Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World Mengjia Yan , Read Sprabery, Bhargava Gopireddy, Christopher W. Fletcher, Roy Campbell, Josep Torrellas University of Illinois at Urbana-Champaign S&P’19 May 21
Cache Side Channel Attacks Are Popular And Effective Attack Platforms Target Applications VM Isolation Victim Attacker VM VM Core Core Core Core L1 L1 L1 L1 Shared LLC 2
Why another cache side channel attack? 3
Cache Side Channel Attacks on Inclusive Caches Flush+Reload Flush+Flush Flush+Flush Conflict-based attacks. Prime+Probe Prime+Abort Only demonstrated on Evict+Reload inclusive cache hierarchies. Invalidate+Transfer Flush+Prefetch …… . 4
New Intel Processors Use Non-inclusive Caches New Intel CPU Cache Architecture Boosts Protection Against Side-Channel Attacks Skylake-X/SP (released in 2017) We challenge this assumption and prove that it is wrong 5
Inclusive Caches v.s. Non-inclusive Caches o Inclusive: Private L2 lines are also present in LLC o Non-inclusive: Private L2 lines may or may not be present in LLC private private L2 L2 shared shared LLC LLC ( non-inclusive ) ( inclusive ) 6
Challenges of Conflict-based Attacks o Lack of Visibility into the Victim’s Private Cache Target address Attacker’s addresses victim victim attacker attacker evict an cache 0 cache 0 cache 1 cache 1 inclusion victim private Victim’s line L2 does not exist in LLC shared insert to LLC. LLC insert to LLC. No conflict cache conflict. No inclusion victim Inclusion Victim (b) non-inclusive cache (a) inclusive cache 7
The Inclusive Directory Structure in Skylake-X o Directory (snoop filter): tracks presence information for cache lines 1000 0000 o TD holds directory entries for lines in LLC slice o ED holds directory entries for lines in L2 but not LLC o Directory is inclusive cache lines …… …… …… …… …… …… Shared …… …… …… …… …… …… LLC traditional extended slice The new attack directory directory (TD) (ED) surface! 8
Prime+Probe Attacks on Skylake-X o The attacker causes conflicts in ED Prime à evict victim’s line from L2 to LLC directory cache victim attacker entry line core 0 core 1 Private Target … …… address L2 … …… Attacker's cache lines addresses …… …… …… …… …… …… Shared inclusion …… …… …… …… LLC …… …… victim traditional slice extended directory directory (TD) (ED) 9
Prime+Probe Attacks on Skylake-X o The victim re-accesses the line Probe à Directory entry reloaded and attacker can observe attacker victim core 1 core 0 directory cache Private entry line … …… L2 Target … …… …… address cache lines Attacker's …… …… …… addresses …… …… Shared …… …… …… …… …… LLC …… …… …… slice traditional extended directory directory (TD) (ED) 10
Evaluation on RSA Encryption Algorithm o Square-and-Multiply Exponentiation (GnuPG 1.4.13) for i = n-1 to 0 do r = sqr(r) mod n if e i == 1 then r = mul(r, b) mod n end end 11
Evaluation Trace Epoch ID Access latencies measured in the probe operation in Prime+Probe. A sequence of “01010111011001” can be deduced as part of the exponent. 12
More in the Paper o Eviction set construction algorithm o Steps of reverse engineering the directory structure o A multi-threaded high-bandwidth Evict+Reload attack o Attack results on AMD machines 13
Countermeasures o Increase directory associativity à unrealistic o Way-partition of the directory à not feasible SecDir: A Secure Directory to Defeat Directory Side Channel Attacks [ISCA’19] Mengjia Yan, Jen-Yang Wen, Christopher W. Fletcher, and Josep Torrellas University of Illinois at Urbana-Champaign 14
Main Contributions Reverse engineer First two cache attacks Evaluate on RSA the directory structure on non-inclusive caches Directory = The unified structure for conflict-based cache attacks 15
Thank You! 16
Recommend
More recommend
