70,869 research outputs found

    A software approach to defeating side channels in last-level caches

    We present a software approach to mitigate access-driven side-channel attacks that leverage last-level caches (LLCs) shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memory pages shared between security domains to disable sharing of LLC lines, thus preventing "Flush-Reload" side channels via LLCs. It also manages cacheability of memory pages to thwart cross-tenant "Prime-Probe" attacks in LLCs. We have implemented our approach as a memory management subsystem called CacheBar within the Linux kernel to intervene on such side channels across container boundaries, as containers are a common method for enforcing tenant isolation in Platform-as-a-Service (PaaS) clouds. Through formal verification, principled analysis, and empirical evaluation, we show that CacheBar achieves strong security with small performance overheads for PaaS workloads.

    Evaluation of the Doodle Families Literacy Programme Pilot

    The Doodle Families Literacy Programme was a pilot programme that was delivered in three DEIS Band 1 primary schools in Limerick during the period of April to June 2015 for First Class children and their parents. Doodle Families was originally designed as an afterschool programme, but the pilot schools delivered it during the school day or bridging the school day and afterschool time. Doodle Families was delivered in two four week blocks, with families participating in one session per week.

    The pilot programme objectives were:

    * To pilot Doodle Families as a follow up to Doodle Den;
    * To train a panel of facilitators from three pilot schools and local services to deliver the programme.
    * To verify programme content, implementation issues and training needs to support the replication of Doodle Families.

    The aim of the evaluation of Doodle Families was to assess the implementation of the programme, how it was delivered and how those involved in the delivery felt about the programme, including school staff, parents, children, school principals and external organisations.

    Time Protection: the Missing OS Abstraction

    Timing channels enable data leakage that threatens the security of computer systems, from cloud platforms to smartphones and browsers executing untrusted third-party code. Preventing unauthorised information flow is a core duty of the operating system; however, present OSes are unable to prevent timing channels. We argue that OSes must provide time protection in addition to the established memory protection. We examine the requirements of time protection, present a design and its implementation in the seL4 microkernel, and evaluate its efficacy as well as performance overhead on Arm and x86 processors.