Skip to main content
SpringerLink
Log in

Analysis of Secure Caches Using a Three-Step Model for Timing-Based Attacks

  • Published:
Journal of Hardware and Systems Security Aims and scope Submit manuscript

Abstract

Many secure cache designs have been proposed in literature with the aim of mitigating different types of cache timing–based attacks. However, there has so far been no systematic analysis of how these secure cache designs can, or cannot, protect against different types of the timing-based attacks. To provide a means of analyzing the caches, this paper presents a novel three-step modeling approach that is used to exhaustively enumerate all the possible cache timing–based vulnerabilities. The model covers not only attacks that leverage cache accesses or flushes from the local processor core, but also attacks that leverage changes in the cache state due to the cache coherence protocol actions from remote cores. Moreover, both conventional attacks and speculative execution attacks are considered. With the list of all possible cache timing vulnerabilities derived from the three-step model, this work further manually analyzes each of the existing secure cache designs to show which types of timing-based side-channel vulnerabilities each secure cache can mitigate. Based on the security analysis of the existing secure cache designs using the new three-step model, this paper further summarizes different techniques gleaned from the secure cache designs and their ability help mitigate different types of cache timing–based vulnerabilities.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3

Similar content being viewed by others

Notes

  1. For a hit-based vulnerabilities, the attacker is able to learn the full address of the victim’s sensitive data, while for the miss-based vulnerabilities, the attacker usually can learn the cache index of the victim’s sensitive data. For more details of these vulnerabilities’ categorizations, please refer to Section 3.3.3.

  2. Invalidation is fast when the corresponding address which is to be invalidated does not exist in the cache since no operation is needed for the invalidation.

  3. Two existing papers give slightly different definitions for an “SP” cache; thus, we selected to define a new cache, the SP cache, that combines secure cache features of the Secret-Protecting cache from [27] with secure cache features of the Static-Partitioned cache from [20].

References

  1. Acıiçmez O, Koç ÇK (2006) Trace-driven cache attacks on AES (short paper). In: International conference on information and communications security. Springer, pp 112–121

  2. Agrawal D, Archambeault B, Rao JR, Rohatgi P (2002) The EM side-channel (s). In: International workshop on cryptographic hardware and embedded systems. Springer, pp 29–45

  3. Bernstein DJ (2005) Cache-timing attacks on AES

  4. Binkert N, Beckmann B, Black G, Reinhardt SK, Saidi A, Basu A, Hestness J, Hower DR, Krishna T, Sardashti S et al (2011) The gem5 simulator. ACM SIGARCH computer architecture news 39 (2):1–7

    Article  Google Scholar 

  5. Bonneau J, Mironov I (2006) Cache-collision timing attacks against AES. In: International workshop on cryptographic hardware and embedded systems. Springer, pp 201–215

  6. Borghoff J, Canteaut A, Güneysu T, Kavun EB, Knezevic M, Knudsen LR, Leander G, Nikov V, Paar C, Rechberger C et al (2012) Prince–a low-latency block cipher for pervasive computing applications. In: International conference on the theory and application of cryptology and information security. Springer, pp 208–225

  7. Bourgeat T, Lebedev I, Wright A, Zhang S, Devadas S et al (2019) MI6: Secure enclaves in a speculative out-of-order processor. In: Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture. ACM, pp 42–56

  8. Chen S, Liu F, Mi Z, Zhang Y, Lee RB, Chen H, Wang X (2018) Leveraging hardware transactional memory for cache side-channel defenses. In: Proceedings of the 2018 on Asia conference on computer and communications security. ACM, pp 601– 608

  9. Clark SS, Ransford B, Rahmati A, Guineau S, Sorber J, Xu W, Fu K (2013) Wattsupdoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices. In: Presented as part of the 2013 USENIX workshop on health information technologies

  10. Costan V, Lebedev IA, Devadas S (2016) Sanctum: minimal hardware extensions for strong software isolation. In: USENIX security symposium, pp 857–874

  11. Deng S, Xiong W, Szefer J (2018) Cache timing side-channel vulnerability checking with computation tree logic. In: Proceedings of the 7th international workshop on hardware and architectural support for security and privacy. ACM, p. 2

  12. Domnitser L, Jaleel A, Loew J, Abu-Ghazaleh N, Ponomarev D (2012) Non-monopolizable caches: low-complexity mitigation of cache side channel attacks. ACM Transactions on Architecture and Code Optimization (TACO) 8(4):35

