Mengjia Yan, Yasser Shalabi, Josep Torrellas. University of Illinois at Urbana-Champaign. http://iacoma.cs.uiuc.edu. MICRO October 2016. Motivation: cache-based covert channel attacks communicate through cache conflicts.

1. ReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay
Mengjia Yan, Yasser Shalabi, Josep Torrellas
University of Illinois at Urbana-Champaign
http://iacoma.cs.uiuc.edu
MICRO October 2016

2. Motivation
- Cache-based covert channel attacks
  - Communicate through cache conflicts
- Serious security threat
  - Ubiquitous attack scenario: cloud
  - Bypass security policy; no trace left
- Existing solutions unable to detect all attacks
- Contribution: ReplayConfusion
  - High-coverage detection mechanism
[Figure: four cores, each with an L1, sharing the LLC cache; Trojan (sender) and Spy (receiver) run on different cores]
Mengjia Yan | ReplayConfusion

3. Contribution: ReplayConfusion
Observations:
- Trojan/Spy rely on specific mapping of addresses to caches
- Attack follows a repeating pattern when transmitting
Effects:
- Substantially disrupt cache miss pattern
- Retain the repeating pattern
Change mapping of addresses to caches
- Re-mapping is different for each process
[Figure: record on one cache, replay on a cache with a different mapping; the cache misses of the two runs are compared]

4. Outline
- Background
- Attack Protocols
- ReplayConfusion
  - Observations
  - Detection Framework
  - Detection Example
- Summary

5. Cache-based Covert Channel Attack
- Basic cache organization: Slice (i.e. Bank), Set, Way
- Cache mapping function
  - Can be reverse engineered
- Approach: Prime+Probe
[Figure: the physical address passes through the cache mapping function to give Slice ID, Set ID and Tag; cache drawn with Slice 0/Slice 1 and Set 0/Set 1; timeline of the spy's prime and probe phases while the trojan transmits the bits 01010]

6. Taxonomy of Attack Protocols
Attack protocols:
- Time: Round-Robin, Parallel
- Space: Single Group, Multiple Groups
ReplayConfusion detects all the attacks
[Figure: spy/trojan timelines for the round-robin and parallel protocols (bits 01010); cache diagrams (slice 0/1, set 0/1) for single-group and multiple-group (group 0, group 1) layouts]

7. Observations
- Observation 1: Trojan/spy rely on a specific cache mapping function
- Observation 2: Attack follows a repeating pattern when transmitting
[Figure: cache diagrams (slice 0/1, set 0/1) with group 0 and group 1; spy/trojan timeline of transmitted bits]

8. ReplayConfusion Detection Approach
Observations:
- Trojan/Spy rely on a specific cache mapping function
- Attack follows a repeating pattern when transmitting
Effects:
- Substantially disrupt cache miss pattern
- Retain the repeating pattern
Change mapping of addresses to caches
- Re-mapping is different for each process
[Figure: record on one cache, replay on a cache with a different mapping; the cache misses of the two runs are compared]

9. ReplayConfusion Detection Approach
- Record and Replay
  - Existing mature technique, e.g. Capo, Cyrus …
- Design new HW mapping of addresses to caches
  - Requirements:
    - Small impact on benign programs
    - Big impact on attacks
- Analyze cache miss rate timelines
  - Look for a repeating pattern in the timeline of the cache miss rate difference
[Figure: record on one cache, replay on another; the cache misses of the two runs are compared]

10. Designing New Cache Mapping Functions
- Goal
  - Small impact on benign programs
  - Big impact on attacks
- Set Index Function
  - Swap or flip bits within index field
- Slice Selection Function
  - Replace the bits in the function with nearby ones
[Figure: physical address split into Tag, Set Index and Block Offset; address bits are XORed to produce the Slice ID]

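The set index re-mapping on slide 10, sketched as an added example (not code from the deck or the paper). The geometry comes from the experiment setup slide; the particular swap/flip bit choices, the addresses and the assumption that all lines fall in one slice are hypothetical. Each re-mapping is a permutation of the set indices, so a process's own lines still share a set, while two processes with different re-mappings stop colliding.

```python
OFFSET_BITS = 6    # 64 B blocks, as in the deck's experiment setup
INDEX_BITS = 10    # 2 MB / 64 B / 8 ways / 4 slices = 1024 sets per slice
NUM_SETS = 1 << INDEX_BITS

def set_index(paddr):
    """Baseline set index: the address bits just above the block offset."""
    return (paddr >> OFFSET_BITS) & (NUM_SETS - 1)

def remap(index, swaps=(), flips=()):
    """Swap pairs of bit positions, then flip single bits, inside the index."""
    for a, b in swaps:
        if ((index >> a) ^ (index >> b)) & 1:   # bits differ: exchange them
            index ^= (1 << a) | (1 << b)
    for bit in flips:
        index ^= 1 << bit
    return index

def is_permutation(mapping):
    """True if the re-mapping sends the set indices onto distinct indices."""
    return len({remap(i, **mapping) for i in range(NUM_SETS)}) == NUM_SETS

def sets_used(addrs, mapping=None):
    """Set indices a process touches under the baseline or a replay mapping."""
    return {remap(set_index(p), **(mapping or {})) for p in addrs}

# Hypothetical per-process replay mappings (bit choices are made up here).
SPY_MAP = {"swaps": [(0, 7), (2, 9)], "flips": [4]}
TROJAN_MAP = {"swaps": [(1, 5)], "flips": [3, 8]}

# Constructed physical addresses: eight lines per process, all in set 0x155
# under the baseline mapping (same slice assumed).
STRIDE = 1 << (OFFSET_BITS + INDEX_BITS)
spy_addrs = [0x10000000 + (0x155 << OFFSET_BITS) + w * STRIDE for w in range(8)]
trojan_addrs = [0x20000000 + (0x155 << OFFSET_BITS) + w * STRIDE for w in range(8)]

if __name__ == "__main__":
    print("record shared sets:", sets_used(spy_addrs) & sets_used(trojan_addrs))
    print("replay spy set:    ", sets_used(spy_addrs, SPY_MAP))
    print("replay trojan set: ", sets_used(trojan_addrs, TROJAN_MAP))
    print("replay shared sets:",
          sets_used(spy_addrs, SPY_MAP) & sets_used(trojan_addrs, TROJAN_MAP))
```
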
11. Analyzing Cache Miss Rate Timelines
- Compute timeline of the difference in cache miss rates: (Recording miss rate timeline) - (Replay miss rate timeline)
- Use auto-correlation* to detect repeating pattern in the timeline of the cache miss rate difference
  - Look for a fluctuating pattern in the auto-correlation

|              | Benign programs     | Attacks                        |
|--------------|---------------------|--------------------------------|
| Diff Value   | Small values mostly | Large values when transmitting |
| Diff Pattern | No pattern          | Repeating pattern              |

*A statistical technique that discovers repeating patterns in a signal.

12. Detection Example
- Experiment #1: Bzip2 (co-run with h264ref)
- Experiment #2: Spy in attack (co-run with Trojan)
[Figure: for each experiment, three plots: Miss Rate Timeline in Record, Miss Rate Timeline in Replay, Miss Rate Difference Timeline]

13. Detection Example
- Experiment #1: Bzip2 (co-run with h264ref)
- Experiment #2: Spy in attack (co-run with Trojan)
[Figure: for each experiment, two plots: Miss Rate Timeline Difference, Auto-correlation]

14. More in the Paper
- Details on the taxonomy of cache-based covert channel attacks
- More detection results
  - Attacks using different protocols
  - Attacks with background noise
  - Attacks with small group size
  - More benign programs
- Detailed discussion about robustness of ReplayConfusion
- Discussion of related works

15. Conclusion
- Characteristics of cache-based covert channel attacks:
  - Trojan/spy communication is tuned to mapping of addresses to caches
  - Miss rate pattern repeats when transmitting bits
- ReplayConfusion
  - Use RnR to execute the same program on machines with different mappings of addresses to caches in replay
  - Compute the timeline of the miss rate difference between record and replay
  - Detect repeating patterns → detect attack

16. ReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay
Mengjia Yan, Yasser Shalabi, Josep Torrellas
University of Illinois at Urbana-Champaign
http://iacoma.cs.uiuc.edu
MICRO October 2016

17. Thank You

18. Backup Slides

19. Evaluation Result
Benign programs
[Figure: one panel per program: h264ref, sjeng, gobmk, stream]

20. Experiment Setup
- System: Ubuntu 10.4 with 4GB memory
- 4 in-order cores, 32KB private L1 cache, 2MB shared L2 cache
- L2: 8-way associative, 4 slices, 64B/block

21. Example
[Figure panels: (a) Cache miss rate timeline; (b) Cache miss rate autocorrelogram; (c) Cache miss rate difference timeline; (d) Cache miss rate difference autocorrelogram]

22. Evaluation Result
Attacks using parallel protocols
[Figure: one panel per attack: 2-group; 1-group, ¼ cache, set-based; 1-group, ¼ cache, slice-based; 1-group, unaware]

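23. Related Work

| Category  | Approach                                                      | Limitation                                                        |
|-----------|---------------------------------------------------------------|-------------------------------------------------------------------|
| Defense   | Cache partition                                               | Either not applicable or too much overhead                        |
| Defense   | Add noise to timer                                            | Does not work effectively                                         |
| Detection | Hexpad: high cache access rate                                | Unable to detect advanced attacks                                 |
| Detection | Chiappetta et al.: correlation between sender and receiver    | May have high false positives                                     |
| Detection | CC-Hunter: detect alternate pattern of conflicts              | Only effective against attacks using a specific type of protocol  |
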
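24. Operations of ReplayConfusion
[Figure: SW/HW block diagram with steps numbered ① to ⑤. Labels: RnR Module, Log, Cache Profile Manager, Cache Miss Rate Timeline, Cache Configuration Manager, PMU, and a Cache Address Computation Unit in which the memory address passes through address mapping functions F0 … Fn, chosen by Fsel, to give Slice ID, Set Index and Tag]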