Skip to main content
Springer Nature Link
Log in

Covert Timing Channels Exploiting Cache Coherence Hardware: Characterization and Defense

  • Published:
International Journal of Parallel Programming Aims and scope Submit manuscript

Abstract

Information leakage of sensitive data has become one of the fast growing concerns among computer users. With adversaries turning to hardware for exploits, caches are frequently a target for timing channels since they present different timing profiles for cache miss and hit latencies. Such timing channels operate by having an adversary covertly communicate secrets to a spy simply through modulating resource timing without leaving any physical evidence. In this article, we demonstrate a new vulnerability exposed by cache coherence protocols where adversaries could manipulate the coherence states on certain cache blocks to alter cache access timing and communicate secrets illegitimately. Our threat model assumes the trojan and spy can either exploit explicitly shared read-only physical pages (e.g., shared library code), or use memory deduplication feature to implicitly force create shared physical pages. We demonstrate a template that adversaries may use to construct covert timing channels through manipulating combinations of coherence states and data placement in different caches. We investigate several classes of cache coherence protocols, and observe that both directory-based and snoopy protocols can be subject to covert timing channel attacks. We identify that the root cause of the vulnerability to be the existence of access latency difference for cache lines in read-only cache coherence states: Exlusive and Shared. For defense, we propose a slightly modified cache coherence scheme that will enable the last level cache to directly respond to read data requests in these read-only coherence states, and avoid any latency difference that could enable timing channels.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

Similar content being viewed by others

Notes

  1. Note that other coherence states such as M may also exhibit different latency profiles. However, change to M state will require writes to the cache blocks. Since writes to shared memory will annul silent page sharing (created using KSM), we do not consider these other states.

  2. When the LLC holds a copy of the cache block, the coherence transactions on non-inclusive caches are similar to that of exclusive caches. Therefore, the coherence transactions we listed for non-inclusive caches in Table 3 may be applied to a strictly exclusive cache hierarchy as well.

References

  1. Department of Defense Standard: Trusted computer system evaluation criteria. US Department of Defense (1983)

  2. Venkataramani, G., Chen, J., Doroslovacki, M.: Detecting hardware covert timing channels. IEEE Micro 36, 17–27 (2016)

    Article  Google Scholar 

  3. Chen, A., Moore, W.B., Xiao, H., Haeberlen, A., Phan, L.T.X., Sherr, M., Zhou, W.: Detecting covert timing channels with time-deterministic replay. In: USENIX Symposium on Operating Systems Design and Implementation, pp. 541–554 (2014)

  4. Acıiçmez, O., Brumley, B.B., Grabher, P.: New results on instruction cache attacks. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 110–124, Springer (2010)

  5. Aciiçmez, O.: Yet another microarchitectural attack: exploiting I-cache. In: Proceedings of ACM Workshop on Computer Security Architecture, pp. 11–18, ACM (2007)

  6. Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of ACM Workshop on Cloud Computing Security, pp. 29–40, ACM (2011)

  7. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 605–622, IEEE (2015)

  8. Yarom, Y., Falkner, K.: Flush + reload: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium, pp. 719–732 (2014)

  9. Irazoqui, G., Eisenbarth, T., Sunar, B.: Cross processor cache attacks. In: Proceedings of ACM Asia Conference on Computer and Communications Security, pp. 353–364, ACM (2016)

  10. Yao, F., Doroslovacki, M., Venkataramani, G.: Are coherence protocol states vulnerable to information leakage? In: Proceedings of IEEE International Symposium on High Performance Computer Architecture, pp. 168–179, IEEE (2018)

  11. Liu, F., Lee, R.B.: Random fill cache architecture. In: Proceedings of IEEE/ACM International Symposium on Microarchitecture, pp. 203–215, IEEE (2014)

  12. Wang, Z., Lee, R.B.: New cache designs for thwarting software cache-based side channel attacks. ACM SIGARCH Comput. Archit. News 35(2), 494–505 (2007)

