Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mengjia Yan, Yasser Shalabi, Josep Torrellas

Published byRodger Jennings Modified over 6 years ago

Similar presentations

Presentation on theme: "Mengjia Yan, Yasser Shalabi, Josep Torrellas"— Presentation transcript:

1 ReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay
Mengjia Yan, Yasser Shalabi, Josep Torrellas University of Illinois at Urbana-Champaign Say uiuc MICRO October 2016

2 Mengjia Yan | ReplayConfusion
Motivation Cache-based covert channel attacks Communicate through cache conflicts Serious security threat Ubiquitous attack scenario: cloud Bypass security policy; no trace left Existing solutions unable to detect all attacks Contribution: ReplayConfusion High-coverage detection mechanism Trojan (sender) Spy (receiver) Core L1 Core L1 Core L1 Core L1 LLC Cache Explain trojan better Trojan process : malicious process inject into a victim process has secret information and leak it to a spy process It has malicious component, but appear to legal to users Starts with the motivation is there is a type of attack: …. Ebds with our contribution replayconfusion is a mechanism that provides high-coverage detect for this attack

3 Contribution: ReplayConfusion
Mengjia Yan | ReplayConfusion Contribution: ReplayConfusion Observations: Trojan/Spy rely on specific mapping addressescaches Attack follows a repeating pattern when transmitting Effects: Substantially disrupt cache miss pattern Retain the repeating pattern Change mapping of addressescaches Re-mapping is different for each process ? Cache misses Explain record and replay first, non-deterministic events into a log Finish by Saying separate attackers from benign programs RnR: as program executes, record ND into a log and obtain timeline from PMU Cache miss rate timeline!! record cache replay (different mapping) Cache misses cache

4 Mengjia Yan | ReplayConfusion
Outline Background Attack Protocols ReplayConfusion Observations Detection Framework Detection Example Summary

5 Cache-based Covert Channel Attack
Mengjia Yan | ReplayConfusion Cache-based Covert Channel Attack Basic cache organization: Slice(i.e. Bank), Set, Way Cache mapping function Approach: Prime+Probe Cache Mapping Function Slice ID Set ID Tag Physical Address Can be reverse engineered trojan spy prime 1 1 Example: 2 groups From now on, I use one access to represent multiple accesses to sets Probe fills all cache sets, so it can be used as next prime stage Slice 0 Slice 1 Set 0 probe 1 1 Set 1 Time

6 Taxonomy of Attack Protocols
Mengjia Yan | ReplayConfusion Taxonomy of Attack Protocols trojan spy Round-robin Parallel Round-Robin Time Parallel 1 1 Attack Protocols Single Group ReplayConfusion detects all the attacks Space Multiple Groups 1 1 The paper presents taxonomy of existing .. Through cache conflicts. Time Time group 0 group 1 slice0 slice1 set0 set1 slice0 slice1 set0 set1 slice0 slice1 set0 set1

7 Mengjia Yan | ReplayConfusion
Observations Observation 1: Trojan/spy rely on a specific cache mapping function Observation 2: Attack follows a repeating pattern when transmitting slice0 slice1 set0 set1 trojan group 0 1 spy group 1 slice0 slice1 set0 set1 1 1 slice0 slice1 set0 set1 1 Time

8 ReplayConfusion Detection Approach
Mengjia Yan | ReplayConfusion ReplayConfusion Detection Approach Observations: Trojan/Spy rely on a specific cache mapping function Attack follows a repeating pattern when transmitting Effects: Substantially disrupt cache miss pattern Retain the repeating pattern Change mapping of addressescaches Re-mapping is different for each process ? Cache misses Move boxes to fit text record cache Replay (different mapping) Cache misses cache

9 Replay Confusion Detection Approach
Mengjia Yan | ReplayConfusion Replay Confusion Detection Approach ? record cache Cache misses Cache misses Replay cache Record and Replay Design new HW mapping addresses  caches Analyze cache miss rate timelines To implement ReplayConfusion, we need to support three mechanisms Capo/a:/ Existing mature technique e.g. Capo, Cyrus … Requirements: Small impact on benign programs Big impact on attacks Look for a repeating pattern in the timeline of the cache miss rate difference

10 Designing New Cache Mapping Functions
Mengjia Yan | ReplayConfusion Designing New Cache Mapping Functions Goal Small impact on benign programs Big impact on attacks Set Index Function Swap or flip bits within index field Set Index Tag Block Offset Phys Addr Use the swap for later Slice Selection Function Replace the bits in the function with nearby ones xor Slice ID

11 Analyzing Cache Miss Rate Timelines
Mengjia Yan | ReplayConfusion Analyzing Cache Miss Rate Timelines Compute timeline of the difference in cache miss rates (Recording miss rate timeline) – (Replay miss rate timeline) Use auto-correlation* to detect repeating pattern in the timeline of the cache miss rate difference Look for a fluctuating pattern in the auto-correlation Benign programs Attacks Diff Value Small values mostly Large values when transmitting Diff Pattern No pattern Repeating pattern Compute the timeline difference of cache miss rate *A statistical technique that discovers repeating patterns in a signal.

12 Mengjia Yan | ReplayConfusion
Detection Example Experiment #1: Bzip2 (co-run with h264ref) Experiment #2: Spy in attack (co-run with Trojan) Miss Rate Timeline in Record Replay Miss Rate Difference Timeline X axis: time Y axis: cache miss rate

13 Mengjia Yan | ReplayConfusion
Detection Example Experiment #1: Bzip2 (co-run with h264ref) Experiment #2: Spy in attack (co-run with Trojan) Miss Rate Timeline Difference Auto-correlation Repeat miss rate difference timeline from last slide Apply autocorrelation to the difference timeline Auto correlation computes the similarity of a signal to itself with certain peak -> high value, very similar to itself Low value-> not similar

14 Mengjia Yan | ReplayConfusion
More in the Paper Details on the taxonomy of cache-based covert channel attacks More detection results Attacks using different protocols Attacks with background noise Attacks with small group size More benign programs Detailed discussion about robustness of ReplayConfusion Discussion of related works

15 Mengjia Yan | ReplayConfusion
Conclusion Characteristics of cache-based covert channel attacks: Trojan/spy communication is tuned to mapping of addresses to caches Miss rate pattern repeats when transmitting bits ReplayConfusion Use RnR to execute the same program on machines with different mappings of addresses to caches in replay Compute the timeline of the miss rate difference between record and replay Detect repeating patterns  detect attack

16 ReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay
Mengjia Yan, Yasser Shalabi, Josep Torrellas University of Illinois at Urbana-Champaign Say uiuc MICRO October 2016

17 Mengjia Yan | ReplayConfusion
Thank You

18 Mengjia Yan | ReplayConfusion
Backup Slides

19 Evaluation Result Benign Programs
Mengjia Yan | ReplayConfusion Evaluation Result Benign Programs h264ref sjeng gobmk stream

20 Mengjia Yan | ReplayConfusion
Experiment Setup System: Ubuntu 10.4 with 4GB memory 4 in-order core, 32KB private L1 cache, 2MB shared L2 cache L2: 8-way associative, 4 slices, 64B/block

21 Mengjia Yan | ReplayConfusion
Example (a) Cache miss rate timeline (b) Cache miss rate autocorrelogram (c) Cache miss rate difference timeline (d) Cache miss rate difference autocorrelogram

22 Evaluation Result Attacks using parallel protocols
Mengjia Yan | ReplayConfusion Evaluation Result Attacks using parallel protocols 2-group 1-group, ¼ cache, set-based 1-group, ¼ cache, slice-based 1-group, unaware

23 Related Work Defense Detection Cache Partition Add noise to timer
Mengjia Yan | ReplayConfusion Related Work Either not not applicable or too much overhead Defense Cache Partition Add noise to timer Detection Hexpad: high cache access rate Chiappetta et al. : correlation between sender and receiver CC-Hunter: detect alternate pattern of conflicts Not work effectively Unable to detect advanced attacks May have high false positives Only effective to attacks using a specific type of protocols

24 Operations of ReplayConfusion
Mengjia Yan | ReplayConfusion Operations of ReplayConfusion Log Cache Miss Rate Timeline RnR Module Cache Configuration Manager Cache Profile Manager SW PMU HW F0 Fsel Address Mapping Memory Address Fn Slice ID Set Index Tag Cache Address Computation Unit

Download ppt "Mengjia Yan, Yasser Shalabi, Josep Torrellas"

Similar presentations

Slides Prepared from the CI-Tutor Courses at NCSA By S. Masoud Sadjadi School of Computing and Information Sciences Florida.

Slides Prepared from the CI-Tutor Courses at NCSA By S. Masoud Sadjadi School of Computing and Information Sciences Florida.
Lecture 12 Reduce Miss Penalty and Hit Time

Lecture 12 Reduce Miss Penalty and Hit Time
Practical Caches COMP25212 cache 3. Learning Objectives To understand: –Additional Control Bits in Cache Lines –Cache Line Size Tradeoffs –Separate I&D.

Practical Caches COMP25212 cache 3. Learning Objectives To understand: –Additional Control Bits in Cache Lines –Cache Line Size Tradeoffs –Separate I&D.
Low-Cost Data Deduplication for Virtual Machine Backup in Cloud Storage Wei Zhang, Tao Yang, Gautham Narayanasamy University of California at Santa Barbara.

Low-Cost Data Deduplication for Virtual Machine Backup in Cloud Storage Wei Zhang, Tao Yang, Gautham Narayanasamy University of California at Santa Barbara.
112-12-2001CS752 Decoupled Architecture for Data Prefetching Jichuan Chang Kai Xu.

CS752 Decoupled Architecture for Data Prefetching Jichuan Chang Kai Xu.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
Defining Anomalous Behavior for Phase Change Memory

Defining Anomalous Behavior for Phase Change Memory
Speculative Software Management of Datapath-width for Energy Optimization G. Pokam, O. Rochecouste, A. Seznec, and F. Bodin IRISA, Campus de Beaulieu 35042.

Speculative Software Management of Datapath-width for Energy Optimization G. Pokam, O. Rochecouste, A. Seznec, and F. Bodin IRISA, Campus de Beaulieu
DASX : Hardware Accelerator for Software Data Structures Snehasish Kumar, Naveen Vedula, Arrvindh Shriraman (Simon Fraser University), Vijayalakshmi Srinivasan.

DASX : Hardware Accelerator for Software Data Structures Snehasish Kumar, Naveen Vedula, Arrvindh Shriraman (Simon Fraser University), Vijayalakshmi Srinivasan.
Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.

Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.
1 Chapter Seven. 2 Users want large and fast memories! SRAM access times are 2 - 25ns at cost of $100 to $250 per Mbyte. DRAM access times are 60-120ns.

1 Chapter Seven. 2 Users want large and fast memories! SRAM access times are ns at cost of $100 to $250 per Mbyte. DRAM access times are ns.
COMP25212 - SYSTEM ARCHITECTURE PRACTICAL CACHES Sergio Davies Feb/Mar 2014COMP25212 – Lecture 3.

COMP SYSTEM ARCHITECTURE PRACTICAL CACHES Sergio Davies Feb/Mar 2014COMP25212 – Lecture 3.
Architectural Features of Transactional Memory Designs for an Operating System Chris Rossbach, Hany Ramadan, Don Porter Advanced Computer Architecture.

Architectural Features of Transactional Memory Designs for an Operating System Chris Rossbach, Hany Ramadan, Don Porter Advanced Computer Architecture.
Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.

Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.
A High-Resolution Side-Channel Attack on Last-Level Cache Mehmet Kayaalp, IBM Research Nael Abu-Ghazaleh, University of California Riverside Dmitry Ponomarev,

A High-Resolution Side-Channel Attack on Last-Level Cache Mehmet Kayaalp, IBM Research Nael Abu-Ghazaleh, University of California Riverside Dmitry Ponomarev,
Covert Channels Through Branch Predictors: a Feasibility Study

Covert Channels Through Branch Predictors: a Feasibility Study
CSCI206 - Computer Organization & Programming

CSCI206 - Computer Organization & Programming
Translation Lookaside Buffer

Translation Lookaside Buffer
Improving Multi-Core Performance Using Mixed-Cell Cache Architecture

Improving Multi-Core Performance Using Mixed-Cell Cache Architecture
Hardware-rooted Trust for Secure Key Management & Transient Trust

Hardware-rooted Trust for Secure Key Management & Transient Trust

Similar presentations

Ads by Google