    Google Scholar 

  13. Doychev G, Köpf B (2017) Rigorous analysis of software countermeasures against cache attacks. In: Proceedings of the 38th ACM SIGPLAN conference on programming language design and implementation. ACM, pp 406–421

    Article  Google Scholar 

  14. Doychev G, Köpf B, Mauborgne L, Reineke J (2015) CacheAudit: a tool for the static analysis of cache side channels. ACM Transactions on information and system security (TISSEC) 18(1):4

    Article  Google Scholar 

  15. Gruss D, Lettner J, Schuster F, Ohrimenko O, Haller I, Costa M (2017) Strong and efficient cache side-channel protection using hardware transactional memory. In: USENIX security symposium, pp 217–233

  16. Gruss D, Maurice C, Wagner K, Mangard S (2016) Flush+ flush: a fast and stealthy cache attack. In: International conference on detection of intrusions and malware, and vulnerability assessment. Springer, pp 279–299

  17. Gruss D, Spreitzer R, Mangard S (2015) Cache template attacks: automating attacks on inclusive last-level caches. In: USENIX security symposium, pp 897–912

  18. Guanciale R, Nemati H, Baumann C, Dam M (2016) Cache storage channels: alias-driven attacks and verified countermeasures. In: 2016 IEEE symposium on security and privacy (SP). IEEE, pp 38–55

  19. Gullasch D, Bangerter E, Krenn S (2011) Cache games–bringing access-based cache attacks on AES to practice. In: 2011 IEEE symposium on security and privacy (SP). IEEE, pp 490–505

  20. He Z, Lee RB (2017) How secure is your cache against side-channel attacks?. In: Proceedings of the 50th annual IEEE/ACM international symposium on microarchitecture. ACM, pp 341–353

  21. Intel C (2015) Improving real-time performance by utilizing cache allocation technology. Intel Corporation

  22. Kayaalp M, Khasawneh KN, Esfeden HA, Elwell J, Abu-Ghazaleh N, Ponomarev D, Jaleel A (2017) RIC: relaxed inclusion caches for mitigating LLC side-channel attacks. In: 2017 54th ACM/EDAC/IEEE design automation conference (DAC). IEEE, pp 1–6

  23. Keramidas G, Antonopoulos A, Serpanos DN, Kaxiras S (2008) Non deterministic caches: a simple and effective defense against side channel attacks. Des Autom Embed Syst 12(3):221–230

    Article  Google Scholar 

  24. Kessler RE, Hill MD (1992) Page placement algorithms for large realindexed caches. ACM Trans Comput Syst (TOCS) 10(4):338–359

    Article  Google Scholar 

  25. Kiriansky V, Lebedev I, Amarasinghe S, Devadas S, Emer J (2018) DAWG: a defense against cache timing attacks in speculative execution processors. In: 2018 51st Annual IEEE/ACM international symposium on microarchitecture (MICRO). IEEE, pp. 974–987

  26. Kocher P, Genkin D, Gruss D, Haas W, Hamburg M, Lipp M, Mangard S, Prescher T, Schwarz M, Yarom Y (2018) Spectre attacks: exploiting speculativeexecution. In: 2019 IEEE Symposium on Security and Privacy (SP). IEEE, pp 1–19

  27. Lee RB, Kwan P, McGregor JP, Dwoskin J, Wang Z (2005) Architecture for protecting critical secrets in microprocessors. In: ACM SIGARCH computer architecture news, vol 33. IEEE Computer Society, pp 2–13

    Article  Google Scholar 

  28. Lee Y, Waterman A, Avizienis R, Cook H, Sun C, Stojanović V, Asanović K (2014) A 45nm 1.3 GHz 16.7 double-precision GFLOPS/W RISC-V processor with vector accelerators. In: European solid state circuits conference (ESSCIRC), ESSCIRC 2014-40th. IEEE, pp 199–202

  29. Liu F, Ge Q, Yarom Y, Mckeen F, Rozas C, Heiser G, Lee RB (2016) CATalyst: defeating last-level cache side channel attacks in cloud computing. In: 2016 IEEE international symposium on high performance computer architecture (HPCA). IEEE, pp 406–418

