Abstract
Cache attacks, which exploit differences in timing to perform covert or side channels, are now well understood. Recent works leverage the last level cache to perform cache attacks across cores. This cache is split in slices, with one slice per core. While predicting the slices used by an address is simple in older processors, recent processors are using an undocumented technique called complex addressing. This renders some attacks more difficult and makes other attacks impossible, because of the loss of precision in the prediction of cache collisions.
In this paper, we build an automatic and generic method for reverse engineering Intel’s last-level cache complex addressing, consequently rendering the class of cache attacks highly practical. Our method relies on CPU hardware performance counters to determine the cache slice an address is mapped to. We show that our method gives a more precise description of the complex addressing function than previous work. We validated our method by reversing the complex addressing functions on a diverse set of Intel processors. This set encompasses Sandy Bridge, Ivy Bridge and Haswell micro-architectures, with different number of cores, for mobile and server ranges of processors. We show the correctness of our function by building a covert channel. Finally, we discuss how other attacks benefit from knowing the complex addressing of a cache, such as sandboxed rowhammer.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
At the time of camera ready, Espresso has been running without providing any results for more than 2000 h on a table of more than 100.000.000 lines, which only represents the sixth of the 64 GB of memory of the machine.
References
Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh Aah.. Just a Little Bit”: a small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014)
Chrome Developers. Native Client. https://developer.chrome.com/native-client. Accessed 2 June 2015
Chrome Developers. Native Client Revision 13809, September 2014. http://src.chromium.org/viewvc/native_client?revision=13809&view=revision. Accessed 2 June 2015
Crama, Y., Hammer, P.L.: Boolean Functions: Theory, Algorithms, and Applications. Cambridge University Press, New York (2011)
Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.: On the feasibility of online malware detection with performance counters. ACM SIGARCH Comput. Architect. News 41(3), 559–570 (2013)
Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in JavaScript. arXiv:1507.06955v1 (2015)
Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: Proceedings of the 24th USENIX Security Symposium (2015)
Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (S&P 2013), pp. 191–205. IEEE, May 2013
Intel. Intel\(\textregistered \) Xeon\(\textregistered \) Processor E5–2600 Product Family Uncore Performance Monitoring Guide. 327043–001:1–136 (2012)
Intel. Intel\(\textregistered \) 64 and IA-32 Architectures Software Developer’s Manual, vol. 3 (3A, 3B & 3C): System Programming Guide. 3(253665) (2014)
Intel. Intel\(\textregistered \) Xeon\(\textregistered \) Processor E5 v2 and E7 v2 Product Families Uncore Performance Monitoring Reference Manual. 329468–002:1–200 (2014)
Intel. Intel\(\textregistered \) Xeon\(\textregistered \) Processor E5 v3 Family Uncore Performance Monitoring Reference Manual. 331051–001:1–232 (2014)
Irazoqui, G., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (AsiaCCS 2015), pp. 85–96 (2015)
Irazoqui, G., Eisenbarth, T., Sunar, B.: S\(\$\)A: a shared cache attack that works across cores and defies VM sandboxing–and its application to AES. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P 2015) (2015)
Irazoqui, G., Eisenbarth, T., Sunar, B.: Systematic reverse engineering of cache slice selection in Intel processors. In: Proceedings of the 18th EUROMICRO Conference on Digital System Design (2015)
Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! A fast, Cross-VM attack on AES. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 299–319. Springer, Heidelberg (2014)
Irazoqui, G., IncI, M.S., Eisenbarth, T., Sunar, B.: Know thy neighbor: crypto library detection in cloud. Proc. Priv. Enhancing Technol. 1(1), 25–40 (2015)
Jahagirdar, S., George, V., Sodhi, I., Wells, R.: Power management of the third generation Intel Core micro architecture formerly codenamed Ivy Bridge. In: Hot Chips 2012 (2012). http://hotchips.org/wp-content/uploads/hc_archives/hc24/HC24-1-Microprocessor/HC24.28.117-HotChips_IvyBridge_Power_04.pdf. Accessed 16 July 2015
Kim, D.-H., Nair, P.J., Qureshi, M.K.: Architectural support for mitigating row hammering in DRAM memories. IEEE Comput. Archit. Lett. 14(1), 9–12 (2014)
Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P 2015) (2015)
Malone, C., Zahran, M., Karri, R.: Are hardware performance counters a cost effective way for integrity checking of programs. In: Proceedings of the Sixth ACM Workshop on Scalable Trusted Computing (2011)
Maurice, C., Neumann, C., Heen, O., Francillon, A.: C5: cross-cores cache covert channel. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 46–64. Springer, Heidelberg (2015)
Neve, M., Seifert, J.-P.: Advances on access-driven cache attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 147–162. Springer, Heidelberg (2007)
Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015) (2015)
Osvik, Dag Arne, Shamir, Adi, Tromer, Eran: Cache attacks and countermeasures: the case of AES. In: Pointcheval, David (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)
Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan, pp. 1–13 (2005)
Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), pp. 199–212 (2009)
Seaborn, M.: Exploiting the DRAM rowhammer bug to gain kernel privileges, March 2015. http://googleprojectzero.blogspot.fr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html. Accessed 2 June 2015
Seaborn, M.: L3 cache mapping on Sandy Bridge CPUs, April 2015. http://lackingrhoticity.blogspot.fr/2015/04/l3-cache-mapping-on-sandy-bridge-cpus.html. Accessed 2 June 2015
Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptology 23(1), 37–71 (2010)
Uhsadel, L., Georges, A., Verbauwhede, I.: Exploiting hardware performance counters. In: Proceedings of the 5th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pp. 59–67 (2008)
Willems, C., Hund, R., Fobian, A., Felsch, D., Holz, T.: Down to the bare metal: using processor features for binary analysis. In: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC 2012), pp. 189–198 (2012)
Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: Proceedings of the 21st USENIX Security Symposium (2012)
Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: Proceedings of the 42th International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12 (2012)
Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Cloud Computing Security Workshop (CCSW 2011), pp. 29–40 (2011)
Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23th USENIX Security Symposium (2014)
Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012) (2012)
Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side-channel attacks in PaaS clouds. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pp. 990–1003. ACM Press, New York (2014)
Acknowledgments
We would like to thank Mark Seaborn, Mate Soos, Gorka Irazoqui, Thomas Eisenbarth and our anonymous reviewers for their valuable comments and suggestions. We also greatly thank Stefan Mangard and Daniel Gruss for the collaboration on the exploitation of the rowhammer bug in Javascript, for which we applied the findings of this article after its submission.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A. (2015). Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science(), vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-26362-5_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26361-8
Online ISBN: 978-3-319-26362-5
eBook Packages: Computer ScienceComputer Science (R0)