    Article  Google Scholar 

  13. Liu, F., Ge, Q., Yarom, Y., Mckeen, F., Rozas, C., Heiser, G., Lee, R.B.: CATalyst: Defeating last-level cache side channel attacks in cloud computing. In: Proceedings of IEEE International Symposium on High Performance Computer Architecture, pp. 406–418, IEEE (2016)

  14. Wang, Y., Ferraiuolo, A., Zhang, D., Myers, A.C., Suh, G.E.: Secdcp: secure dynamic cache partitioning for efficient timing channel protection. In: Proceedings of IEEE Design Automation Conference, pp. 1–6, IEEE (2016)

  15. Intel QuickPath Architecture. http://www.intel.com/pressroom/archive/reference/whitepaper_QuickPath.pdf (2012). Accessed Jan 2018

  16. Conway, P., Kalyanasundharam, N., Donley, G., Lepak, K., Hughes, B.: Cache hierarchy and memory subsystem of the AMD Opteron processor. IEEE Micro 30(2), 16–29 (2010)

    Article  Google Scholar 

  17. Sorin, D.J., Hill, M.D., Wood, D.A.: A primer on memory consistency and cache coherence. Synth. Lect. Comput. Archit. 6(3), 1–212 (2011)

    Article  Google Scholar 

  18. Waldspurger, C .A.: Memory resource management in VMware ESX server. ACM SIGOPS Operat. Syst. Rev. 36(SI), 181–194 (2002)

    Article  Google Scholar 

  19. Barresi, A., Razavi, K., Payer, M., Gross, T.R.: CAIN: silently breaking ASLR in the cloud. In: USENIX Workshop on Offensive Technologies (2015)

  20. Using Intel VTune Amplifier. https://goo.gl/E9Fp2m (2013). Accessed Jan 2018

  21. Gallager, R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962)

    Article  MathSciNet  MATH  Google Scholar 

  22. Binkert, N., Beckmann, B., Black, G., Reinhardt, S .K., Saidi, A., Basu, A., Hestness, J., Hower, D .R., Krishna, T., Sardashti, S., et al.: The gem5 simulator. ACM SIGARCH Comput. Archit. News 39(2), 1–7 (2011)

    Article  Google Scholar 

  23. Bienia, C., Kumar, S., Singh, J.P., Li, K.: The parsec benchmark suite: characterization and architectural implications. In: Proceedings of ACM International Conference on Parallel Architectures and Compilation Techniques, pp. 72–81, ACM (2008)

  24. Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: USENIX Security Symposium, pp. 897–912 (2015)

  25. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 199–212, ACM (2009)

  26. Yao, F., Venkataramani, G., Doroslovacki, M.: Covert timing channels exploiting non-uniform memory access based architectures. In: Proceedings of ACM Great Lakes Symposium on VLSI, pp. 155–160, ACM (2017)

  27. Aciicmez, O., Seifert, J.-P.: Cheap hardware parallelism implies cheap security. In: Proceedings of IEEE Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 80–91, IEEE (2007)

  28. Evtyushkin, D., Ponomarev, D.: Covert channels through random number generator: mechanisms, capacity estimation and mitigations. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 843–857, ACM (2016)

  29. Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: USENIX Security Symposium, pp. 159–173 (2012)

  30. Alagappan, M., Rajendran, J.J., Doroslovacki, M., Venkataramani, G.: DFS covert channels on multi-core platforms. In: Proceedings of IEEE International Conference on Very Large Scale Integration, IEEE (2017)

  31. Aciiçmez, O., Koç, C.K., Seifert, J.-P.: On the power of simple branch prediction analysis. In: Proceedings of ACM Symposium on Information, Computer and Communications Security, pp. 312–320, ACM (2007)

  32. Evtyushkin, D., Ponomarev, D., Abu-Ghazaleh, N.: Understanding and mitigating covert channels through branch predictors. ACM Trans. Archit. Code Optim. 13(1), 10 (2016)