  30. Liu F, Lee RB (2014) Random fill cache architecture. In: 2014 47th annual IEEE/ACM international symposium on microarchitecture (MICRO). IEEE, pp 203–215

  31. Liu F, Wu H, Mai K, Lee RB (2016) Newcache: secure cache architecture thwarting cache side-channel attacks. IEEE Micro 36(5):8–16

    Article  Google Scholar 

  32. Luk CK, Cohn R, Muth R, Patil H, Klauser A, Lowney G, Wallace S, Reddi VJ, Hazelwood K (2005) Pin: building customized program analysis tools with dynamic instrumentation. In: ACM sigplan notices, vol 40. ACM, pp 190–200

  33. Masti RJ, Rai D, Ranganathan A, Müller C., Thiele L, Capkun S (2015) Thermal covert channels on multi-core platforms. In: 24th USENIX security symposium (USENIX security 15), pp 865–880

  34. Osvik DA, Shamir A, Tromer E (2006) Cache attacks and countermeasures: the case of AES. In: Cryptographers’ track at the RSA conference. Springer, pp 1–20

  35. Patel A, Afram F, Chen S, Ghose K (2011) MARSS: A full system simulator for multicore x86 CPUs. In: 2011 48th ACM/EDAC/IEEE design automation conference (DAC). IEEE, pp 1050–1055

  36. Percival C (2005) Cache missing for fun and profit. BSDCan 2005, Ottawa, 2005. http://www.daemonology.net/papers/htt.pdf

  37. Hammarlund P, Martinez AJ, Bajwa AA, Hill DL, Hallnor E, Jiang H, Dixon M, Derr M, Hunsaker M, Kumar R, Osborne RB (2014) Haswell: The fourth-generation intel core processor. IEEE Micro. 10;34(2):6–20

    Article  Google Scholar 

  38. Qureshi MK (2018) CEASER: mitigating conflict-based cache attacks via encrypted-address and remapping. In: 2018 51St annual IEEE/ACM international symposium on microarchitecture (MICRO). IEEE, pp 775–787

  39. Sanchez D, Kozyrakis C (2013) ZSIm: fast and accurate microarchitectural simulation of thousand-core systems. In: ACM SIGARCH computer architecture news, vol 41. ACM, pp 475–486

  40. Schwarz M, Schwarzl M, Lipp M, Gruss D (2018) NetSpectre: read arbitrary memory over network. In: European Symposium on Research in Computer Security. Springer, pp 279–299

  41. Seznec A (1993) A case for two-way skewed-associative caches. ACM SIGARCH computer architecture news 21(2):169–178

    Article  Google Scholar 

  42. Sharkey J, Ponomarev D, Ghose K (2005) M-sim: a flexible, multithreaded architectural simulation environment. Techenical report, Department of Computer Science State University of New York at Binghamton. In: Technical Report 2001/2, Compaq Computer Corporation, Aug. 2001

  43. Shivakumar P, Jouppi NP (2001) Cacti 3.0: an integrated cache timing, power and area model. In: Technical Report 2001/2, Compaq Computer Corporation, Aug. 2001.

  44. Taylor G, Davies P, Farmwald M (1990) The TLB slice-a low-cost high-speed address translation mechanism. In: 17th annual international symposium on computer architecture, 1990. Proceedings. IEEE, pp 355–363

  45. Thoziyoor S, Muralimanohar N, Ahn JH, Jouppi NP (2008) CACTI 5.1. Technical Report HPL-2008-20, HP Labs

  46. Trippel C, Lustig D, Martonosi M (2018) MeltdownPrime and SpectrePrime: automatically-synthesized attacks exploiting invalidation-based coherence protocols. arXiv:1802.03802

  47. Wang S, Wang P, Liu X, Zhang D, Wu D (2017) CacheD: identifying cache-based timing channels in production software. In: 26th USENIX security symposium. USENIX association

  48. Wang Y, Ferraiuolo A, Zhang D, Myers AC, Suh GE (2016) SecDCP: secure dynamic cache partitioning for efficient timing channel protection. In: 2016 53nd ACM/EDAC/IEEE design automation conference (DAC). IEEE, pp 1–6

  49. Wang Z, Lee RB (2007) New cache designs for thwarting software cache-based side channel attacks. In: ACM SIGARCH computer architecture news, vol 35. ACM, pp 494–505

