An Investigation of Microarchitectural Cache-Based Side-Channel Attacks from a Digital Forensic Perspective: Methods of Exploits and Countermeasures

Chapter in: Artificial Intelligence in Cyber Security: Impact and Implications

Abstract

In the current fast-paced development of computer hardware, manufacturers often prioritise an expedited time to market or maximum throughput. This inevitably leads to a number of unintentional hardware vulnerabilities, which can be exploited to launch devastating hardware attacks and, as a result, compromise the privacy of end-users. Microarchitectural attacks, which exploit the microarchitectural behaviour of modern computer systems, are one example of such hardware attacks and are the central focus of this paper. This type of attack exploits the microarchitectural performance characteristics of processor implementations, which can in turn expose hidden hardware state. Microarchitectural attacks compromise the security of computational environments even under advanced protection mechanisms such as virtualisation and sandboxes. In light of these threats against modern computing hardware, a detailed survey of recent attacks that exploit microarchitectural elements in modern, shared computing hardware was performed from a Digital Forensic perspective. It is demonstrated that the CPU (central processing unit) is an attractive resource for attackers to target, and it is shown that adversaries could potentially use microarchitectural cache-based side-channel attacks to extract and analytically examine sensitive data from their victims. This study focuses only on cache-based attacks, as opposed to other variants of side-channel attacks, which have a broad application range. The paper makes three major contributions to the body of knowledge: firstly, the breadth of the scope of the analysis and a detailed examination of the means by which data is analysed when performing side-channel attacks; secondly, how novel uses of data can facilitate side-channel attacks; and thirdly, the provision of an agenda for directing future research.




Correspondence to Reza Montasari .


© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Montasari, R., Tait, B., Jahankhani, H., Carroll, F. (2021). An Investigation of Microarchitectural Cache-Based Side-Channel Attacks from a Digital Forensic Perspective: Methods of Exploits and Countermeasures. In: Montasari, R., Jahankhani, H. (eds) Artificial Intelligence in Cyber Security: Impact and Implications. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-88040-8_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88040-8_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88039-2

  • Online ISBN: 978-3-030-88040-8
