Analysis of Secure Caches Using a Three-Step Model for Timing-Based Attacks

Deng, Sier; Xiong, Wenjie; Szefer, Jakub

doi:10.1007/s41635-019-00075-9

Cited by 26 publications

(33 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Their model is established based on two observations: all existing cache timing attacks focusing on the data are within three memory operations, and timing attacks can be analyzed by checking the behavior of one cache block (since all blocks are updated in the same manner by the cache logic). Following these observations, the work in [11] presented a three-step model focusing on one cache block for evaluating all possible timing-based attacks. Further, a soundness analysis of the three-step model was performed to show that three steps are sufficient to model all the timing-based attacks in caches.…”

Section: Previous Three-step Model For Timing-based Attacks In Cachesmentioning

confidence: 99%

“…And most recently, timing-based channels are used as part of Spectre and Meltdown variants, e.g., [26,31,40,29]. [11].…”

Section: Timing-based Attacks On Processor Cachesmentioning

confidence: 99%

“…Each of the steps can be performed by the attacker (A) or the victim (V). The goal of [11] is to find which three-step combinations can represent timing attacks from which the attacker learns information about the unknown address accessed by the victim. The authors list 17 possible states for a cache line, shown in Table 1.…”

Section: Previous Three-step Model For Timing-based Attacks In Cachesmentioning

confidence: 99%

“…With their analysis, [11] showed that 29 out of 72 vulnerabilities map to existing cache attacks. The other 43 types are new without corresponding attacks in literature at that time.…”

Section: Previous Three-step Model For Timing-based Attacks In Cachesmentioning

confidence: 99%

“…We expand the model in [11] by considering more realistic cases for a processor's memory-related operation.…”

Section: Improved Modeling Of Real Processorsmentioning

confidence: 99%

See 4 more Smart Citations

A Benchmark Suite for Evaluating Caches' Vulnerability to Timing Attacks

Deng

Xiong

Szefer

2020

Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Syste

Self Cite

View full text Add to dashboard Cite

Timing-based side or covert channels in processor caches continue to present a threat to computer systems, and they are the key to many of the recent Spectre and Meltdown attacks. Based on improvements to an existing three-step model for cache timing-based attacks, this work presents 88 Strong types of theoretical timing-based vulnerabilities in processor caches. To understand and evaluate all possible types of vulnerabilities in processor caches, this work further presents and implements a new benchmark suite which can be used to test to which types of cache timing-based attacks a given processor or cache design is vulnerable. In total, there are 1094 automatically-generated test programs which cover the 88 theoretical vulnerabilities. The benchmark suite generates the Cache Timing Vulnerability Score which can be used to evaluate how vulnerable a specific cache implementation is to different attacks. A smaller Cache Timing Vulnerability Score means the design is more secure, and the scores among different machines can be easily compared. Evaluation is conducted on commodity Intel and AMD processors and shows the differences in processor implementations can result in different types of attacks that they are vulnerable to. Beyond testing commodity processors, the benchmarks and the Cache Timing Vulnerability Score can be used to help designers of new secure processor caches evaluate their design's susceptibility to cache timing-based attacks.

show abstract

Section: Previous Three-step Model For Timing-based Attacks In Cachesmentioning

confidence: 99%

“…And most recently, timing-based channels are used as part of Spectre and Meltdown variants, e.g., [26,31,40,29]. [11].…”

Section: Timing-based Attacks On Processor Cachesmentioning

confidence: 99%

Section: Previous Three-step Model For Timing-based Attacks In Cachesmentioning

confidence: 99%

“…With their analysis, [11] showed that 29 out of 72 vulnerabilities map to existing cache attacks. The other 43 types are new without corresponding attacks in literature at that time.…”

Section: Previous Three-step Model For Timing-based Attacks In Cachesmentioning

confidence: 99%

“…We expand the model in [11] by considering more realistic cases for a processor's memory-related operation.…”

Section: Improved Modeling Of Real Processorsmentioning

confidence: 99%

See 3 more Smart Citations

A Benchmark Suite for Evaluating Caches' Vulnerability to Timing Attacks

Deng

Xiong

Szefer

2020

Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Syste

Self Cite

View full text Add to dashboard Cite

show abstract

A Formal Methodology for Verifying Side-Channel Vulnerabilities in Cache Architectures

Jiang

Zhang

Sanán

et al. 2022

Formal Methods and Software Engineering

View full text Add to dashboard Cite

Security-aware CPU caches have been designed to mitigate side-channel attacks and prevent information leakage. How to validate the effectiveness of these designs remains an unsolved problem. Prior works assess the security of architectures empirically without a formal guarantee, making the evaluation results less convincing. In this paper, we propose a comprehensive methodology based on formal methods for security verification of cache architectures. Specifically, we design an entropy-based noninterference reasoning framework with two unwinding conditions to assess the information leakage of the cache designs. The reasoning framework quantifies the dependency relationships by the mutual information between the distributions of input and output of side channels. Given a cache design, we formalize its behavior specification along with the cache layouts into an abstract state machine, to instantiate the parameterized reasoning framework that discloses any potential vulnerabilities. We use our methodology to assess eight state-of-the-art cache architectures to demonstrate reliability as well as flexibility.

show abstract