Lecture-6 (Cache Attacks) CS665-Fall 2018: Secure Memory Systems

Biswa@CSE-IITK
Before That: Bit of Crypto (Information)

Modular exponentiation, b^e mod n

Exponent e is used for decryption

Your password ~ Exponent e

CS665: Fall 2018 Biswabandan Panda, CSE@IITK 2


Then

0 0 1 0 1
Flush (Evict) + Reload
Step 0: Spy maps the shared library, shared in the cache
Step 1: Spy flushes the cache block (clflush)
Step 2: Victim reloads the cache block
Step 3: Spy reloads the cache block (hit/miss)
Hit, Voila
(Figure: LLC)

What are the Cache Block Addresses?

0 0 1 0 1
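
Added example (not part of the lecture slides): a Python simulation that ties the modular exponentiation slide to the Flush + Reload steps, showing how the spy's hit/miss trace mirrors the exponent bits 0 0 1 0 1 and how the square-and-multiply-always countermeasure (always_multiply=True) makes the trace uniform. Assumptions: the victim computes b^e mod n by left-to-right square-and-multiply, the multiply routine occupies one shared cache block (MULTIPLY, a made-up address), the spy completes exactly one flush/reload round per exponent bit, and the cache is a toy model, so no real timing is measured.

```python
# Simulated model only: ToyLLC stands in for the shared LLC, no real timing is measured.
MULTIPLY = 0x1040  # assumed address of the shared cache block holding the multiply routine

class ToyLLC:
    def __init__(self):
        self.resident = set()

    def flush(self, addr):
        """Models clflush: the block leaves the cache."""
        self.resident.discard(addr)

    def access(self, addr):
        """Returns True on a hit; the block is resident afterwards."""
        hit = addr in self.resident
        self.resident.add(addr)
        return hit

def square_and_multiply(b, e, n, llc, width, always_multiply=False):
    """Left-to-right b^e mod n over `width` exponent bits, pausing after each bit."""
    r = 1
    for bit in format(e, f"0{width}b"):
        r = r * r % n
        if bit == "1" or always_multiply:
            llc.access(MULTIPLY)           # victim fetches the multiply code
            t = r * b % n
            r = t if bit == "1" else r     # dummy product is discarded for a 0 bit
        yield r

def flush_reload_trace(b, e, n, width, always_multiply=False):
    """Returns (hit/miss per exponent bit as seen by the spy, victim's result)."""
    llc = ToyLLC()                         # Step 0: block is shared by spy and victim
    victim = square_and_multiply(b, e, n, llc, width, always_multiply)
    trace, result = [], None
    while True:
        llc.flush(MULTIPLY)                # Step 1: spy flushes the block
        try:
            result = next(victim)          # Step 2: victim runs one exponent bit
        except StopIteration:
            return trace, result
        trace.append(int(llc.access(MULTIPLY)))  # Step 3: spy reloads, 1 = hit

if __name__ == "__main__":
    # Constructed inputs: b=7, e=0b00101, n=143.
    print(flush_reload_trace(7, 0b00101, 143, 5))                        # secret-dependent
    print(flush_reload_trace(7, 0b00101, 143, 5, always_multiply=True))  # uniform trace
```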
Flush + Flush
Step 0: Spy maps the shared library, shared in the cache
Step 1: Spy flushes the cache block (clflush)
Step 2: Victim reloads the cache block
Step 3: Spy flushes the cache block again
Voila
(Figure: LLC)

Confused?



Clflush

On a hit at the LLC, clflush has to flush L1+L2 of the victim too

On a miss at the LLC, clflush does nothing (faster than on a hit)



Clflush [DIMVA ‘16]



Prime + Probe
Step 0: Spy fills the entire shared cache (sets)
Step 1: Victim evicts cache blocks while running
Step 2: Spy probes the cache set
If misses then victim has accessed the set
Voila
(Figure: LLC)

Covert Channel
Step 0: Receiver gets data from L1 (fast, bit “0”)
Step 1: Sender thrashes LLC and back-invalidates L1
Step 2: Receiver gets data from DRAM (slow, bit “1”)
(Figure: LLC)



The Subtle Issues

• Flush + Reload: Demands Page Sharing, Fine-grained, low-noise (variant is flush+flush)

• Evict + Reload: An alternative for Flush + Reload, Almost equally effective (variant is Evict + Time)

• Prime + Probe: Does not demand page sharing, coarse grained, high-noise, need to find out the eviction set



More Subtle Issues: Flush + Reload

• Works across CPU sockets

• Works on non-inclusive caches

• However, it can only recover statically allocated data



More Subtle Issues: Evict + Reload

• No flush instruction

• Attacker can use huge pages

• Applicable to processors without clflush instruction

• Only works with inclusive caches in the same CPU socket

• Need information about LLC slices



Subtle Issues with Prime+Probe

• Need to create an eviction set(s): Refer “LLC side-channels are practical”

• LLC slicing information is needed: Need to reverse engineer



The Notion of Time

• Gap between Evict and Reload, Flush and Reload, Prime and Probe

• A subtle parameter for a successful attack
