Loading [a11y]/accessibility-menu.js
Are Coherence Protocol States Vulnerable to Information Leakage? | IEEE Conference Publication | IEEE Xplore
Subscribe
ADVANCED SEARCH
Conferences >2018 IEEE International Sympo...

Are Coherence Protocol States Vulnerable to Information Leakage?

PDF
Fan Yao; Milos Doroslovacki; Guru Venkataramani
All Authors

Abstract:

Most commercial multi-core processors incorporate hardware coherence protocols to support efficient data transfers and updates between their constituent cores. While hard...Show More

Metadata

Abstract:

Most commercial multi-core processors incorporate hardware coherence protocols to support efficient data transfers and updates between their constituent cores. While hardware coherence protocols provide immense benefits for application performance by removing the burden of software-based coherence, we note that understanding the security vulnerabilities posed by such oft-used, widely-adopted processor features is critical for secure processor designs in the future. In this paper, we demonstrate a new vulnerability exposed by cache coherence protocol states. We present novel insights into how adversaries could cleverly manipulate the coherence states on shared cache blocks, and construct covert timing channels to illegitimately communicate secrets to the spy. We demonstrate 6 different practical scenarios for covert timing channel construction. In contrast to prior works, we assume a broader adversary model where the trojan and spy can either exploit explicitly shared read-only physical pages (e.g., shared library code), or use memory deduplication feature to implicitly force create shared physical pages. We demonstrate how adversaries can manipulate combinations of coherence states and data placement in different caches to construct timing channels. We also explore how adversaries could exploit multiple caches and their associated coherence states to improve transmission bandwidth with symbols encoding multiple bits. Our experimental results on commercial systems show that the peak transmission bandwidths of these covert timing channels can vary between 700 to 1100 Kbits/sec. To the best of our knowledge, our study is the first to highlight the vulnerability of hardware cache coherence protocols to timing channels that can help computer architects to craft effective defenses against exploits on such critical processor features.
Published in: 2018 IEEE International Symposium on High Performance Computer Architecture (HPCA)
Date of Conference: 24-28 February 2018
Date Added to IEEE Xplore: 29 March 2018
ISBN Information:
Electronic ISSN: 2378-203X
DOI: 10.1109/HPCA.2018.00024
Conference Location: Vienna, Austria
References is not available for this document.
Contents

I. Introduction

Cyber attacks, that exploit malicious insiders and exfiltrate secret information, are a growing concern for computer users. Covert channels are one such class of insider threats, where a trojan process, that has access to sensitive user-related information (e.g., user's personal data), secretly exfiltrates the data to a spy process even when the underlying system security policy explicitly prohibits any such communication [1]. Also, note that the trojan cannot directly reveal secrets to the outside world (since system security auditors can be easily catch such activity), and has to rely on covert modes of operation to exfiltrate secrets to the spy. In contrast to side channels where a victim process unwittingly exposes sensitive application profile to the spy monitoring its activity, covert channels work by intentional collusion between two malicious processes, namely the trojan and spy.

