory, Evict+Reload, Flush+Reload, Non-inclusive-cache, Prime+Probe",
author = "Mengjia Yan and Read Sprabery and Bhargava Gopireddy and Fletcher, {Christopher Wardlaw} and Campbell, {R H} and Josep Torrellas",
year = "2019",
month = "5",
doi = "10.1109/SP.2019.00004",
language = "English (US)",
series = "Proceedings - IEEE Symposium on Security and Privacy",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "888--904",
booktitle = "Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019",
address = "United States",

}

TY - GEN

T1 - Attack directories, not caches

T2 - Side channel attacks in a non-inclusive world

AU - Yan, Mengjia

AU - Sprabery, Read

AU - Gopireddy, Bhargava

AU - Fletcher, Christopher Wardlaw

AU - Campbell, R H

AU - Torrellas, Josep

PY - 2019/5

Y1 - 2019/5

N2 - Although clouds have strong virtual memory isolation guarantees, cache attacks stemming from shared caches have proved to be a large security problem. However, despite the past effectiveness of cache attacks, their viability has recently been called into question on modern systems, due to trends in cache hierarchy design moving away from inclusive cache hierarchies. In this paper, we reverse engineer the structure of the directory in a sliced, non-inclusive cache hierarchy, and prove that the directory can be used to bootstrap conflict-based cache attacks on the last-level cache. We design the first cross-core Prime+Probe attack on non-inclusive caches. This attack works with minimal assumptions: the adversary does not need to share any virtual memory with the victim, nor run on the same processor core. We also show the first high-bandwidth Evict+Reload attack on the same hardware. We demonstrate both attacks by extracting key bits during RSA operations in GnuPG on a state-of-the-art non-inclusive Intel Skylake-X server.

AB - Although clouds have strong virtual memory isolation guarantees, cache attacks stemming from shared caches have proved to be a large security problem. However, despite the past effectiveness of cache attacks, their viability has recently been called into question on modern systems, due to trends in cache hierarchy design moving away from inclusive cache hierarchies. In this paper, we reverse engineer the structure of the directory in a sliced, non-inclusive cache hierarchy, and prove that the directory can be used to bootstrap conflict-based cache attacks on the last-level cache. We design the first cross-core Prime+Probe attack on non-inclusive caches. This attack works with minimal assumptions: the adversary does not need to share any virtual memory with the victim, nor run on the same processor core. We also show the first high-bandwidth Evict+Reload attack on the same hardware. We demonstrate both attacks by extracting key bits during RSA operations in GnuPG on a state-of-the-art non-inclusive Intel Skylake-X server.

KW - Cache-side-channel-attack

KW - Directory

KW - Evict+Reload

KW - Flush+Reload

KW - Non-inclusive-cache

KW - Prime+Probe

UR - http://www.scopus.com/inward/record.url?scp=85072923902&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85072923902&partnerID=8YFLogxK

U2 - 10.1109/SP.2019.00004

DO - 10.1109/SP.2019.00004

M3 - Conference contribution

AN - SCOPUS:85072923902

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 888

EP - 904

BT - Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019

PB - Institute of Electrical and Electronics Engineers Inc.

ER -