2015 | OriginalPaper | Book chapter

Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters

Authors: Clémentine Maurice, Nicolas Le Scouarnec, Christoph Neumann, Olivier Heen, Aurélien Francillon

Published in: Research in Attacks, Intrusions, and Defenses

Publisher: Springer International Publishing

Abstract

Cache attacks, which exploit differences in timing to build covert or side channels, are now well understood. Recent works leverage the last-level cache to perform cache attacks across cores. This cache is split into slices, with one slice per core. While predicting the slices used by an address is simple in older processors, recent processors are using an undocumented technique called complex addressing. This renders some attacks more difficult and makes other attacks impossible, because of the loss of precision in the prediction of cache collisions.
In this paper, we build an automatic and generic method for reverse engineering Intel’s last-level cache complex addressing, consequently rendering the class of cache attacks highly practical. Our method relies on CPU hardware performance counters to determine the cache slice an address is mapped to. We show that our method gives a more precise description of the complex addressing function than previous work. We validated our method by reversing the complex addressing functions on a diverse set of Intel processors. This set encompasses Sandy Bridge, Ivy Bridge and Haswell micro-architectures, with different numbers of cores, for mobile and server ranges of processors. We show the correctness of our function by building a covert channel. Finally, we discuss how other attacks benefit from knowing the complex addressing of a cache, such as sandboxed rowhammer.

Footnotes
1
For the Xeon range (servers): processors of the micro-architecture Sandy Bridge in [9], Ivy Bridge in [11], and Haswell in [12]. For the Core range (mobiles and workstations), in [10] for the three aforementioned micro-architectures.
 
2
At the time of camera ready, Espresso has been running without providing any results for more than 2000 h on a table of more than 100.000.000 lines, which only represents the sixth of the 64 GB of memory of the machine.
 
References
1. Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh Aah.. Just a Little Bit”: a small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014)
4. Crama, Y., Hammer, P.L.: Boolean Functions: Theory, Algorithms, and Applications. Cambridge University Press, New York (2011)
5. Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.: On the feasibility of online malware detection with performance counters. ACM SIGARCH Comput. Architect. News 41(3), 559–570 (2013)
6.
7. Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: Proceedings of the 24th USENIX Security Symposium (2015)
8. Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (S&P 2013), pp. 191–205. IEEE, May 2013
9. Intel. Intel® Xeon® Processor E5–2600 Product Family Uncore Performance Monitoring Guide. 327043–001:1–136 (2012)
10. Intel. Intel® 64 and IA-32 Architectures Software Developer’s Manual, vol. 3 (3A, 3B & 3C): System Programming Guide. 3(253665) (2014)
11. Intel. Intel® Xeon® Processor E5 v2 and E7 v2 Product Families Uncore Performance Monitoring Reference Manual. 329468–002:1–200 (2014)
12. Intel. Intel® Xeon® Processor E5 v3 Family Uncore Performance Monitoring Reference Manual. 331051–001:1–232 (2014)
13. Irazoqui, G., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (AsiaCCS 2015), pp. 85–96 (2015)
14. Irazoqui, G., Eisenbarth, T., Sunar, B.: S$A: a shared cache attack that works across cores and defies VM sandboxing–and its application to AES. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P 2015) (2015)
15. Irazoqui, G., Eisenbarth, T., Sunar, B.: Systematic reverse engineering of cache slice selection in Intel processors. In: Proceedings of the 18th EUROMICRO Conference on Digital System Design (2015)
16. Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! A fast, Cross-VM attack on AES. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 299–319. Springer, Heidelberg (2014)
17. Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Know thy neighbor: crypto library detection in cloud. Proc. Priv. Enhancing Technol. 1(1), 25–40 (2015)
19. Kim, D.-H., Nair, P.J., Qureshi, M.K.: Architectural support for mitigating row hammering in DRAM memories. IEEE Comput. Archit. Lett. 14(1), 9–12 (2014)
20. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P 2015) (2015)
21. Malone, C., Zahran, M., Karri, R.: Are hardware performance counters a cost effective way for integrity checking of programs. In: Proceedings of the Sixth ACM Workshop on Scalable Trusted Computing (2011)
22. Maurice, C., Neumann, C., Heen, O., Francillon, A.: C5: cross-cores cache covert channel. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 46–64. Springer, Heidelberg (2015)
23. Neve, M., Seifert, J.-P.: Advances on access-driven cache attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 147–162. Springer, Heidelberg (2007)
24. Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015) (2015)
25. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)
26. Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan, pp. 1–13 (2005)
27. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), pp. 199–212 (2009)
30. Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptology 23(1), 37–71 (2010)
31. Uhsadel, L., Georges, A., Verbauwhede, I.: Exploiting hardware performance counters. In: Proceedings of the 5th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pp. 59–67 (2008)
32. Willems, C., Hund, R., Fobian, A., Felsch, D., Holz, T.: Down to the bare metal: using processor features for binary analysis. In: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC 2012), pp. 189–198 (2012)
33. Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: Proceedings of the 21st USENIX Security Symposium (2012)
34. Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: Proceedings of the 42nd International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12 (2012)
35. Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Cloud Computing Security Workshop (CCSW 2011), pp. 29–40 (2011)
36. Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23rd USENIX Security Symposium (2014)
37. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012) (2012)
38. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side-channel attacks in PaaS clouds. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pp. 990–1003. ACM Press, New York (2014)
Metadata
Title
Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters
Authors
Clémentine Maurice
Nicolas Le Scouarnec
Christoph Neumann
Olivier Heen
Aurélien Francillon
Copyright year
2015
DOI
https://doi.org/10.1007/978-3-319-26362-5_3