Skip to main content
SpringerLink
Log in

Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters

  • Conference paper
  • First Online:
Research in Attacks, Intrusions, and Defenses (RAID 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9404))

Included in the following conference series:

Abstract

Cache attacks, which exploit differences in timing to perform covert or side channels, are now well understood. Recent works leverage the last level cache to perform cache attacks across cores. This cache is split in slices, with one slice per core. While predicting the slices used by an address is simple in older processors, recent processors are using an undocumented technique called complex addressing. This renders some attacks more difficult and makes other attacks impossible, because of the loss of precision in the prediction of cache collisions.

In this paper, we build an automatic and generic method for reverse engineering Intel’s last-level cache complex addressing, consequently rendering the class of cache attacks highly practical. Our method relies on CPU hardware performance counters to determine the cache slice an address is mapped to. We show that our method gives a more precise description of the complex addressing function than previous work. We validated our method by reversing the complex addressing functions on a diverse set of Intel processors. This set encompasses Sandy Bridge, Ivy Bridge and Haswell micro-architectures, with different number of cores, for mobile and server ranges of processors. We show the correctness of our function by building a covert channel. Finally, we discuss how other attacks benefit from knowing the complex addressing of a cache, such as sandboxed rowhammer.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    For the Xeon range (servers): processors of the micro-architecture Sandy Bridge in [9], Ivy Bridge in [11], and Haswell in [12]. For the Core range (mobiles and workstations), in [10] for the three aforementioned micro-architectures.

  2. 2.

    At the time of camera ready, Espresso has been running without providing any results for more than 2000 h on a table of more than 100.000.000 lines, which only represents the sixth of the 64 GB of memory of the machine.

References

  1. Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh Aah.. Just a Little Bit”: a small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014)

    Google Scholar 

  2. Chrome Developers. Native Client. https://developer.chrome.com/native-client. Accessed 2 June 2015

  3. Chrome Developers. Native Client Revision 13809, September 2014. http://src.chromium.org/viewvc/native_client?revision=13809&view=revision. Accessed 2 June 2015

  4. Crama, Y., Hammer, P.L.: Boolean Functions: Theory, Algorithms, and Applications. Cambridge University Press, New York (2011)

    Book  Google Scholar 

  5. Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.: On the feasibility of online malware detection with performance counters. ACM SIGARCH Comput. Architect. News 41(3), 559–570 (2013)

    Article  Google Scholar 

  6. Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in JavaScript. arXiv:1507.06955v1 (2015)

  7. Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: Proceedings of the 24th USENIX Security Symposium (2015)

    Google Scholar 

  8. Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (S&P 2013), pp. 191–205. IEEE, May 2013

    Google Scholar 

  9. Intel. Intel\(\textregistered \) Xeon\(\textregistered \) Processor E5–2600 Product Family Uncore Performance Monitoring Guide. 327043–001:1–136 (2012)

    Google Scholar 

  10. Intel. Intel\(\textregistered \) 64 and IA-32 Architectures Software Developer’s Manual, vol. 3 (3A, 3B & 3C): System Programming Guide. 3(253665) (2014)

    Google Scholar 

  11. Intel. Intel\(\textregistered \) Xeon\(\textregistered \) Processor E5 v2 and E7 v2 Product Families Uncore Performance Monitoring Reference Manual. 329468–002:1–200 (2014)

    Google Scholar 

  12. Intel. Intel\(\textregistered \) Xeon\(\textregistered \) Processor E5 v3 Family Uncore Performance Monitoring Reference Manual. 331051–001:1–232 (2014)

    Google Scholar 

  13. Irazoqui, G., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (AsiaCCS 2015), pp. 85–96 (2015)

    Google Scholar 

  14. Irazoqui, G., Eisenbarth, T., Sunar, B.: S\(\$\)A: a shared cache attack that works across cores and defies VM sandboxing–and its application to AES. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P 2015) (2015)

    Google Scholar 

  15. Irazoqui, G., Eisenbarth, T., Sunar, B.: Systematic reverse engineering of cache slice selection in Intel processors. In: Proceedings of the 18th EUROMICRO Conference on Digital System Design (2015)

    Google Scholar 

  16. Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! A fast, Cross-VM attack on AES. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 299–319. Springer, Heidelberg (2014)

