Skip to main content
SpringerLink
Log in

CHASM: Security Evaluation of Cache Mapping Schemes

  • Conference paper
  • First Online:
Embedded Computer Systems: Architectures, Modeling, and Simulation (SAMOS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 12471))

Included in the following conference series:

Abstract

Cache side-channel attacks have become a significant security threat across a variety of hardware architectures. By observing which sets of a cache are accessed by the victim, the attacker gleans critical information about the address bits in the victim’s access, thereby revealing portions of secret keys used by encryption algorithms (or other sensitive information). Fundamentally, this ability to deduce information about addresses given the accessed sets depends on knowing (or discovering) how addresses are mapped to cache sets by hardware.

In this work, we evaluate the security of the various cache mapping functions. Using an information-theoretic formulation, our framework (denoted CHASM) estimates the number of address bits that are likely leaked by different mapping schemes. Our analysis leads to several new insights. One, all one-to-one schemes that map n set-index address bits to \(2^n\) set-indices leak all n bits. Two, based on memory footprint, programs often leak several additional (viz., tag) bits (e.g., AES leaks 39 bits out of 42 at L2). Three, tag bits leak even with the use of address space layout randomization (16–33 bits). Four, the use of huge pages in order to reduce pressure on TLBs increases leakage (5 additional bits on average). Since many of these techniques have opposing impact on performance and security, we use a new security-delay ratio metric to jointly evaluate mapping schemes for both performance and security.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In this paper we do not directly address attacks based on speculative execution or techniques to mitigate them.

  2. 2.

    Partitioning techniques do not prevent certain types of attacks [35].

  3. 3.

    Mapping schemes are discussed in Sect. 3 and workloads in Sect. 5.

  4. 4.

    For small bit counts, a table lookup can be used.

  5. 5.

    In the original work, this scheme was applied to the shared L3 cache.

  6. 6.

    In our case, leakage in bit i would depend on all other 40–50 bits requiring \(2^{40}-2^{50}\) probabilities to be estimated.

  7. 7.

    We stop at \(a_6\) as bits \(a_0\) through \(a_5\) are block offset bits that have no impact on cache mapping. In this paper we assume 64-byte cache blocks.

  8. 8.

    As stated previously, we assume a 64-byte cache line size, and 48-bit addresses.

  9. 9.

    SPEC and Cryptography workloads exhibit similar trends and for brevity, we omit their details here.

  10. 10.

    For lack of space, we omitted the Rotate-3 scheme as its leakage is exactly the same as that of Modulo.

References

  1. Huge Pages - The Linux Kernel Archives. https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt

  2. Pagemap, From the Userspace Perspective. https://www.kernel.org/doc/Documentation/vm/pagemap.txt

  3. Transparent Hugepage Support. https://www.kernel.org/doc/Documentation/vm/transhuge.txt

  4. Ambrose, J.A., Ragel, R.G., Jayasinghe, D., Li, T., Parameswaran, S.: Side channel attacks in embedded systems: a tale of hostilities and deterrence. In: Sixteenth International Symposium on Quality Electronic Design, pp. 452–459, March 2015

    Google Scholar 

  5. Bernstein, D.J.: Cache-timing attacks on AES. Technical report (2005)

    Google Scholar 

  6. Bonneau, J., Mironov, I.: Cache-collision timing attacks against AES. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 201–215. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_16

    Chapter  Google Scholar 

  7. Doweck, J., et al.: Inside 6th-generation intel core: new microarchitecture code-named Skylake. IEEE Micro 37(2), 52–62 (2017)

    Article  Google Scholar 

  8. Doychev, G., Feld, D., Köpf, B., Mauborgne, L., Reineke, J.: CacheAudit: a tool for the static analysis of cache side channels. In: Proceedings of the 22nd USENIX Conference on Security, Series SEC 2013, pp. 431–446. USENIX Association, Berkeley (2013). http://dl.acm.org/citation.cfm?id=2534766.2534804

  9. Givargis, T.: Improved indexing for cache miss reduction in embedded systems. In: Proceedings of the 40th Annual Design Automation Conference, Series, DAC 2003 (2003). https://doi.org/10.1145/775832.776052

  10. Hazelwood, K.M., Klauser, A.: A dynamic binary instrumentation engine for the ARM architecture. In: Hong, S., Wolf, W.H., Flautner, K., Kim, T. (eds.) Proceedings of the 2006 International Conference on Compilers, Architecture, and Synthesis for Embedded Systems, CASES 2006, Seoul, Korea, 22–25 October 2006 (2006). https://doi.org/10.1145/1176760.1176793

  11. He, Z., Lee, R.B.: How secure is your cache against side-channel attacks? In: Proceedings of the 50th Annual IEEE/ACM International Symposium on Microarchitecture, Series MICRO-50 2017, pp. 341–353. ACM, New York (2017). https://doi.org/10.1145/3123939.3124546

  12. Henning, J.L.: SPEC CPU2006 benchmark descriptions. SIGARCH Comput. Archit. News 34(4), 1–17 (2006). https://doi.org/10.1145/1186736.1186737

    Article  Google Scholar 

  13. Intel: Introduction to Cache Allocation Technology in the Intel® Xeon® processor E5 v4 family (2016). https://software.intel.com/en-us/articles/introduction-to-cache-allocation-technology

  14. Issa, I., Wagner, A.B., Kamath, S.: An operational approach to information leakage. CoRR, vol. abs/1807.07878 (2018). http://arxiv.org/abs/1807.07878

  15. Kavi, K., Nwachukwu, I., Fawibe, A.: A comparative analysis of performance improvement schemes for cache memories. Comput. Electr. Eng. 38(2), 243–257 (2012). https://doi.org/10.1016/j.compeleceng.2011.12.008

    Article  Google Scholar 

  16. Kharbutli, M., Irwin, K., Solihin, Y., Lee, J.: Using prime numbers for cache indexing to eliminate conflict misses. In: Proceedings of the 10th International Symposium on High Performance Computer Architecture, Series HPCA 2004, p. 288. IEEE Computer Society, Washington, DC (2004). https://doi.org/10.1109/HPCA.2004.10015

  17. Kiriansky, V., Lebedev, I., Amarasinghe, S., Devadas, S., Emer, J.: DAWG: a defense against cache timing attacks in speculative execution processors. In: Proceedings of the 51st Annual IEEE/ACM International Symposium on Microarchitecture, Series MICRO-51, pp. 974–987. IEEE Press, Piscataway (2018). https://doi.org/10.1109/MICRO.2018.00083

  18. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy, Series SP 2015, pp. 605–622. IEEE Computer Society, Washington, DC (2015). https://doi.org/10.1109/SP.2015.43

  19. Luk, C.-K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, Series PLDI 2005, pp. 190–200. ACM, New York (2005). https://doi.org/10.1145/1065010.1065034

  20. Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A.: Reverse engineering Intel last-level cache complex addressing using performance counters. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 48–65. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_3

    Chapter  Google Scholar 

  21. Mushtaq, M., Akram, A., Bhatti, M.K., Rais, R.N.B., Lapotre, V., Gogniat, G.: Run-time detection of prime + probe side-channel attack on AES encryption algorithm. In: 2018 Global Information Infrastructure and Networking Symposium (GIIS), pp. 1–5, October 2018

    Google Scholar 

  22. Nwachukwu, I., Kavi, K., Ademola, F., Yan, C.: Evaluation of techniques to improve cache access uniformities. In: 2011 International Conference on Parallel Processing, pp. 31–40, September 2011

    Google Scholar 

  23. Pax: Address space layout randomization ASLR (2003). http://pax.grsecuritynet/docs/aslr.txt

  24. Qureshi, M.K.: CEASER: mitigating conflict-based cache attacks via encrypted-address and remapping. In: Proceedings of the 51st Annual IEEE/ACM International Symposium on Microarchitecture, Series MICRO-51, pp. 775–787. IEEE Press, Piscataway (2018). https://doi.org/10.1109/MICRO.2018.00068