  50. Wang Z, Lee RB (2008) A novel cache architecture with enhanced performance and security. In: 2008 41st IEEE/ACM international symposium on Microarchitecture, 2008. MICRO-41. IEEE, pp 83–93

  51. Werner M, Unterluggauer T, Giner L, Schwarz M, Gruss D, Mangard S (2019) ScatterCache: thwarting cache attacks via cache set randomization. In: 28th USENIX security symposium (USENIX Security 19). USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/usenixsecurity19/presentation/werner

  52. Yan M, Choi J, Skarlatos D, Morrison A, Fletcher C, Torrellas J (2018) InvisiSpec: making speculative execution invisible in the cache hierarchy. In: 2018 51st annual IEEE/ACM international symposium on microarchitecture (MICRO). IEEE, pp 428–441

  53. Yan M, Gopireddy B, Shull T, Torrellas J (2017) Secure hierarchy-aware cache replacement policy (SHARP): defending against cache-based side channel attacks. In: Proceedings of the 44th annual international symposium on computer architecture. ACM, pp 347–360

  54. Yao F, Doroslovacki M, Venkataramani G (2018) Are coherence protocol states vulnerable to information leakage?. In: 2018 IEEE international symposium on high performance computer architecture (HPCA). IEEE, pp 168–179

  55. Yarom Y, Falkner K (2014) FLUSH+ RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: USENIX security symposium, pp 719–732

  56. Zhang D, Askarov A, Myers AC (2012) Language-based control and mitigation of timing channels. ACM SIGPLAN Not 47(6):99–110

    Article  Google Scholar 

  57. Zhang D, Wang Y, Suh GE, Myers AC (2015) A hardware design language for timing-sensitive information-flow security. In: ACM SIGARCH computer architecture news, vol 43. ACM, pp 503–516

  58. Zhang S, Wright A, Bourgeat T, Arvind A (2018) Composable building blocks to open up processor design. In: 2018 51st annual IEEE/ACM international symposium on microarchitecture (MICRO). IEEE, pp 68–81

  59. Zhang T, Lee RB (2014) New models of cache architectures characterizing information leakage from cache side channels. In: Proceedings of the 30th annual computer security applications conference. ACM, pp 96–105

  60. Zhang Y, Parikh D, Sankaranarayanan K, Skadron K, Stan M (2003) HotLeakage: a temperature-aware model of subthreshold and gate leakage for architects. University of Virginia Dept of Computer Science Tech Report CS-2003 5

Download references

Acknowledgments

This work was support in part by NSF grants 1651945 and 1813797; and through Semiconductor Research Corporation (SRC) under GRC Task 2844.001.

Author information

Authors and Affiliations

  1. Yale University, New Haven, CT, 06520, USA

    Shuwen Deng, Wenjie Xiong & Jakub Szefer

Authors
  1. Shuwen Deng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wenjie Xiong
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jakub Szefer
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shuwen Deng.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Attack Strategies Descriptions

This appendix gives overview of the attack strategies, shown in Tables 2 and 3 in Section 3. For each attack strategy, an overview of the three steps of the strategy is given. Some of the strategies are similar, and some may not be precise, but we keep and use the original names as they were assigned in prior work. One advantage of our three-step model is that it gives precise definition of each attack. Nevertheless, the attack strategy names used before (and added by us for strategies which did not have such names) may be useful to recall the attacks’ high-level operation.

Cache Internal Collision

In Step 1, cache block’s data is invalidated by flushing or eviction done by either the attacker or the victim. Then, the victim accesses secret data in Step 2. Finally, the victim accesses data at a known address in Step 3, if there is a cache hit, then it reveals that there is an internal collision and leaks value of u.

Flush + Reload

In Step 1, either the attacker or the victim invalidates the cache block’s data by flushing or eviction. Then, the victim access secret data in Step 2. Finally, the attacker tries to access some data in Step 2 using a known address. If a cache hit is observed, then addresses from last two steps are the same, and the attacker learns the secret address. This strategy has similar Step 1 and Step 2 as Cache Internal Collision vulnerability, but for Step 3, it is the attacker who does the reload access.

Reload + Time (New Name Assigned in this Paper)

In Step 1, secret data is invalidated by the victim. Then, the attacker does some known data access in Step 2 that could possibly bring back the invalidated the victim’s secret data in Step 1. In Step 3, if the victim reloads the secret data, a cache hit is observed and the attacker can derive the secret data’s address.

