ReplayConfusion: Detecting cache-based covert channel attacks using record and replay

Mengjia Yan, Yasser Shalabi, Josep Torrellas

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Cache-based covert channel attacks use highly-Tuned shared-cache conflict misses to pass information from a trojan to a spy process. Detecting such attacks is very challenging. State of the art detection mechanisms do not consider the general characteristics of such attacks and, instead, focus on specific communication protocols. As a result, they fail to detect attacks using different protocols and, hence, have limited coverage. In this paper, we make the following observation about these attacks: not only are the malicious accesses highly tuned to the mapping of addresses to the caches; they also follow a distinctive cadence as bits are being received. Changing the mapping of addresses to the caches substantially disrupts the conflict miss patterns, but retains the cadence. This is in contrast to benign programs. Based on this observation, we propose a novel, high-coverage approach to detect cache-based covert channel attacks. It is called ReplayConfusion, and is based on Record and deterministic Replay (RnR). After a program's execution is recorded, it is deterministically replayed using a different mapping of addresses to the caches. We then analyze the difference between the cache miss rate timelines of the two runs. If the difference function is both sizable and exhibits a periodic pattern, it indicates that there is an attack. This paper also introduces a new taxonomy of cache-based covert channel attacks, and shows that ReplayConfusion uncovers examples from all the categories. Finally, ReplayConfusion only needs simple hardware.

Original languageEnglish (US)
Title of host publicationMICRO 2016 - 49th Annual IEEE/ACM International Symposium on Microarchitecture
PublisherIEEE Computer Society
ISBN (Electronic)9781509035083
DOIs
StatePublished - Dec 14 2016
Event49th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2016 - Taipei, Taiwan, Province of China
Duration: Oct 15 2016Oct 19 2016

Publication series

NameProceedings of the Annual International Symposium on Microarchitecture, MICRO
Volume2016-December
ISSN (Print)1072-4451

Other

Other49th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2016
CountryTaiwan, Province of China
CityTaipei
Period10/15/1610/19/16

ASJC Scopus subject areas

  • Hardware and Architecture

Fingerprint Dive into the research topics of 'ReplayConfusion: Detecting cache-based covert channel attacks using record and replay'. Together they form a unique fingerprint.

Cite this