Zero in and TimeFuzz: Detection and Mitigation of Cache Side-Channel Attacks

  • ZiHao Wang
  • ShuangHe PengEmail author
  • XinYue Guo
  • WenBin Jiang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11359)


Cache Side Channel Attack (CSCA) works by monitoring security critical operations and recovering the secret or private information according to the accesses by the victim. Previous efforts on CSCA detection only rely on global statistics information, which leads to some drawbacks. To meet these challenges, Zero in and TimeFuzz (ZITF), a wide-coverage, high-accuracy mitigation scheme of CSCA based on Intel-PIN is presented here. The key point of ZITF is the combination of local features and global features, which can achieve a more accurate detection and mitigation to CSCA. To reduce the impact on other benign processes, a way to time fuzz suspicious processes is used by tampering with the time information required. The comparative experiments on benign processes and malicious processes show that ZITF really works and outperforms the previous work in several ways. In addition, the experiment also proves that ZITF can also be applied to the detection and mitigation of Flush-Flush and Meltdown attack.


Detection Mitigation Cache side channel attack Intel-PIN 


  1. 1.
    Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: HomeAlone: co-residency detection in the cloud via side-channel analysis. In: IEEE Symposium on Security & Privacy, vol. 9, no. 1, pp. 313–328 (2011)Google Scholar
  2. 2.
    Herath, N., Fogh, A.: These are Not Your Grand Daddy’s CPU Performance Counters - CPU Hardware Performance Counters for Security. Black Hat 2015 Briefings, August 2015Google Scholar
  3. 3.
    Payer, M.: HexPADS: a platform to detect “Stealth” attacks. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 138–154. Springer, Cham (2016). Scholar
  4. 4.
    Chiappetta, M., Savas, E., Yilmaz, C.: Real time detection of cache-based side-channel attacks using hardware performance counters. Appl. Soft Comput. 49, 1162–1174 (2016)CrossRefGoogle Scholar
  5. 5.
    Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2005) (2005)Google Scholar
  6. 6.
    Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: Usenix Conference on Security Symposium, pp. 719–732 (2014)Google Scholar
  7. 7.
    Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: IEEE Symposium on Security & Privacy, pp. 605–622 (2015)Google Scholar
  8. 8.
    Gruss, D., Maurice, C., Wagner, K., Mangard, S.: Flush+Flush: a fast and stealthy cache attack. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 279–299. Springer, Cham (2016). Scholar
  9. 9.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side channel attacks in PaaS clouds. In: 21st ACM Conference on Computer and Communications Security, November 2014Google Scholar
  10. 10.
    Apecechea, G.I., Inci, M.S., Eisenbarth, T., Sunar, B.: Fine grain cross-VM attacks on Xen and VMware are possible! Technical report 2014/248, IACR Cryptology ePrint Archive, April 2014Google Scholar
  11. 11.
    Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! A fast, cross-VM attack on AES. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 299–319. Springer, Cham (2014). Scholar
  12. 12.
    Kayaalp, M., et al.: RIC: relaxed inclusion caches for mitigating LLC side-channel attacks. In: Design Automation Conference (2017)Google Scholar
  13. 13.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: S\$A: a shared cache attack that works across cores and defies VM sandboxing-and its application to AES. In: 36th IEEE Symposium on Security and Privacy, May 2015Google Scholar
  14. 14.
    Inci, M.S., Gulmezoglu, B., Irazoqui, G., Eisenbarth, T., Sunar, B.: Seriously, get off my cloud! cross-VM RSA key recovery in a public cloud. Cryptology ePrint Archive, Report 2015/898 (2015)Google Scholar
  15. 15.
    Varadarajan, V., Ristenpart, T., Swift, M.: Scheduler-based defenses against cross-VM side-channels. In: 23rd USENIX Conference on Security Symposium, pp. 687–702. USENIX Association (2014)Google Scholar
  16. 16.
    Wang, Z., Lee, R.B.: New cache designs for thwarting software cachebased side channel attacks. In: 34th Annual International Symposium on Computer Architecture, pp. 494–505 (2007)Google Scholar
  17. 17.
    Wang, Z., Lee, R.B.: A novel cache architecture with enhanced performance and security. In: 41st Annual IEEE/ACM International Symposium on Microarchitecture, pp. 83–93 (2008)Google Scholar
  18. 18.
    Liu, F., Lee, R.B.: Random fill cache architecture. In: 47th IEEE/ACM Symposium on Microarchitecture, pp. 203–215, December 2014Google Scholar
  19. 19.
    Keramidas, G., Antonopoulos, A., Serpanos, D., Kaxiras, S.: Non-deterministic caches: a simple and effective defense against side channel attacks. Des. Autom. Embed. Syst. 12, 221–230 (2008)CrossRefGoogle Scholar
  20. 20.
    Raj, H., Nathuji, R., Singh, A., England, P.: Resource management for isolation enhanced cloud services. In: 2009 ACM Cloud Computing Security Workshop, pp. 77–84, November 2009Google Scholar
  21. 21.
    Shi, J., Song, X., Chen, H., Zang, B.: Limiting cache-based sidechannel in multi-tenant cloud using dynamic page coloring. In: 41st International Conference on Dependable Systems and Networks Workshops, pp. 194–199 (2011)Google Scholar
  22. 22.
    Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: 21st USENIX Conference on Security Symposium (2012)Google Scholar
  23. 23.
    Liu, C., Harris, A., Maas, M., Hicks, M., Tiwari, M., Shi, E.: Ghostrider: a hardware-software system for memory trace oblivious computation. In: Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 87–101. ACM (2015)Google Scholar
  24. 24.
    Luk, C.-K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2005) (2005)Google Scholar
  25. 25.
    Bruening, D., Garnett, T., Amarasinghe, S.: An infrastructure for adaptive dynamic optimization. In: Proceedings of the International Symposium on Code Generation and Optimization (CGO 2003) (2003)Google Scholar
  26. 26.
    Liu, F., et al.: CATalyst: defeating last-level cache side channel attacks in cloud computing. In: IEEE Symposium on High-Performance Computer Architecture, Barcelona, Spain (2016)Google Scholar
  27. 27.
    Lipp, M., et al.: Meltdown.
  28. 28.
    Kocher, P., et al.: Spectre Attacks: Exploiting Speculative Execution.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • ZiHao Wang
    • 1
  • ShuangHe Peng
    • 1
    Email author
  • XinYue Guo
    • 1
  • WenBin Jiang
    • 1
  1. 1.Beijing Key Laboratory of Security and Privacy in Intelligent TransportationBeijing Jiaotong UniversityBeijingChina

Personalised recommendations