Flush + Probe (New Name Assigned in this Paper)

In Step 1, the victim or the attacker access some known address. In Step 2, the victim invalidates secret data. In Step 3, reloading of Step 1’s data and observation of a cache miss will help the attacker learn that the secret data maps to the known address from Step 1.

Evict + Time

In Step 1, some victim’s secret data is put into the cache by the victim itself. In Step 2, the attacker evicts a specific cache set by performing a memory related operation that is not a flush. In Step 3, the victim reloads secret data, and if a cache miss is observed, the will learn the secret data’s cache set information. This attack has similar Step 1 and Step 3 as Flush + Time vulnerability, but for Step 2, in Evict + Time, the attacker invalidates some known address allowing it to find the full address of the secret data, instead of evicting a cache set to only find the secret data’s cache index as in the Flush + Time attack.

Prime + Probe

In Step 1, the attacker primes the cache set using data at address known to the attacker. In Step 2, the victim accesses the secret data, which possibly evicts data from Step 1. In Step 3, the attacker probes each cache set and if a cache miss is observed, the attacker knowns the secret data maps to the cache set he or she primed.

Bernstein’s Attack

This attack strategy leverages the victim’s internal interference to trigger the miss-based attack. For one case, the victim does the same secret data access in Step 1 and Step 3 while in Step 2, the victim tries to evict one whole cache set’s data by known data accesses. If cache miss is observed in Step 3, that will tell the attacker the cache set is the one secret data maps to. For another case, the victim primes and probe a cache set in Step 1 and Step 3 driven by the attacker while in Step 2, the victim tries to access the secret data. Similar to the first case, observing cache miss in Step 3 tells the attacker the cache set is the one secret data maps to.

Evict + Probe (New Name Assigned in this Paper)

In Step 1, victim evict the cache set using the access to a data at an address known to the attacker. In Step 2, the victim accesses secret data, which possibly evicts data from Step 1. In Step 3, the attacker probes each cache set using the same data as in Step 1, if a cache miss is observed the attacker knowns the secret data maps to the cache set he or she primed. This attack strategy has similar Step 2 and Step 3 as Prime + Probe attack, but for Step 1, it is the victim that does the eviction accesses.

Prime + Time (New Name Assigned in this Paper)

In Step 1, the attacker primes the cache set using access to data at an address known to the attacker. In Step 2, the victim accesses secret data, which possibly evicts data from Step 1. In Step 3, the victim probes each cache set using the same data Step 1, if a cache miss is observed the attacker knowns the secret data maps to the cache set he or she primed in Step 1. This attack strategy has similar Step 1 and Step 2 as Prime + Probe attack, but for Step 3, it is the victim that does the probing accesses.

Flush + Time (New Name Assigned in this Paper)

The victim accesses the same secret data in Step 1 and Step 3; while in Step 2, the attacker tries to invalidate data at a known address. If cache miss is observed in Step 3, that will tell the attacker the data address he or she invalidated in Step 2 maps to the secret data.

Invalidation

related (new names assigned in this paper): Vulnerabilities that have names ending with “invalidation” in Table 3 correspond to the vulnerabilities that have the same name (except for the “invalidation” part) in Table 2. The difference between each set of corresponding vulnerabilities is that the vulnerabilities ending with “invalidation” use invalidation related operation in the last step to derive the timing information, rather than the normal memory access related operations.

Appendix B: Soundness Analysis of the Three-Step Model

In this section, we analyze the soundness of the three-step model to demonstrate that the three-step model can cover all possible timing-based cache vulnerabilities in normal caches. If there is a vulnerability that is represented using more than three steps, the steps can be reduced to only three steps, or a three-step sub-pattern can be found in the longer representation.

In the below analysis, we use β to denote the number of memory-related operations, i.e., steps, in a representation of a vulnerability. We show that β = 1 is not sufficient to represent a vulnerability, β = 2 covers some vulnerabilities but not all, β = 3 represents all the vulnerabilities, and β > 3 can be reduced to only three steps, or a three-step sub-pattern can be found in the longer representation. Known addresses refer to all the cache states that interference with the data a, aalias and d Unknown address refers u. An access to a known memory address is denoted as known_access_operation, and an invalidation of a known memory address is denoted as known_inv_operation. The known_access_operation and known_inv_operation together make up not_u_operation s. An unknown memory related operation (containing u) is denoted as u_operation.

1.1 B.1 Patterns with β = 1

When β = 1, there is only one memory-related operation, and it is not possible to create interference between memory-related operations since two memory-related operations are the minimum requirement for an interference. Furthermore, β = 1 corresponds to the three-step pattern with both Step 1 and Step 2 being ⋆, since the cache state ⋆ gives no information, and Step 3 being the one operation. These types of patterns are all examined by the cache three-step simulator and none of these types are found to be effective. Consequently, a vulnerability cannot exit when β = 1.

1.2 B.2 Patterns with β = 2

When β = 2, it satisfies the minimum requirement of an interference for memory related operations and corresponds to the three-step cases where Step 1 is ⋆, and Step 2 and Step 3 are the two operations. These types are all examined by the cache three-step simulator and some of them belong to Weak Vulnerabilities, like {\(\star \rightsquigarrow A_{a} \rightsquigarrow V_{u}\)}. Therefore, three-step cases where Step 1 is ⋆ have corresponding effective vulnerabilities shown in Table 2. Consequently, β = 2 can represent some weak vulnerabilities, but not all vulnerabilities as there exist some that are represented with three steps, as discussed next.

1.3 B.3 Patterns with β = 3

When β = 3, we have tested all possible combinations of three-step memory related operations in Section 3.3 using our cache simulator for the three-step model. We found that there are in total 72 types of Strong Vulnerabilities and 64 types of Weak Vulnerabilities that are represented by patterns with β = 3 steps. Consequently, β = 3 can represent all the vulnerabilities (including some weak ones where Step 1 is ⋆). Using more steps to represent vulnerabilities is not necessary, as discussed next.

1.4 B.4 Patterns with β > 3

When β > 3, the pattern of memory-related operations for a vulnerability can be reduced using the following rules:

1.4.1 B.4.1 Subdivision Rules

First, a set of subdivision rules is used to divide the long pattern into shorter patterns, following the below rules. Each subdivision rule should be applied recursively before applying the next rule.

Subdivision Rule 1::

If the longer pattern contains a sub-pattern such as {\(...\rightsquigarrow \star \rightsquigarrow ...\)}, the longer pattern can be divided into two separate patterns, where ⋆ is assigned as Step 1 of the second pattern. This is because ⋆ gives no timing information, and the attacker loses track of the cache state after ⋆. This rule should be recursively applied until there are no sub-patterns left with a ⋆ in the middle or as last step (⋆ in the last step will be deleted) in the longer pattern.

Subdivision Rule 2::

Next, if a pattern (derived after recursive application of the Rule 1 contains a sub-pattern such as {\(...\rightsquigarrow A_{inv}/V_{inv} \rightsquigarrow ...\)}, the longer pattern can be divided into two separate patterns, where Ainv/Vinv is assigned as Step 1 of the second pattern. This is because Ainv/Vinv will flush all the timing information of the current block and it can be used as the flushing step for Step 1, e.g., vulnerability {\(A_{inv} \rightsquigarrow V_{u} \rightsquigarrow A_{a} (fast)\)} shown in Table 2. Ainv/Vinv cannot be a candidate for middle steps or the last step because it will flush all timing information, making the attacker unable to deduce the final timing with victim’s sensitive address translation information. This rule should be recursively applied until there are no sub-patterns left with a Ainv/Vinv in the middle or the last step (Ainv/Vinv in the last step will be deleted).

1.4.2 B.4.2 Simplification Rules

For each of the patterns resulting from the subdivision of the original pattern, we define Commute Rule s, Union Rule s, and Reduction Rule s for a each set of two adjacent steps in these remaining patterns. In Table 7, we show all the possible cases of the rule applying conditions for each adjacent two steps, regardless of the attacker’s access (A) or the victim’s access (V ). The table shows whether the corresponding two steps can be commuted, reduced or unioned (and the reduced or the unioned result if the rules can be applied).

