31 research outputs found
Real time detection of cache-based side-channel attacks using hardware performance counters
Cache-based side-channel attacks are increasingly exposing the weaknesses of many cryptographic libraries and tools by showing that, even though the algorithms might be considered strong, their implementations often lead to unexpected behaviors that can be exploited to obtain sensitive data, usually encryption keys. In this study we analyze three methods to detect cache-based side-channel attacks in real time, preventing or limiting the amount of leaked information. We focus our efforts on detecting three attacks on the well-known OpenSSL library: one that targets AES, one that targets RSA and one that targets ECDSA. The first method is based on monitoring the involved processes and assumes the victim process is known. By collecting and correlating the monitored data we find out whether there exists an attacker and pinpoint it. The second method uses anomaly detection techniques and assumes the benign processes and their behavior are known. By treating the attacker as a potential anomaly we understand whether an attack is in progress and which process is performing it. The last method is based on employing a neural network, a machine learning technique, to profile the attacker and to be able to recognize when a process that behaves suspiciously like the attacker is running. All three of them can successfully detect an attack in about one fifth of the time required to complete it. We could not experience the presence of false positives in our test environment and the overhead caused by the detection systems is negligible. We also analyze how the detection systems behave with a modified version of one of the spy processes. With some optimization we are confident these systems can be used in real world scenarios.
Detecting time-fragmented cache attacks against AES using Performance Monitoring Counters
Cache timing attacks use shared caches in multi-core processors as side
channels to extract information from victim processes. These attacks are
particularly dangerous in cloud infrastructures, in which the deployed
countermeasures cause collateral effects in terms of performance loss and
increase in energy consumption. We propose to monitor the victim process using
an independent monitoring (detector) process, that continuously measures
selected Performance Monitoring Counters (PMC) to detect the presence of an
attack. Ad-hoc countermeasures can be applied only when such a risky situation
arises. In our case, the victim process is the AES encryption algorithm and the
attack is performed by means of random encryption requests. We demonstrate that
PMCs are a feasible tool to detect the attack and that sampling PMCs at high
frequencies is worse than sampling at lower frequencies in terms of detection
capabilities, particularly when the attack is fragmented in time to try to be
hidden from detection.
Detecting time-fragmented cache attacks against AES using Performance Monitoring Counters
Cache timing attacks use shared caches in multi-core processors as side channels to extract information from victim processes.
These attacks are particularly dangerous in cloud infrastructures, in which the deployed countermeasures cause collateral effects in terms of performance loss and increase in energy consumption. We propose to monitor the victim process using an independent monitoring (detector) process, that continuously measures selected Performance Monitoring Counters (PMC) to detect the presence of an attack. Ad-hoc countermeasures can be applied only when such a risky situation arises. In our case, the victim process is the Advanced Encryption Standard (AES) encryption algorithm and the attack is performed by means of random encryption requests. We demonstrate that PMCs are a feasible tool to detect the attack and that sampling PMCs at high frequencies is worse than sampling at lower frequencies in terms of detection capabilities, particularly when the attack is fragmented in time to try to be hidden from detection. Instituto de Investigación en Informátic
Reviving Meltdown 3a
Since the initial discovery of Meltdown and Spectre in 2017, different
variants of these attacks have been discovered. One often overlooked variant is
Meltdown 3a, also known as Meltdown-CPL-REG. Even though Meltdown-CPL-REG was
initially discovered in 2018, the available information regarding the
vulnerability is still sparse. In this paper, we analyze Meltdown-CPL-REG on 19
different CPUs from different vendors using an automated tool. We observe that
the impact is more diverse than documented and differs from CPU to CPU.
Surprisingly, while the newest Intel CPUs do not seem affected by
Meltdown-CPL-REG, the newest available AMD CPUs (Zen3+) are still affected by
the vulnerability. Furthermore, given our attack primitive CounterLeak, we show
that besides up-to-date patches, Meltdown-CPL-REG can still be exploited as we
reenable performance-counter-based attacks on cryptographic algorithms, break
KASLR, and mount Spectre attacks. Although Meltdown-CPL-REG is not as powerful
as other transient-execution attacks, its attack surface should not be
underestimated. Comment: published at ESORICS 202