Abstract
Cloud computing is convenient to provide adequate resources for tenants, but it suffers from information disclosure risks because hardware resources are shared among multiple tenants. For example, secret information in the shared cache can be inferred by other malicious processes, which is called cache-based attacks. To defeat against such attacks, many detection methods have been proposed. However, most of the existing detection mechanisms completely rely on the hardware performance counters (HPCs) and induce high false positives in detecting attacks. This paper proposes an accurate detector named CBA-Detector to detect cache-based side-channel attacks in real time. CBA-Detector is composed of an offline analysis phase and an online detection phase. The former analyzes the hardware events generated by sample programs. Then it extracts features from these events to train machine learning models. Based on the models, the latter monitors active processes in real time to discover suspicious processes. These suspicious processes will be checked again at the instruction level by customized Pintools, which effectively eliminates false positives. As shown in our experiments, CBA-Detector can accurately identify attacks in real time and introduces 4.4% overhead on PARSEC and about 10% overhead on web server.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Briongos, S., Irazoqui, G., Malagón, P., Eisenbarth, T.: CacheShield: detecting cache attacks through self-observation. In: CODASPY 2018, pp. 224–235 (2018)
Chiappetta, M., Savas, E., Yilmaz, C.: Real time detection of cache-based side-channel attacks using hardware performance counters. Appl. Soft Comput. 49, 1162–1174 (2016)
Das, S., Werner, J., Antonakakis, M., Polychronakis, M., Monrose, F.: SoK: the challenges, pitfalls, and perils of using hardware performance counters for security. In: 2019 IEEE Symposium on Security and Privacy (SP) (2019)
Gruss, D., Lettner, J., Schuster, F., Ohrimenko, O., Haller, I., Costa, M.: Strong and efficient cache side-channel protection using hardware transactional memory. In: USENIX Security, pp. 217–233 (2017)
Gruss, D., Maurice, C., Wagner, K., Mangard, S.: Flush+Flush: a fast and stealthy cache attack. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 279–299. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_14
Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: USENIX Security, pp. 189–204 (2012)
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. CoRR abs/1801.01203 (2018)
Lipp, M., et al.: Meltdown. CoRR abs/1801.01207 (2018)
Liu, F., et al.: CATalyst: defeating last-level cache side channel attacks in cloud computing. In: HPCA, pp. 406–418 (2016)
Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: SP, pp. 605–622 (2015)
Mushtaq, M., Akram, A., Bhatti, M.K., Chaudhry, M., Lapotre, V., Gogniat, G.: NIGHTs-WATCH: a cache-based side-channel intrusion detector using hardware performance counters. In: HASP, pp. 1:1–1:8 (2018)
Payer, M.: HexPADS: a platform to detect “Stealth” attacks. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 138–154. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30806-7_9
Intel Pin: Intel pin dynamic binary instrumentation tool (2012). https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool. Accessed 20 Apr 2019
Sabbagh, M., Fei, Y., Wahl, T., Ding, A.A.: SCADET: a side-channel attack detection tool for tracking Prime+Probe. In: ICCAD 2018, p. 107 (2018)
Terpstra, D., Jagode, H., You, H., Dongarra, J.J.: Collecting performance data with PAPI-C. In: Müller, M., Resch, M., Schulz, A., Nagel, W. (eds.) International Workshop on Parallel Tools for High Performance Computing 2009, pp. 157–173. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11261-4_11
Wang, Z.H., Peng, S.H., Guo, X.Y., Jiang, W.B.: Zero in and TimeFuzz: detection and mitigation of cache side-channel attacks. In: Lanet, J.-L., Toma, C. (eds.) SECITC 2018. LNCS, vol. 11359, pp. 410–424. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12942-2_31
Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security, pp. 719–732 (2014)
Zhang, T., Zhang, Y., Lee, R.B.: CloudRadar: a real-time side-channel attack detection system in clouds. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 118–140. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_6
Acknowlegements
This work was supported by National Natural Science Foundation of China (No. 61772204, No. 61732014).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Zheng, B., Gu, J., Weng, C. (2019). CBA-Detector: An Accurate Detector Against Cache-Based Attacks Using HPCs and Pintools. In: Yew, PC., Stenström, P., Wu, J., Gong, X., Li, T. (eds) Advanced Parallel Processing Technologies. APPT 2019. Lecture Notes in Computer Science(), vol 11719. Springer, Cham. https://doi.org/10.1007/978-3-030-29611-7_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-29611-7_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29610-0
Online ISBN: 978-3-030-29611-7
eBook Packages: Computer ScienceComputer Science (R0)