    Article  Google Scholar 

  33. Jiang, Z.H., Fei, Y., Kaeli, D.: A complete key recovery timing attack on a GPU. In: Proceeding of IEEE International Symposium on High Performance Computer Architecture, pp. 394–405, IEEE (2016)

  34. Demme, J., Martin, R., Waksman, A., Sethumadhavan, S.: Side-channel vulnerability factor: a metric for measuring information leakage. ACM SIGARCH Comput. Archit. News 40(3), 106–117 (2012)

    Article  Google Scholar 

  35. Chen, J., Venkataramani, G.: An algorithm for detecting contention-based covert timing channels on shared hardware. In: Proceedings of ACM Workshop on Hardware and Architectural Support for Security and Privacy, ACM (2014)

  36. Chen, J., Venkataramani, G.: Cc-hunter: uncovering covert timing channels on shared processor hardware. In: Proceedings of IEEE/ACM International Symposium on Microarchitecture, pp. 216–228, IEEE Computer Society (2014)

  37. Hunger, C., Kazdagli, M., Rawat, A., Dimakis, A., Vishwanath, S., Tiwari, M.: Understanding contention-based channels and using them for defense. In: Proceedings of IEEE International Symposium on High Performance Computer Architecture, pp. 639–650, IEEE (2015)

  38. Yan, M., Shalabi, Y., Torrellas, J.: ReplayConfusion: detecting cache-based covert channel attacks using record and replay. In: Proceedings of IEEE/ACM International Symposium on Microarchitecture, pp. 1–14, IEEE (2016)

  39. Fang, H., Dayapule, S.S., Yao, F., Doroslovački, M., Venkataramani, G.: Prefetch-guard: leveraging hardware prefetchers to defend against cache timing channels (short paper). In: Proceedings of IEEE Symposium on Hardware Oriented Security and Trust, IEEE (2018)

  40. Venkataramani, G., Doudalis, I., Solihin, Y., Prvulovic, M.: Memtracker: an accelerator for memory debugging and monitoring. ACM Trans. Archit. Code Optim. 6, 5 (2009)

    Article  Google Scholar 

  41. Shen, J., Venkataramani, G., Prvulovic, M.: Tradeoffs in fine-grained heap memory protection. In: Proceedings of ACM Workshop on Architectural and System Support for Improving Software Dependability, ACM (2006)

  42. Ferraiuolo, A., Wang, Y., Zhang, D., Myers, A.C., Suh, G.E.: Lattice priority scheduling: low-overhead timing-channel protection for a shared memory controller. In: Proceedings of IEEE International Symposium on High Performance Computer Architecture, pp. 382–393, IEEE (2016)

  43. Zhou, Y., Wagh, S., Mittal, P., Wentzlaff, D.: Camouflage: memory traffic shaping to mitigate timing attacks. In: Proceedings of International Symposium on High Performance Computer Architecture, pp. 337–348, IEEE (2017)

  44. Awad, A., Wang, Y., Shands, D., Solihin, Y.: Obfusmem: a low-overhead access obfuscation for trusted memories. In: Proceedings of ACM International Symposium on Computer Architecture, pp. 107–119, ACM (2017)

Download references

Acknowledgements

This material is based on work supported by the US National Science Foundation under CAREER Award CCF-1149557 and CNS-1618786, and Semiconductor Research Corp. (SRC) contract 2016-TS-2684. Any opinions, findings, conclusions, or recommendations expressed in this article are those of the authors, and do not necessarily reflect those of the NSF or SRC.

Author information

Authors and Affiliations

  1. University of Central Florida, Orlando, FL, USA

    Fan Yao

  2. The George Washington University, Washington, DC, USA

    Miloš Doroslovački & Guru Venkataramani

Authors
  1. Fan Yao
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Miloš Doroslovački
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Guru Venkataramani
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Fan Yao.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Yao, F., Doroslovački, M. & Venkataramani, G. Covert Timing Channels Exploiting Cache Coherence Hardware: Characterization and Defense. Int J Parallel Prog 47, 595–620 (2019). https://doi.org/10.1007/s10766-018-0608-4

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10766-018-0608-4

Keywords