TY - GEN
T1 - ReplayConfusion
T2 - 49th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2016
AU - Yan, Mengjia
AU - Shalabi, Yasser
AU - Torrellas, Josep
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/12/14
Y1 - 2016/12/14
N2 - Cache-based covert channel attacks use highly-Tuned shared-cache conflict misses to pass information from a trojan to a spy process. Detecting such attacks is very challenging. State of the art detection mechanisms do not consider the general characteristics of such attacks and, instead, focus on specific communication protocols. As a result, they fail to detect attacks using different protocols and, hence, have limited coverage. In this paper, we make the following observation about these attacks: not only are the malicious accesses highly tuned to the mapping of addresses to the caches; they also follow a distinctive cadence as bits are being received. Changing the mapping of addresses to the caches substantially disrupts the conflict miss patterns, but retains the cadence. This is in contrast to benign programs. Based on this observation, we propose a novel, high-coverage approach to detect cache-based covert channel attacks. It is called ReplayConfusion, and is based on Record and deterministic Replay (RnR). After a program's execution is recorded, it is deterministically replayed using a different mapping of addresses to the caches. We then analyze the difference between the cache miss rate timelines of the two runs. If the difference function is both sizable and exhibits a periodic pattern, it indicates that there is an attack. This paper also introduces a new taxonomy of cache-based covert channel attacks, and shows that ReplayConfusion uncovers examples from all the categories. Finally, ReplayConfusion only needs simple hardware.
AB - Cache-based covert channel attacks use highly-Tuned shared-cache conflict misses to pass information from a trojan to a spy process. Detecting such attacks is very challenging. State of the art detection mechanisms do not consider the general characteristics of such attacks and, instead, focus on specific communication protocols. As a result, they fail to detect attacks using different protocols and, hence, have limited coverage. In this paper, we make the following observation about these attacks: not only are the malicious accesses highly tuned to the mapping of addresses to the caches; they also follow a distinctive cadence as bits are being received. Changing the mapping of addresses to the caches substantially disrupts the conflict miss patterns, but retains the cadence. This is in contrast to benign programs. Based on this observation, we propose a novel, high-coverage approach to detect cache-based covert channel attacks. It is called ReplayConfusion, and is based on Record and deterministic Replay (RnR). After a program's execution is recorded, it is deterministically replayed using a different mapping of addresses to the caches. We then analyze the difference between the cache miss rate timelines of the two runs. If the difference function is both sizable and exhibits a periodic pattern, it indicates that there is an attack. This paper also introduces a new taxonomy of cache-based covert channel attacks, and shows that ReplayConfusion uncovers examples from all the categories. Finally, ReplayConfusion only needs simple hardware.
UR - http://www.scopus.com/inward/record.url?scp=85009347928&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85009347928&partnerID=8YFLogxK
U2 - 10.1109/MICRO.2016.7783742
DO - 10.1109/MICRO.2016.7783742
M3 - Conference contribution
AN - SCOPUS:85009347928
T3 - Proceedings of the Annual International Symposium on Microarchitecture, MICRO
BT - MICRO 2016 - 49th Annual IEEE/ACM International Symposium on Microarchitecture
PB - IEEE Computer Society
Y2 - 15 October 2016 through 19 October 2016
ER -