CBA-Detector: An Accurate Detector Against Cache-Based Attacks Using HPCs and Pintools

  • Beilei ZhengEmail author
  • Jianan Gu
  • Chuliang Weng
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11719)


Cloud computing is convenient to provide adequate resources for tenants, but it suffers from information disclosure risks because hardware resources are shared among multiple tenants. For example, secret information in the shared cache can be inferred by other malicious processes, which is called cache-based attacks. To defeat against such attacks, many detection methods have been proposed. However, most of the existing detection mechanisms completely rely on the hardware performance counters (HPCs) and induce high false positives in detecting attacks. This paper proposes an accurate detector named CBA-Detector to detect cache-based side-channel attacks in real time. CBA-Detector is composed of an offline analysis phase and an online detection phase. The former analyzes the hardware events generated by sample programs. Then it extracts features from these events to train machine learning models. Based on the models, the latter monitors active processes in real time to discover suspicious processes. These suspicious processes will be checked again at the instruction level by customized Pintools, which effectively eliminates false positives. As shown in our experiments, CBA-Detector can accurately identify attacks in real time and introduces 4.4% overhead on PARSEC and about 10% overhead on web server.


Cache-based side-channel attacks Hardware performance counters Pintools False positives 



This work was supported by National Natural Science Foundation of China (No. 61772204, No. 61732014).


  1. 1.
    Briongos, S., Irazoqui, G., Malagón, P., Eisenbarth, T.: CacheShield: detecting cache attacks through self-observation. In: CODASPY 2018, pp. 224–235 (2018)Google Scholar
  2. 2.
    Chiappetta, M., Savas, E., Yilmaz, C.: Real time detection of cache-based side-channel attacks using hardware performance counters. Appl. Soft Comput. 49, 1162–1174 (2016)CrossRefGoogle Scholar
  3. 3.
    Das, S., Werner, J., Antonakakis, M., Polychronakis, M., Monrose, F.: SoK: the challenges, pitfalls, and perils of using hardware performance counters for security. In: 2019 IEEE Symposium on Security and Privacy (SP) (2019)Google Scholar
  4. 4.
    Gruss, D., Lettner, J., Schuster, F., Ohrimenko, O., Haller, I., Costa, M.: Strong and efficient cache side-channel protection using hardware transactional memory. In: USENIX Security, pp. 217–233 (2017)Google Scholar
  5. 5.
    Gruss, D., Maurice, C., Wagner, K., Mangard, S.: Flush+Flush: a fast and stealthy cache attack. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 279–299. Springer, Cham (2016). Scholar
  6. 6.
    Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: USENIX Security, pp. 189–204 (2012)Google Scholar
  7. 7.
    Kocher, P., et al.: Spectre attacks: exploiting speculative execution. CoRR abs/1801.01203 (2018)Google Scholar
  8. 8.
    Lipp, M., et al.: Meltdown. CoRR abs/1801.01207 (2018)Google Scholar
  9. 9.
    Liu, F., et al.: CATalyst: defeating last-level cache side channel attacks in cloud computing. In: HPCA, pp. 406–418 (2016)Google Scholar
  10. 10.
    Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: SP, pp. 605–622 (2015)Google Scholar
  11. 11.
    Mushtaq, M., Akram, A., Bhatti, M.K., Chaudhry, M., Lapotre, V., Gogniat, G.: NIGHTs-WATCH: a cache-based side-channel intrusion detector using hardware performance counters. In: HASP, pp. 1:1–1:8 (2018)Google Scholar
  12. 12.
    Payer, M.: HexPADS: a platform to detect “Stealth” attacks. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 138–154. Springer, Cham (2016). Scholar
  13. 13.
    Intel Pin: Intel pin dynamic binary instrumentation tool (2012). Accessed 20 Apr 2019
  14. 14.
    Sabbagh, M., Fei, Y., Wahl, T., Ding, A.A.: SCADET: a side-channel attack detection tool for tracking Prime+Probe. In: ICCAD 2018, p. 107 (2018)Google Scholar
  15. 15.
    Terpstra, D., Jagode, H., You, H., Dongarra, J.J.: Collecting performance data with PAPI-C. In: Müller, M., Resch, M., Schulz, A., Nagel, W. (eds.) International Workshop on Parallel Tools for High Performance Computing 2009, pp. 157–173. Springer, Heidelberg (2010). Scholar
  16. 16.
    Wang, Z.H., Peng, S.H., Guo, X.Y., Jiang, W.B.: Zero in and TimeFuzz: detection and mitigation of cache side-channel attacks. In: Lanet, J.-L., Toma, C. (eds.) SECITC 2018. LNCS, vol. 11359, pp. 410–424. Springer, Cham (2019). Scholar
  17. 17.
    Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security, pp. 719–732 (2014)Google Scholar
  18. 18.
    Zhang, T., Zhang, Y., Lee, R.B.: CloudRadar: a real-time side-channel attack detection system in clouds. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 118–140. Springer, Cham (2016). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.School of Data Science and EngineeringEast China Normal UniversityShanghaiChina

Personalised recommendations