Table 7 Rules for combining two adjacent steps
Full size table

1.4.3 B.4.2.1 Commute Rules

Suppose there are two adjacent steps M and N for a memory sequences \(\{...\rightsquigarrow M\rightsquigarrow N \rightsquigarrow ...\}\). If commuting M and N lead to the same observation result, i.e., \(\{...\rightsquigarrow M\rightsquigarrow N \rightsquigarrow ...\}\) and \(\{...\rightsquigarrow N\rightsquigarrow M \rightsquigarrow ...\}\) will have the same timing observation information in the final step for the attacker, we can freely exchange the place of M and N in this pattern. In this case, we have more chance to Reduce and Union the steps within the memory sequence by the following Rule s. In the possible commuting process, we will try every possible combinations to commute different pairs of two steps that are able to apply the Commute Rule s and then further apply Reduce Rule s and Union Rule s to see whether the commute is effective, i.e., there can be steps reduced or unioned after the proper commuting process. The following two adjacent memory-related operations can be commuted:

  • Commute Rule 1: For two adjacent steps, if one step is a known_access_operation and another step is a known_inv_operation. and the addresses they refer to are different, these two steps can be commuted no matter which position of the two steps they are in within the whole memory sequence. It will show a “yes” for the corresponding two-step pattern for the Commute Rule 1 column if these two can be commuted in Table 7.

  • Commute Rule 2: A superset of two-step patterns that can apply Commute Rule 1 can be commuted if the second step of these two adjacent steps is not the last step in the whole memory sequence. There are some two adjacent steps that can only be commuted if the second step of these two adjacent steps is not the last step in the whole memory sequence. There will be a “yes” for the corresponding two-step pattern for the Commute Rule 2 column and a “no” for the corresponding two-step pattern for the Commute Rule 1 column in Table 7.

1.4.4 B.4.2.2 Reduction Rules

If the memory sequence after applying Commute Rule s have a sub-pattern that has two adjacent steps both related to known addresses or both related to unknown address (including repeating states), the two adjacent steps can be reduced to only one following the reduction rules (if the two-step pattern has “yes” for the Column “Union Rule or Reduce Rule” and has no Union result for the “Combined Step” Column in Table 7.

  • Reduction Rule 1: For two u_operation s, although u is unknown, both of the accesses target on the same u so can be reduced to only keep the second access in the memory sequence.

  • Reduction Rule 2: For two known adjacent memory access–related operations (known_access_operation), they always result in a deterministic state of the second memory access–related cache block, so these two steps can be reduced to only one step.

  • Reduction Rule 3: For two adjacent steps, if one step is known_access_operation and another one is known_inv_operation, no matter what order they have, and the address they refer to is the same, these two can be reduced to one step, which is the second step.

1.4.5 B.4.2.3 Union Rules

Suppose there are two adjacent steps M and N for memory sequences \(\{...\rightsquigarrow M\rightsquigarrow N \rightsquigarrow ...\}\). If combining M and N leads to the same timing observation result, i.e., \(\{...\rightsquigarrow M\rightsquigarrow N \rightsquigarrow ...\}\) and \(\{...\rightsquigarrow Union(M,N) \rightsquigarrow ...\}\) will have the same timing observation information in the final step for the attacker, we can combine step M and N to be a joint one step for this memory sequence, defined as Union(M,N). Two adjacent steps that can be combined are discussed in the following cases:

  • Union Rule 1: Two invalidations to two known different memory addresses can be applied Union Rule 1. known_inv_operation are two operations both invalidating some known address; therefore, they can be combined to only one step. The Union Rule can be continuously done to union all the adjacent invalidation step that invalidates known different memory addresses.

1.4.6 B.4.2.4 Final Check Rules

Each long memory sequence will recursively apply these three categorizations of the rules in the order: Commute Rule s first to put known_access_operation s and known_inv_operation that targets the same address as near as possible, and u_operation s and not_u_operation s are putting together as much as possible. The Reduced Rule s are then checked and applied to the processed memory sequence to reduce the steps. Then, the Union Rule is applied to the processed memory sequence.

The recursion at each application to these three categorizations of the rules should be always applied and reduce at least one step until the resulting sequence matches one of the two possible cases:

  • the long (β > 3) memory sequence with u_operation and not_u_operation is further reduced to a sequence where there are at most three steps in the following patterns, or less:

    • \(u\_operation \rightsquigarrow not\_u\_operation \rightsquigarrow u\_operation \)

    • \(not\_u\_operation \rightsquigarrow u\_operation \rightsquigarrow not\_u\_operation\)

    There might be possible extra ⋆ or Ainv/Vinv before these three-step pattern, where:

    • An extra ⋆ in the first step will not influence the result and can be directly removed.