    Google Scholar 

  17. Irazoqui, G., IncI, M.S., Eisenbarth, T., Sunar, B.: Know thy neighbor: crypto library detection in cloud. Proc. Priv. Enhancing Technol. 1(1), 25–40 (2015)

    Google Scholar 

  18. Jahagirdar, S., George, V., Sodhi, I., Wells, R.: Power management of the third generation Intel Core micro architecture formerly codenamed Ivy Bridge. In: Hot Chips 2012 (2012). http://hotchips.org/wp-content/uploads/hc_archives/hc24/HC24-1-Microprocessor/HC24.28.117-HotChips_IvyBridge_Power_04.pdf. Accessed 16 July 2015

  19. Kim, D.-H., Nair, P.J., Qureshi, M.K.: Architectural support for mitigating row hammering in DRAM memories. IEEE Comput. Archit. Lett. 14(1), 9–12 (2014)

    Article  Google Scholar 

  20. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P 2015) (2015)

    Google Scholar 

  21. Malone, C., Zahran, M., Karri, R.: Are hardware performance counters a cost effective way for integrity checking of programs. In: Proceedings of the Sixth ACM Workshop on Scalable Trusted Computing (2011)

    Google Scholar 

  22. Maurice, C., Neumann, C., Heen, O., Francillon, A.: C5: cross-cores cache covert channel. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 46–64. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  23. Neve, M., Seifert, J.-P.: Advances on access-driven cache attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 147–162. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  24. Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015) (2015)

    Google Scholar 

  25. Osvik, Dag Arne, Shamir, Adi, Tromer, Eran: Cache attacks and countermeasures: the case of AES. In: Pointcheval, David (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  26. Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan, pp. 1–13 (2005)

    Google Scholar 

  27. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), pp. 199–212 (2009)

    Google Scholar 

  28. Seaborn, M.: Exploiting the DRAM rowhammer bug to gain kernel privileges, March 2015. http://googleprojectzero.blogspot.fr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html. Accessed 2 June 2015

  29. Seaborn, M.: L3 cache mapping on Sandy Bridge CPUs, April 2015. http://lackingrhoticity.blogspot.fr/2015/04/l3-cache-mapping-on-sandy-bridge-cpus.html. Accessed 2 June 2015

  30. Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptology 23(1), 37–71 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  31. Uhsadel, L., Georges, A., Verbauwhede, I.: Exploiting hardware performance counters. In: Proceedings of the 5th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pp. 59–67 (2008)

    Google Scholar 

  32. Willems, C., Hund, R., Fobian, A., Felsch, D., Holz, T.: Down to the bare metal: using processor features for binary analysis. In: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC 2012), pp. 189–198 (2012)

    Google Scholar 

  33. Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: Proceedings of the 21st USENIX Security Symposium (2012)

    Google Scholar 

  34. Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: Proceedings of the 42th International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12 (2012)

    Google Scholar 

  35. Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Cloud Computing Security Workshop (CCSW 2011), pp. 29–40 (2011)

    Google Scholar 

  36. Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23th USENIX Security Symposium (2014)

    Google Scholar 

  37. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012) (2012)

    Google Scholar 

  38. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side-channel attacks in PaaS clouds. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pp. 990–1003. ACM Press, New York (2014)

    Google Scholar 

Download references

Acknowledgments

We would like to thank Mark Seaborn, Mate Soos, Gorka Irazoqui, Thomas Eisenbarth and our anonymous reviewers for their valuable comments and suggestions. We also greatly thank Stefan Mangard and Daniel Gruss for the collaboration on the exploitation of the rowhammer bug in Javascript, for which we applied the findings of this article after its submission.

Author information

Authors and Affiliations

  1. Technicolor, Rennes, France

    Clémentine Maurice, Nicolas Le Scouarnec, Christoph Neumann & Olivier Heen

  2. Eurecom, Sophia Antipolis, France

    Clémentine Maurice & Aurélien Francillon

Authors
  1. Clémentine Maurice
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nicolas Le Scouarnec
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Christoph Neumann
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Olivier Heen
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Aurélien Francillon
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Clémentine Maurice .

Editor information

Editors and Affiliations

  1. Vrije Universiteit Amsterdam, Amsterdam, Noord-Holland, The Netherlands

    Herbert Bos

  2. University of North Carolina at Chapel H, Chapel-Hill, USA

    Fabian Monrose

  3. Université Paris-Saclay, Evry, France

    Gregory Blanc

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A. (2015). Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation