• Home
  • About
    • Seokmin.Lee photo

      Seokmin.Lee

      Hello, I am a master's student in the Department of Convergence Security (Samsung Advanced Security) at Korea University.After graduation, I am expected as a security developer or researcher member of Samsung SDS.

    • Learn More
    • LinkedIn
    • Github
  • Posts
    • All Tags
  • Portfolio
  • Hobbies

[paper]flush+flush_a_fast_and_stealthy_cache_attack

16 Dec 2020

Abstract

  • ์ง€๊ธˆ๊นŒ์ง€์˜ cache side channel attack์€ ๋ฉ”๋ชจ๋ฆฌ์˜ ์ ‘๊ทผ์˜ ์œ ๋ฌด๋ฅผ ํ†ตํ•ด ์ •๋ณด๋ฅผ ์œ ์ถœ์‹œ์ผฐ๋‹ค.
  • ๊ทธ๋ ‡๊ธฐ์— cache hit๊ฐ’์ด ๋˜๋Š” Cache miss๊ฐ’์ด ๋น„์ด์ƒ์ ์œผ๋กœ ์˜ฌ๋ผ๊ฐ€๊ฒŒ ๋œ๋‹ค.
  • ์ด๋Š” HPC(Hardware Performance Counter)๋ฅผ ํ†ตํ•ด ํƒ์ง€๊ฐ€ ๊ฐ€๋Šฅํ•˜๋ฉฐ ์ด๋ฅผ ํ†ตํ•ด Flush+Reload,RowHammer,Prime+Probe๋“ฑ์˜ ๊ณต๊ฒฉ์˜ detection์ด ๊ฐ€๋Šฅํ•˜๋‹ค.
  • ๊ทธ๋Ÿฌ๋‚˜ Flush+Flush๋Š” memory access๊ฐ€ ์ด๋ฃจ์›Œ์ง€์ง€ ์•Š๊ณ  clflush execution time์„ ํ†ตํ•ด data๊ฐ€ cached๋˜์—ˆ๋Š”์ง€ ์•ˆ๋˜์—ˆ๋Š”์ง€๋ฅผ ํŒ๋‹จํ•˜๊ธฐ ๋•Œ๋ฌธ์— HPC์˜ ํƒ์ง€๊ฐ€ ๋ถˆ๊ฐ€๋Šฅํ•˜๋‹ค. (Stealthy์˜ ์ด์œ )
  • ๋˜ํ•œ Flush+Flush๋Š” ๋‹ค๋ฅธ cache side channel attack๊ณผ ๋น„๊ตํ•˜์—ฌ ๋น ๋ฅธ ์‹คํ–‰์„ฑ์„ ๊ฐ–๊ณ ์žˆ๋Š”๋ฐ, ๊ทธ ์ด์œ ๋Š” ๋ฉ”๋ชจ๋ฆฌ ์ ‘๊ทผ์ด ์—†๊ณ  clflush ๋ช…๋ น์–ด๋งŒ ์‚ฌ์šฉํ•ด ๊ณต๊ฒฉ์„ ์ง„ํ–‰ํ•˜๊ธฐ ๋•Œ๋ฌธ์ด๋‹ค. (Fast์˜ ์ด์œ )

Introduction

  • Cache attacks include covert and crytographic side channels, but caches have also been exploited in other types of attacks such as bypassing kernel ASLR, detecting cryptographic libraries, or key stroke
  • HPC->OS-level-detection based on cached hit and misses
  • three scenarios
    • a covert channel
    • a side-channel attack on user input
    • a side-channel attack on AES with T-tables
  • Implement a detection machanism that monitors cache references and cache missess of LLC
  • The Flush+Flush attack does not trigger prefetches and thus allows to monitor multiple addresses within a 4KB memory range in contrast to Flush+Reload that fails in these scenarios.

Background

CPU Caches

  • CPU caches hide the memory access latency to the slow physical memory by buffering frequently used data in a small and fast memory
  • CPU achitectures: n-way-set-associative-caches(->cache sets->cache lines)
  • A line is loaded in a set depending on its address, and each line can occupy any of the n ways.
  • L1,L2,L3( inclusive ) ( L1, L2์— ์žˆ๋Š” ๋ชจ๋“  ๋ฐ์ดํ„ฐ๋“ค์€ L3์— ์žˆ์Œ )( ๊ทธ๋ ‡๊ธฐ์— ๋‹ค๋ฅธ ํ”„๋กœ์„ธ์Šค์˜ L1 cache์— ์žˆ๋Š” ์ค‘์š”ํ•œ data๋ฅผ ๋‹ค๋ฅธ ํ”„๋กœ์„ธ์Šค์—์„œ ๋ณผ ์ˆ˜ ์žˆ์Œ )( ์ถ”์ถœ๋˜๊ฒŒ ๋˜๋ฉด, ์ด๋ฅผ cache attack์ด๋ผ ๋ถ€๋ฆ„ )
  • LLC๋Š” ring bus์˜ ํ˜•ํƒœ๋กœ ์ฝ”์–ด๋“ค์— ์˜ํ•ด์„œ ๋งŽ์ด ๋‚˜๋ˆ„์–ด์ ธ์žˆ์Œ Ringbus
  • Sandy Bridge์—์„œ๋Š” ๊ฐ๊ฐ์˜ ๋ฌผ๋ฆฌ์  ์ฃผ์†Œ๊ฐ’๋“ค์„ ring-bus์˜ ํ˜•ํƒœ๋กœ ๋‚˜๋‰˜์–ด์ง„ LLC์— โ€œComplex-address functionโ€์„ ํ†ตํ•ด mapping์„ ์ง„ํ–‰ํ•œ๋‹ค.
  • Cache replacement policy
    • variants of LRU
    • bimoal insertion policy(CPU can switch between the two strategies)

Shared memory

  • OS & hypervisors instrument shared memory to reduce the ovevall physical memory utilization and the TLB utilization
  • OS๋Š” file์„ mappingํ•˜๋Š” ๊ฒƒ, ํ”„๋กœ์„ธ์Šค๋Š” forkํ•˜๋Š” ๊ฒƒ, ๊ทธ๋ฆฌ๊ณ  process๋ฅผ ๋‘๋ฒˆ ์‹คํ–‰ํ•˜๋Š” ๊ฒƒ ๋ชจ๋‘ ๋น„์Šทํ•˜๊ฒŒ ์ฒ˜๋ฆฌ๋œ๋‹ค. (์™œ๋ƒํ•˜๋ฉด ๋ฉ”๋ชจ๋ฆฌ ์ง€์—ญ์— ๋Œ€ํ•œ ์ค‘๋ณต ์ œ๊ฑฐ ๊ฒฐ๊ณผ์ด๊ธฐ ๋–„๋ฌธ์—)
  • Content-based page deduplication ( OS & hypervisor๋Š” ๋ฌผ๋ฆฌ ๋ฉ”๋ชจ๋ฆฌ์— byte๋‹จ์œ„๋กœ ๋™์ผํ•œ ํŽ˜์ด์ง€๋ฅผ ์Šค์ผ„ํ•˜๊ณ  ๋™์ผํ•œ ํŽ˜์ด์ง€๋“ค์ด ๊ฐ™์€ ๋ฌผ๋ฆฌ ๋ฉ”๋ชจ๋ฆฌ์— mapping๋˜์–ด์žˆ๋‹ค๋ฉด ๋™์ผํ•œ ์‹ค์ œ ํŽ˜์ด์ง€์— ๋‹ค์‹œ ๋งคํ•‘๋˜๊ณ  ๋‹ค๋ฅธ ํŽ˜์ด์ง€๋Š” ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•œ ํŽ˜์ด์ง€๋กœ ํ‘œ์‹œ๋œ๋‹ค ์ด ๊ธฐ์ˆ ์€ TLB์™€ ๋ฌผ๋ฆฌ๋ฉ”๋ชจ๋ฆฌ์˜ ์‚ฌ์šฉ ์„ฑ๋Šฅ์„ ์ €ํ•˜์‹œํ‚จ๋‹ค
  • ๊ด€๋ จ์—†๋Š” ์ •๋ณด๋“ค์˜ ๊ณต์œ ์™€ sandboxed process๋“ค ์‚ฌ์ด, ๊ทธ๋ฆฌ๊ณ  ๋‹ค๋ฅธ ๊ฐ€์ƒ๋จธ์‹ ์—์„œ์˜ ์ง„ํ–‰์ค‘์ธ ํ”„๋กœ์„ธ์Šค๋“ค ์‚ฌ์ด์—์„œ์˜ ๋ฉ”๋ชจ๋ฆฌ ๊ณต์œ ๋Š” ๋ณด์•ˆ์˜ ๊ฑฑ์ •์„ ๋ถˆ๋Ÿฌ์ผ์œผํ‚จ๋‹ค.

Cache Attacks and Rowhammer

  • Cache Attack์€ CPU cache์™€ ๋ฌผ๋ฆฌ๋ฉ”๋ชจ๋ฆฌ ์™€์˜ ๋‹ค๋ฅธ ์ง€์—ฐ์‹œ๊ฐ„์˜ ์ฐจ์ด๋กœ ๋ฐœ์ƒํ•˜๋Š” ์‹œ๊ฐ„์ฐจ์ด์— ๋Œ€ํ•œ ๊ณต๊ฒฉ์ด๊ณ  ์ „ํ˜•์ ์œผ๋กœ ๋‘๊ฐ€์ง€๋กœ ๋‚˜๋ˆ ์ง„๋‹ค.
    1. Prime+Probe (๋ฉ”๋ชจ๋ฆฌ ๊ณต์œ ๊ฐ€ ๋˜์–ด์žˆ์ง€ ์•Š๋Š” ๊ฒƒ)
    2. Flush+Reload (๋ฉ”๋ชจ๋ฆฌ ๊ณต์œ ๊ฐ€ ๋˜์–ด์žˆ๋Š” ๊ฒƒ)
  • Prime+Probe
    1. ๊ณต๊ฒฉ์ž๊ฐ€ cache set์„ ์ ๋ นํ•œ๋‹ค.
    2. ํ”ผํ•ด์ž๊ฐ€ cache set ๋œ line์„ ๊ต์ฒด ํ•˜๋Š” ๊ฒƒ์„ ์ธก์ •ํ•œ๋‹ค
      • ํ˜„๋Œ€ ํ”„๋กœ์„ธ์„œ๋“ค์ด complex addressing๊ณผ undocumneted replacement ์ •์ฑ…์„ ์‚ฌ์šฉํ•œ ๋ฌผ๋ฆฌ์ ์œผ๋กœ ์ƒ‰์ธ๋œ llc๋ฅผ ์ด์šฉํ•˜๊ธฐ ๋•Œ๋ฌธ์— Cross-VM side-channel attack๊ณผ covert-channel๋“ค์ด ๋‚˜ํƒ€๋‚˜๊ฒŒ ๋˜์—ˆ๋‹ค.
  • Flush+Reload
    1. ๊ณต๊ฒฉ์ž๊ฐ€ clflush๋กœ ์ผ์ • single cache๋ฅผ flush ์‹œํ‚จ๋‹ค.
    2. ๊ณต๊ฒฉ์ž๋Š” ๊ณ„์† ์ ‘๊ทผํ•œ๋‹ค.
    3. ๋งŒ์•ฝ ํ”ผํ•ด์ž๊ฐ€ single cache์— ์ ‘๊ทผ์„ ํ–ˆ์œผ๋ฉด ๊ณต๊ฒฉ์ž๊ฐ€ ์ ‘๊ทผํ•œ ์‹œ๊ฐ„์ด ์งง๊ณ  (cache hit) ํ”ผํ•ด์ž๊ฐ€ single cache์— ์ ‘๊ทผ์„ ํ•˜์ง€ ์•Š์•˜์œผ๋ฉด (cache miss) ๊ณต๊ฒฉ์ž๊ฐ€ ์ ‘๊ทผํ•œ ์‹œ๊ฐ„์ด ๊ธธ๋‹ค.
  • Rowhammer
    • ์ „ํ˜•์ ์ธ cache attack์€ ์•„๋‹ˆ๋‹ค.
    • ํŠน์ • DRAM row์— ๊ณ„์† ๋ฐ˜๋ณต์ ์œผ๋กœ ์ ‘๊ทผํ•˜๊ฒŒ ๋˜๋ฉด ์ธ์ ‘ํ•œ ๋ฉ”๋ชจ๋ฆฌ์—์„œ random bit flip์ด ์ผ์–ด๋‚˜๋Š” ์ทจ์•ฝ์„ฑ์„ ์‚ฌ์šฉํ•œ๋‹ค.
    • Rowhammer_attack
    • ์ด๋Ÿฌํ•œ ์ ‘๊ทผ๋“ค์€ DRAM์— ๋„๋‹ฌํ•˜๊ธฐ ์œ„ํ•ด์„œ ๋ชจ๋“  cache๋“ค์˜ level์„ ํ†ต๊ณผํ•ด์•ผ๋งŒํ•˜๊ณ  bitflip์„ ์œ ๋ฐœ์‹œํ‚จ๋‹ค.
    • ์ทจ์•ฝ์ ์ด ์ถ”์ถœ๋œ ๊ณต๊ฒฉ๋“ค์€ ์ด๋ฏธ root๊ถŒํ•œ์„ ์–ป๋Š” ๊ฒƒ์„ ์ฆ๋ช…ํ–ˆ๊ณ , sandbox๋ฅผ ํŒŒ๊ดดํ•˜๋Š” ๊ฒƒ์„ ์ฆ๋ช…ํ–ˆ๋‹ค.
    • Rowhammer์€ ์ถฉ๋ถ„ํ•œ ์ˆ˜์˜ cache hit์™€ cache missess๋ฅผ ์ฆ๋ช…ํ–ˆ๊ณ , ์ด๋Š” Cache Side attack๊ณผ ๋‹ฎ์•˜๋‹ค.

The Flush+Flush Attack

  • cache miss๋ฅผ ๋งŒ๋“ค์ง€ ์•Š๊ณ , ๋งค์šฐ ์ ์€ ์–‘์˜ cache hits๋“ค์„ ๋งŒ๋“ ๋‹ค.
  • Flush+Reload์™€ SW,HW์˜ ๊ฐ™์€ ์ŠคํŽ™์—์„œ ๋ฐœ์ƒ์ด ์ง„ํ–‰๋  ์ˆ˜์žˆ๋‹ค.
  • Attack์€ ๋ฌดํ•œ์˜ ๋ฃจํ”„์—์„œ ์‹คํ–‰๋˜๋ฉด์„œ ์‹คํ–‰๋˜๊ณ , ๊ณ„์†์ ์œผ๋กœ ํƒ€๊ฒŸ๋œ ๊ณต์œ  ๋ฉ”๋ชจ๋ฆฌ ๋ผ์ธ์—๊ฒŒ clflush ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ํ•œ๋‹ค.
  • ๊ณต๊ฒฉ์ž๋Š” clflush ๋ช…๋ น์–ด์˜ ์‹คํ–‰์‹œ๊ฐ„์„ ์ธก์ •ํ•œ๋‹ค.
  • ์‹คํ–‰์‹œ๊ฐ„์„ ํ†ตํ•ด ์ด ๋ฉ”๋ชจ๋ฆฌ ๋ผ์ธ์ด cached ๋˜์—ˆ๋Š”์ง€ ์•„๋‹Œ์ง€๋ฅผ ํŒŒ์•…ํ•œ๋‹ค.
  • attacker๊ฐ€ ์บ์‹œ๋กœ๋ถ€ํ„ฐ ๋ฉ”๋ชจ๋ฆฌ๋ผ์ธ์„ ๋กœ๋“œํ•˜์ง€ ๋ชปํ–ˆ๋‹ค๋ฉด ๋‹ค๋ฅธ ํ”„๋กœ์„ธ์„œ๊ฐ€ ์ด๊ฒƒ์„ ๋กœ๋“œํ–ˆ๋Š”์ง€ ์•ˆํ–ˆ๋Š”์ง€๋ฅผ ๋“œ๋Ÿฌ๋‚ธ๋‹ค.
  • ๋™์‹œ์— clflush๋Š” ์บ์‹œ์—์„œ ๋‹ค์Œ ๊ณต๊ฒฉ ๋ฃจํ”„๋ผ์šด๋“œ๋ฅผ ์œ„ํ•ด์„œ ๋ฉ”๋ชจ๋ฆฌ ๋ผ์ธ์„ ์ถ”์ถœํ•œ๋‹ค.
  • ์ธก์ •์€ rdtsc ๋ช…๋ น์–ด๋กœ cycle์„ ์ธก์ •ํ•œ๋‹ค.
    aaa
  • ๋‹ค์Œํ‘œ์™€ ๊ฐ™์ด cached๊ฐ€ ๋˜์–ด์žˆ์„๋•Œ์™€ ์•„๋‹๋•Œ ์•ฝ 12cycle์ •๋„ ์ฐจ์ด๊ฐ€ ๋‚จ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.
  • Flush+Reload๋ณด๋‹ค cycle์ˆ˜๊ฐ€ ์ฐจ์ด๋‚˜๋Š” ๊ฒƒ์ด ์ ์Œ์œผ๋กœ ๋ณธ์งˆ์ ์œผ๋กœ(inherently) Flush+Flush ๊ณต๊ฒฉ์€ ์ •ํ™•๋„๊ฐ€ ์ ์Œ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.
  • ๊ทธ๋Ÿฌ๋‚˜ ๋ถ€์ฑ„๋„ ๊ณต๊ฒฉ์„ ํ†ตํ•ด ๊ฐ™์€ ์–‘์˜ ์ •๋ณด๋ฅผ ์ถ”์ถœํ•œ๋‹ค๊ณ  ํ–ˆ์„ ๋•Œ ๊ทธ ์†๋„๋Š” ํ™•์—ฐํ•˜๊ฒŒ ๋น ๋ฅธ ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

Detecting Cache Attacks with Hardware Performance Counters

  • Cache hit๊ณผ Cache miss๊ฐ€ ๊ธ‰๊ฒฉํ•˜๊ฒŒ ๋งŽ์•„์ง€๋Š” ๊ฒƒ์€ HPC(OS level)์—์„œ ํƒ์ง€๋  ์ˆ˜ ์žˆ๋‹ค.
  • ํ•˜์ง€๋งŒ ๊ณต๊ฒฉ์„ ๋ง‰๊ธฐ ์œ„ํ•ด์„œ๋Š” ๊ณต๊ฒฉ์ค‘์ธ ํ”„๋กœ์„ธ์Šค๋ฅผ ํ™•์ธํ•˜๋Š” ์ž‘์—…์ด ํ•„์ˆ˜์ ์ด๋‹ค.
  • ๊ทธ๋ž˜์„œ Flush+Flush ๊ณต๊ฒฉ์€ ์ด ํ™•์ธ๋˜์–ด์ง€๋Š” ๊ณผ์ •์„ ํ•  ์ˆ˜ ์—†๊ฒŒ stealthyํ•˜๋‹ค.
  • HPC๋Š” ํŠน๋ณ„ํ•œ ๋ชฉ์ (ํŠน๋ณ„ํ•œ H/W์˜ ์ƒํƒœ๋ฅผ ๊ด€์ธกํ•  ์ˆ˜ ์žˆ๋Š”)์˜ register์ด๋‹ค.
  • HPC๋Š” LLC์—์„œ์˜ cache references์™€ cache miss๋ฅผ ๊ด€์ธกํ•  ์ˆ˜ ์žˆ๋‹ค.
  • Performance tunning์„ ์œ„ํ•ด ๋งŒ๋“ค์–ด์กŒ์ง€๋งŒ, ํ˜„์žฌ Flush+Reload์™€ Rowhammer๋ฅผ ํƒ์ง€ํ•˜๋Š”๋ฐ ์ ํ•ฉํ•œ register๊ฐ€ ๋˜์—ˆ๋‹ค.
  • ํ•˜์ง€๋งŒ Flush+Flush ๊ณต๊ฒฉ์€ Performance counter๋“ค๋กœ๋Š” ํƒ์ง€๊ฐ€ ์‹คํ˜„๋ถˆ๊ฐ€๋Šฅํ•˜๋‹ค.
  • Linux์˜ perf_event_open systemcall interface๋กœ ์ด์šฉ๋˜๋Š” ๊ฒƒ์„ ๋ถ„์„ํ•  ์ˆ˜ ์žˆ๋‹ค. (์ด ์‹œ์Šคํ…œ ์ฝœ์€ ์‚ฌ์šฉ๊ฐ€๋Šฅํ•œ perfourmance counters๋“ค์˜ subset(์ผ๋ถ€๋ถ„)์„ userspace์—์„œ ์ ‘๊ทผ ๊ฐ€๋Šฅํ•˜๊ฒŒ ์ œ๊ณตํ•ด์ฃผ๊ณ , kernel๋‹จ์—์„œ ์ˆ˜ํ–‰๋œ๋‹ค.)(๊ทธ๋ฆฌ๊ณ  ์ด ๋ ˆ์ง€์Šคํ„ฐ๋“ค์€ ํ˜„์žฌ ๊ณต๊ฒฉ์ค‘์ธ ๊ฒƒ์„ ํƒ์ง€ํ•˜๋Š”๋ฐ ์“ฐ์ธ๋‹ค)
  • 23๊ฐœ์˜ h/w์™€ cache performance events๋ฅผ ๋ถ„์„ํ•˜์˜€๊ณ , ์ถ”๊ฐ€์ ์œผ๋กœ C-box๋ผ๊ณ  ๋ถˆ๋ฆฌ๋Š” uncore performance monitoring unit์„ ๋ถ„์„ํ•˜์˜€๋‹ค. (c-box๋Š” clflush ๋ช…๋ น์–ด์™€ ์ง์ ‘์ ์œผ๋กœ ์—ฐ๊ด€๋˜์–ด, cache hits์™€ miss์— ๋Œ€ํ•œ ๊ฒƒ์„ ํ‘œ์‹œํ•ด์ค€๋‹ค.)
    • UNC_CBO_CACHE_LOOKUP event๋Š” LLC์˜ cache slice๋ฅผ ๋ณด๋Š” ๊ฒƒ์„ ํ—ˆ๋ฝํ•˜๋Š” register์ด๋ฉฐC-Box monitoring unit์€ ํฌ๊ด„์ ์ธ interface๋กœ๋Š” ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์„ ๋ฟ๋งŒ์•„๋‹ˆ๋ผ ํŠน๋ณ„ํ•œ ๋ ˆ์ง€์Šคํ„ฐ๋กœ์จ๋„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค.
    • ITLB performance counters๋ฅผ ์‚ฌ์šฉํ–ˆ๋‹ค. ์™œ๋ƒํ•˜๋ฉด Flush+Reload์™€ Rowhammer ๊ณต๊ฒฉ๋“ค์€ ๋ชจ๋‘ ๋งŽ์€ ์ˆ˜์˜ LLC CACHE MISS๋ฅผ ์ผ์œผํ‚ค๊ณ  ์ž‘์€ ๋ถ€๋ถ„์˜ ์ฝ”๋“œ์—์„œ๋งŒ ์‹คํ–‰๋˜๊ธฐ ๋•Œ๋ฌธ์ด๋‹ค. ์ž‘์€ ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•˜๋Š” ๊ฒƒ์€ ITLB์— ์ ์€ ์••๋ฐ•์„ ์•ผ๊ธฐํ•˜๊ธฐ ๋•Œ๋ฌธ์ด๋‹ค.
  • 24๊ฐœ ์ค‘์—์„œ 4๊ฐœ์ •๋„๋งŒ ์˜คํƒ ์—†์ด ๊ณต๊ฒฉ๋“ค์„ ์ฐพ์•„๋‚ผ ์ˆ˜ ์žˆ์—ˆ๋‹ค.
    1. CACHE_MISSES
    2. CACHE_REFERENCES
    3. L1D_RM
    4. LL_RA
  • CACHE_MISSES์™€ CACHE_REFENCE๋กœ๋งŒ์œผ๋กœ๋„ ์ถฉ๋ถ„ํ•˜๋ฉฐ performace counter์™€ ๊ด€๋ จ๋œ C๊ฐ’์ด km๋˜๋Š” kr๋ณด๋‹ค ๋” ํฌ๋‹ค๋ฉด ๊ณต๊ฒฉ์ด ๋˜์—ˆ๋‹ค๊ณ  ์ •์˜ํ•˜์˜€๋‹ค.
    • km , kr์˜ threshold๋Š” malware์˜ maximum distance์™€ minimum value๋ฅผ ํ†ตํ•ด ๋งŒ๋“ค์—ˆ๊ณ , ๊ธฐ๋ณธ application์˜ maximum distance๊ฐ’์„ ํ™•์ธํ•ด์„œ ๊ตฌํ•˜์˜€๋‹ค.
    • km(cache miss, cache reference)
  • Flush+Reload, Prime+Probe, Rowhammer์€ ์ •์ƒ์ ์œผ๋กœ ํƒ์ง€๊ฐ€ ๋˜์—ˆ์ง€๋งŒ, Flush+Flush๋Š” cache miss์™€ cache reference๋ฅผ ์ผ์œผํ‚ค์ง€ ์•Š์Œ์œผ๋กœ ํƒ์ง€๋˜์ง€ ์•Š๋Š”๋‹ค.

Covert Channel Comparison

Side-Channel Attack on User Input

Side-Channel Attack on AES with T-Tables

AES ๊ณต๋ถ€

Discussion

Using clflush to Detect Cores and Cache Slices

Countermeasures

Related work

Detecting and Preventing Cache Attacks

Ussage of Hardware Performance Counters in Security

Cache Covert Channels

Side-Channel Attack on User Inputs

Conclusion


๐ŸŒŸpaper-reviewsecurity-attackcsca Share Tweet +1