    • If an extra Ainv/Vinv in the first step:

      • If followed by known_access_operation, Ainv/Vinv can be removed due to the actual state further put into the cache block.

      • If followed by known_inv_operation or \(V_{u}^{inv}\), Ainv/Vinv can also be removed since the memory location is repeatedly flushed by the two steps.

      • If followed by Vu, worst case will be \(A^{inv}/V^{inv} \rightsquigarrow V_{u} \rightsquigarrow \\ not\_u\_operation \rightsquigarrow u\_operation\), which is either an effective vulnerability according to Table 2 and reduction rules shown in Section 3.3 or \(A^{inv}/V^{inv} \rightsquigarrow V_{u} \rightsquigarrow A_{d}^{inv}/V_{d}^{inv} \rightsquigarrow u\_operation\), where \(V_{u} \rightsquigarrow A_{d}^{inv}/V_{d}^{inv}\) can further be applied Commute Rule 2 to reduce and be within three steps.

    In this case, the steps are finally within three steps and the checking is done.

  • There exist two adjacent steps that cannot be applied any Rule s above and requires the Rest Checking.

The only left two adjacent steps that cannot be applied by any of the three categorizations of the Rule s are the following:

  • \(\{...\rightsquigarrow A_{a}/V_{a}/A_{a^{alias}}/V_{a^{alias}}/A_{d}/V_{d}/A_{a}^{inv}/V_{a}^{inv}/\)\(A_{a^{alias}}^{inv}/V_{a^{alias}}^{inv} \rightsquigarrow V_{u}\rightsquigarrow ...\}\)

  • \(\{...\rightsquigarrow A_{a}/V_{a}/A_{a^{alias}}/V_{a^{alias}} \rightsquigarrow V_{u}^{inv}\rightsquigarrow ...\}\)

  • \(\{...\rightsquigarrow V_{u} \rightsquigarrow \rightsquigarrow ... A_{a}/V_{a}/A_{a^{alias}}/V_{a^{alias}}/A_{d}/V_{d}/\)\(A_{a}^{inv}/V_{a}^{inv}/A_{a^{alias}}^{inv}/V_{a^{alias}}^{inv}\}\)

  • \(\{...\rightsquigarrow V_{u}^{inv} \rightsquigarrow A_{a}/V_{a}/A_{a^{alias}}/V_{a^{alias}}\rightsquigarrow ...\}\)

We manually checked all of the two adjacent step patterns above and found that adding extra step before or after these two steps can either generate two adjacent step patterns that be processed by the three Rule s, where further step can be reduced, or construct effective vulnerability according to Table 2 and reduction rules shown in Section 3.3, where the corresponding pattern can be treated effective and the checking is done.

1.5 B.4.3 Algorithm for Reducing and Checking Memory Sequence

Algorithm 2 is used to (i) reduce a β-step (β > 3) pattern to a three-step pattern, thus demonstrating that the corresponding β > 3 step pattern actually is equivalent to the output three-step pattern and represents a vulnerability that is captured by an existing three-step pattern, or (ii) demonstrate that the β-step pattern can be mapped to one or more three-step vulnerabilities. It is not possible for a β-step vulnerability pattern to not be either (i) or (ii) after doing the Rule applications Key outcome of our analysis is that any β-step pattern is not a vulnerability, or if it is a vulnerability it maps to either outputs (i) or (ii) of the algorithm.

figure e

Inside the Algorithm 2, contain() represents a function to check if a list contains a corresponding state, is_ineffective() represents a function that checks the corresponding memory sequence does not contain any effective three-steps. has_interval_effective_three_steps() represents a function that check if the corresponding memory sequence can be mapped to one or more three-step vulnerabilities.

1.6 B.4.4 Summary

In conclusion, the three-step model can model all possible timing-based cache vulnerability in normal caches. Vulnerabilities which are represented by more than three steps can be always reduced to one (or more) vulnerabilities from our three-step model, and thus, using more than three step is not necessary.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Deng, S., Xiong, W. & Szefer, J. Analysis of Secure Caches Using a Three-Step Model for Timing-Based Attacks. J Hardw Syst Secur 3, 397–425 (2019). https://doi.org/10.1007/s41635-019-00075-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s41635-019-00075-9

Keywords

Search

Navigation