Select All
1.
Department of Defense Standard, Trusted Computer System Evaluation Criteria. US Department of Defense, 1983.
Google Scholar
2.
A. Chen, W. B. Moore, H. Xiao, A. Haeberlen, L. T. X. Phan, M. Sherr, and W. Zhou, “Detecting covert timing channels with time-deterministic replay,” in USENIX Symposium on Operating Systems Design and Implementation, pp. 541–554, 2014.
Google Scholar
3.
Y. Yarom and K. Falkner, “Flush+ reload: a high resolution, low noise, L3 cache side-channel attack,” in USENIX Security Symposium, pp. 719–732, 2014.
Google Scholar
4.
G. Irazoqui, T. Eisenbarth, and B. Sunar, “Cross processor cache attacks,” in Proceedings of Asia Conference on Computer and Communications Security, pp. 353–364, ACM, 2016.
CrossRef Google Scholar
5.
M. M. Martin, M. D. Hill, and D. J. Sorin, “Why on-chip cache coherence is here to stay,” Communications of the ACM, vol. 55, no. 7, pp. 78–89, 2012.
CrossRef Google Scholar
6.
Intel QuickPath Architecture,” 2012. http://www.intel.com/pressroom/archive/reference/whitepaper_QuickPath.pdf.
Google Scholar
7.
P. Conway, N. Kalyanasundharam, G. Donley, K. Lepak, and B. Hughes, “Cache hierarchy and memory subsystem of the AMD Opteron processor,” IEEE Micro, vol. 30, no. 2, pp. 16–29, 2010.
View Article
Google Scholar
8.
P. Conway and B. Hughes, “The AMD Opteron northbridge architecture,” IEEE Micro, vol. 27, no. 2, pp. 10–21, 2007.
View Article
Google Scholar
9.
C. A. Waldspurger, “Memory resource management in VMware ESX server,” ACM SIGOPS Operating Systems Review, vol. 36, no. SI, pp. 181–194, 2002.
CrossRef Google Scholar
10.
A. Barresi, K. Razavi, M. Payer, and T. R. Gross, “CAIN: silently breaking ASLR in the cloud,” in USENIX Workshop on Offensive Technologies, 2015.
Google Scholar
11.
Using Intel VTune Amplifier,” 2013. https://goo.gl/E9Fp2m.
Google Scholar
12.
F. Liu, Y. Yarom, Q. Ge, G. Heiser, and R. B. Lee, “Last-level cache side-channel attacks are practical,” in Proceedings of Symposium on Security and Privacy, pp. 605–622, IEEE, 2015.
View Article
Google Scholar
13.
R. Gallager, “Low-density parity-check codes,” IRE Transactions on Information Theory, vol. 8, no. 1, pp. 21–28, 1962.
View Article
Google Scholar
14.
kcbench. ” https://linux.die.net/man/1/kcbench.
Google Scholar
15.
D. J. Sorin, M. D. Hill, and D. A. Wood, “A primer on memory consistency and cache coherence,” Synthesis Lectures on Computer Architecture, vol. 6, no. 3, pp. 1–212, 2011.
CrossRef Google Scholar
16.
D. Hackenberg, D. Molka, and W. E. Nagel, “Comparing cache architectures and coherency protocols on x86-64 multicore SMP systems,” in Proceedings of International Symposium on Microarchitecture, pp. 413–422, ACM, 2009.
View Article
Google Scholar
17.
D. Molka, D. Hackenberg, R. Schöne, and W. E. Nagel, “Cache Coherence Protocol and Memory Performance of the Intel Haswell-Ep Architecture,” in Proceedings of International Conference on Parallel Processing, pp. 739–748, IEEE, 2015.
View Article
Google Scholar
18.
D. Gruss, R. Spreitzer, and S. Mangard, “Cache template attacks: Automating attacks on inclusive last-level caches,” in USENIX Security Symposium, pp. 897–912, 2015.
Google Scholar
19.
Y. Xu, M. Bailey, F. Jahanian, K. Joshi, M. Hiltunen, and R. Schlichting, “An exploration of L2 cache covert channels in virtualized environments,” in Proceedings of Workshop on Cloud Computing Security, pp. 29–40, ACM, 2011.
CrossRef Google Scholar
20.
T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds,” in Proceedings of Conference on Computer and Communications Security, pp. 199–212, ACM, 2009.
CrossRef Google Scholar
21.
F. Yao, G. Venkataramani, and M. Doroslovacki, “Covert timing channels exploiting non-uniform memory access based architectures,” in Proceedings of Great Lakes Symposium on VLSI, pp. 155–160, ACM, 2017.
CrossRef Google Scholar
22.
O. Aciicmez and J.-P. Seifert, “Cheap hardware parallelism implies cheap security,” in Proceedings of Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 80–91, IEEE, 2007.
View Article
Google Scholar
23.
D. Evtyushkin and D. Ponomarev, “Covert channels through random number generator: Mechanisms, capacity estimation and mitigations,” in Proceedings of Conference on Computer and Communications Security, pp. 843–857, ACM, 2016.
CrossRef Google Scholar
24.
Z. Wu, Z. Xu, and H. Wang, “Whispers in the hyper-space: high-speed covert channel attacks in the cloud,” in USENIX Security Symposium, pp. 159–173, 2012.
Google Scholar
25.
M. Alagappan, J. J. Rajendran, M. Doroslovacki, and G. Venkataramani, “DFS covert channels on multi-core platforms,” in Proceedings of International Conference on Very Large Scale Integration, IEEE, 2017.
View Article
Google Scholar
26.
O. Aciiçmez, C. K. Koç, and J.-P. Seifert, “On the power of simple branch prediction analysis,” in Proceedings of Symposium on Information, Computer and Communications Security, pp. 312–320, ACM, 2007.
CrossRef Google Scholar
27.
D. Evtyushkin, D. Ponomarev, and N. Abu-Ghazaleh, “Understanding and mitigating covert channels through branch predictors,” ACM Transactions on Architecture and Code Optimization, vol. 13, no. 1, p. 10, 2016.
CrossRef Google Scholar
28.
Z. H. Jiang, Y. Fei, and D. Kaeli, “A complete key recovery timing attack on a GPU,” in Proceeding of International Symposium on High Performance Computer Architecture, pp. 394–405, IEEE, 2016.
View Article
Google Scholar
29.
J. Demme, R. Martin, A. Waksman, and S. Sethumadhavan, “Side-channel vulnerability factor: a metric for measuring information leakage,” ACM SIGARCH Computer Architecture News, vol. 40, no. 3, pp. 106–117, 2012.
CrossRef Google Scholar
30.
Z. Wang and R. B. Lee, “New cache designs for thwarting software cache-based side channel attacks,” ACM SIGARCH Computer Architecture News, vol. 35, no. 2, pp. 494–505, 2007.
CrossRef Google Scholar

Contact IEEE to Subscribe
More Like This
Automatic Construction of Predictable and High-Performance Cache Coherence Protocols for Multicore Real-Time Systems

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Published: 2022

A Hardware Platform for Exploring Predictable Cache Coherence Protocols for Real-time Multicores

2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium (RTAS)

Published: 2021

Show More

References

References is not available for this document.

IEEE Account

Purchase Details

Profile Information

Need Help?

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
© Copyright 2025 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.