Abstract
In the current, fast-paced development of computer hardware, manufacturers often focus on an expedited time-to-market paradigm or on maximum throughput. This inevitably leads to a number of unintentional hardware vulnerabilities, which can be exploited to launch devastating hardware attacks and, as a result, compromise the privacy of end-users. Microarchitectural attacks, which exploit the microarchitectural behaviour of modern computer systems, are an example of such a hardware attack and are the central focus of this paper. This type of attack exploits the microarchitectural performance features of processor implementations, which in turn can potentially expose hidden hardware states. Microarchitectural attacks compromise the security of computational environments even within advanced protection mechanisms such as virtualisation and sandboxes. In light of these security threats against modern computing hardware, a detailed survey of recent attacks that exploit microarchitectural elements in modern, shared computing hardware was performed from a Digital Forensic perspective. It is demonstrated that the CPU (central processing unit) is an attractive resource for attackers to target, and it is shown that adversaries could potentially use microarchitectural cache-based side-channel attacks to extract and analytically examine sensitive data from their victims. This study focuses only on cache-based attacks, as opposed to other variants of side-channel attacks, which have a broad application range. The paper makes three major contributions to the body of knowledge: firstly, in the broadness of the scope of the analysis and a detailed examination of the means by which data is analysed to perform side-channel attacks; secondly, with regard to how novel uses of data can facilitate side-channel attacks; and thirdly, in the provision of an agenda for directing future research.
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
Montasari, R., Tait, B., Jahankhani, H., Carroll, F. (2021). An Investigation of Microarchitectural Cache-Based Side-Channel Attacks from a Digital Forensic Perspective: Methods of Exploits and Countermeasures. In: Montasari, R., Jahankhani, H. (eds) Artificial Intelligence in Cyber Security: Impact and Implications. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-88040-8_11
DOI: https://doi.org/10.1007/978-3-030-88040-8_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88039-2
Online ISBN: 978-3-030-88040-8