  25. Shelor, C., Kavi, K.: Moola: multicore cache simulator. In: 30th International Conference on Computers and Their Applications, CATA-2015 (2015)

    Google Scholar 

  26. Trilla, D., Hernandez, C., Abella, J., Cazorla, F.: Cache side-channel attacks and time-predictability in high-performance critical real-time systems, pp. 1–6, June 2018

    Google Scholar 

  27. Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptol. 23(1), 37–71 (2010). https://doi.org/10.1007/s00145-009-9049-y

    Article  MathSciNet  MATH  Google Scholar 

  28. Umbelino, P.: ASLR cache attack defeats address space layout randomization (2017). https://hackaday.com/2017/02/15/aslrcache-attack-defeats-address-space-layout-randomization/

  29. Wagner, I., Eckhoff, D.: Technical privacy metrics: a systematic survey. CoRR, vol. abs/1512.00327 (2015). http://arxiv.org/abs/1512.00327

  30. Werner, M., Unterluggauer, T., Giner, L., Schwarz, M., Gruss, D., Mangard, S.: ScatterCache: thwarting cache attacks via cache set randomization. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, 14–16 August 2019 (2019). https://www.usenix.org/conference/usenixsecurity19/presentation/werner

  31. Yarom, Y., Falkner, K.: Flush+reload: a high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23rd USENIX Conference on Security Symposium, Series SEC 2014 (2014). http://dl.acm.org/citation.cfm?id=2671225.2671271

  32. Yarom, Y., Ge, Q., Liu, F., Lee, R.B., Heiser, G.: Mapping the intel last-level cache. Cryptology ePrint Archive, Report 2015/905 (2015). https://eprint.iacr.org/2015/905

  33. Zankl, A., Heyszl, J., Sigl, G.: Automated detection of instruction cache leaks in modular exponentiation software. In: Lemke-Rust, K., Tunstall, M. (eds.) CARDIS 2016. LNCS, vol. 10146, pp. 228–244. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54669-8_14

    Chapter  Google Scholar 

  34. Zhang, N., Sun, K., Shands, D., Lou, W., Hou, Y.T.: TruSpy: cache side-channel information leakage from the secure world on arm devices. Cryptology ePrint Archive, Report 2016/980 (2016). https://eprint.iacr.org/2016/980

  35. Zhang, Y.: Cache side channels: state of the art and research opportunities. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Series CCS 2017, pp. 2617–2619. ACM, New York (2017). https://doi.org/10.1145/3133956.3136064

Download references

Author information

Authors and Affiliations

  1. University of North Texas, Denton, TX, USA

    Fernando Mosquera, Nagendra Gulur, Krishna Kavi, Gayatri Mehta & Hua Sun

Authors
  1. Fernando Mosquera
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nagendra Gulur
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Krishna Kavi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Gayatri Mehta
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Hua Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Fernando Mosquera .

Editor information

Editors and Affiliations

  1. Department of Computer Science and Engineering, University of California San Diego, La Jolla, CA, USA

    Alex Orailoglu

  2. Department of Electrical and Computer Engineering, Fraunhofer IESE, Kaiserslautern, Germany

    Matthias Jung

  3. Department of Computer Science, Friedrich-Alexander University, Erlangen, Germany

    Marc Reichenbach

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Mosquera, F., Gulur, N., Kavi, K., Mehta, G., Sun, H. (2020). CHASM: Security Evaluation of Cache Mapping Schemes. In: Orailoglu, A., Jung, M., Reichenbach, M. (eds) Embedded Computer Systems: Architectures, Modeling, and Simulation. SAMOS 2020. Lecture Notes in Computer Science(), vol 12471. Springer, Cham. https://doi.org/10.1007/978-3-030-60939-9_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-60939-9_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-60938-2

  • Online ISBN: 978-3-030-60939-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation