KR102817178B1 - Method and Apparatus for protecting caches from side-channel attacks - Google Patents

Abstract

As a preferred embodiment of the present invention, a device for defending against cache-based side-channel attacks adds a shared DRAM L4 cache and adds bypass bits to L1, L2, and L4 caches to apply an LLC bypass policy to cache blocks that are targets of flush-reload attacks, thereby neutralizing attacks targeting the shared cache.

Description

{Method and Apparatus for protecting caches from side-channel attacks}

The present invention relates to cache-based side-channel attack defense.

Modern processors often have caches that can store copies of data and instructions stored in large memory. A common example of such large memory is dynamic random access memory (DRAM). Here, the term "memory" is used collectively to refer to all existing and future memory implementations. Cache memory (or simply "cache") is a memory that is much smaller and much faster than other memory implementations and can store only a portion of the data that would otherwise be stored in main memory or secondary storage at any given time. Today, caches are often implemented using SRAM, although large caches can be implemented using DRAM. The caches described herein can be implemented using any existing or future memory technology. While the architectural definition of a processor may include providing enhanced reporting capabilities to protect against security attacks, many dependent functions (e.g., microarchitecture) such as cache implementations may not include protections and thus may be vulnerable to attacks.

[1] Liu, Fangfei, et al. “Catalyst: Defeating last-level cache side channel attacks in cloud computing.” 2016 IEEE international symposium on high performance computer architecture (HPCA). IEEE, 2016. [2] Kayaalp, Mehmet, et al. “RIC: relaxed inclusion caches for mitigating LLC side-channel attacks.” 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC). IEEE, 2017. [3] Liu, Fangfei, and Ruby B. Lee. “Random fill cache architecture.” Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture. IEEE Computer Society, 2014.

In a preferred embodiment of the present invention, we propose a method for defending against cache-based side-channel attacks in all attacker applications.

In a preferred embodiment of the present invention, a method for defending against cache-based side-channel attacks is proposed by modifying a cache block that may be a target of a cache-based side-channel attack so that it cannot enter a final level cache (LLC).

In a preferred embodiment of the present invention, a method is proposed to defend against cache-based side-channel attacks by modifying the DRAM cache so that all processes experience the time it takes to access the DRAM cache when accessing the cache block by restricting the eviction of cache blocks in the DRAM cache using the clflush command.

In a preferred embodiment of the present invention, a method is proposed to defend against cache-based side-channel attacks regardless of whether data is writable or shared.

As a preferred embodiment of the present invention, a device for defending against a cache-based side-channel attack further includes a shared DRAM cache; wherein the memory hierarchy is implemented to further include a bypass bit, in which case each cache block of the shared DRAM cache includes a bypass bit to indicate whether an attacker application performs a side-channel attack on a victim application; and when the victim application loads at least one cache block from the shared DRAM cache, each of the bypass bits in the at least one cache block is checked; and when the attacker application performs a flush-reload attack and then performs a reload, all of the cache blocks on which the flush-reload attack was performed are loaded into the shared DRAM cache, so that an access time for at least one cache block on which the flush-reload attack was performed by the attacker application is the same regardless of whether the victim application accesses it.

As a preferred embodiment of the present invention, a device for defending against a cache-based side-channel attack is characterized in that, when loading at least one cache block from the shared DRAM cache, if the cache block is confirmed to have a bypass bit value of 1 and a side-channel attack is confirmed, the cache block is loaded into the private cache by bypassing the shared final level cache, and if the cache block is not confirmed to have a bypass bit value of 0 and a side-channel attack is not confirmed, the cache block is loaded into the shared final level cache. In this case, the private cache is an L1 cache or an L2 cache, and the device is characterized in that the bypass bit value is changed from 0 to 1 when loading a cache block confirmed to have a side-channel attack.

As a preferred embodiment of the present invention, a device for defending against a cache-based side-channel attack includes a private cache; and a SRAM-based shared last-level cache (LLC); and implements a memory hierarchy to further include a shared DRAM cache; wherein the private cache and the shared DRAM cache include a bypass bit and determine whether an attacker application performs a side-channel attack on a victim application using the bypass bit value, and when the attacker application performs a flush-reload attack and then performs a reload, at least one of the cache blocks on which the flush-reload attack was performed are all loaded into the shared DRAM cache, so that an access time for at least one cache block on which the flush-reload attack was performed by the attacker application is the same regardless of whether the attacker application accesses it, making it impossible to determine an access pattern and an execution pattern of the victim application. In this case, the attacker application performs the flush-reload attack using the clflush command, and when the clflush command is executed, the cache blocks in the private cache and the shared final level cache can be evicted, but the cache blocks in the shared DRAM cache are not evicted, and only information on whether clflush has been performed is displayed using the bypass bit.

In another preferred embodiment of the present invention, a method for defending against a cache-based side-channel attack is characterized by comprising: a step of using a memory hierarchy including a private cache, an SRAM-based shared final-level cache, and a shared DRAM cache; a step of indicating whether an attacker application has performed a flush-reload attack on a victim application by using a bypass bit included in a cache block of the shared DRAM cache; a step of checking each of the bypass bits in the at least one cache block when the victim application loads at least one cache block from the shared DRAM cache; and a step of loading a cache block on which a flush-reload attack has been performed by bypassing the SRAM-based shared final-level cache as a result of checking the bypass bit into a private cache of the victim application core, and loading a cache block on which a flush-reload attack is not detected into the SRAM-based shared final-level cache.

As a preferred embodiment of the present invention, the attacker application can execute the flush attack using the clflush command, in which case, blocks in the private cache of the attacker application, the SRAM-based shared final level cache, are evicted, but blocks in the shared DRAM cache are not evicted, and information on whether the flush-reload attack is executed is provided using a bypass bit in a cache block in the shared DRAM cache.

As a preferred embodiment of the present invention, when the value of a bypass bit in a cache block in a shared DRAM cache is "1", it indicates that a flush-reload attack has been executed, and in this case, the private cache is characterized in that the value of the bypass bit in the private cache is also displayed as "1" while loading a cache block in the shared DRAM cache having the value of the bypass bit as "1".

As a preferred embodiment of the present invention, the attacker application is characterized in that when performing a flush-reload attack and then performing a reload, at least one cache block on which the flush-reload attack was performed is loaded into the shared DRAM cache, so that an access time for at least one cache block on which the flush-reload attack was performed by the attacker application is the same regardless of whether the victim application accesses it, making it impossible to determine an access pattern and an execution pattern of the victim application.

In a preferred embodiment of the present invention, there is an effect of defending against all victim applications that may be subject to cache-based side-channel attacks through modification of only hardware, without modification of separate software.

In a preferred embodiment of the present invention, there is an effect of defending against cache-based side-channel attacks by modifying cache blocks that may be targets of cache-based side-channel attacks so that they cannot enter the final level cache (LLC).

In a preferred embodiment of the present invention, by restricting the eviction of cache blocks within the DRAM cache by the clflush command, it is possible to defend against cache-based side-channel attacks by modifying the method so that all processes experience the time required to access the DRAM cache when accessing the corresponding cache block.

In a preferred embodiment of the present invention, there is an effect of being able to defend against cache-based side-channel attacks regardless of whether data is writable or shared.

FIGS. 1 to 3 illustrate a method for neutralizing a flash reload attack in a device defending against a cache-based side-channel attack, as a preferred embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method for defending against a cache-based side-channel attack, as a preferred embodiment of the present invention.

The present invention can have various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail through the detailed description. However, this is not intended to limit the present invention to specific embodiments, and it should be understood that the present invention includes all modifications, equivalents, and substitutes included in the spirit and technical scope of the present invention.

The memory system of a computer system may include a large, slow cache close to the main memory and a small, fast cache close to the processor. The organization of these caches can be generally referred to as a cache hierarchy, a memory hierarchy, or a memory system. Each level of the cache hierarchy can be referred to as a cache level.

When designing a cache system, it can be important to avoid vulnerabilities to security attacks such as side-channel attacks. A type of side-channel attack, the flush+reload attack, is an attack in which the attacker learns the victim's command execution pattern and obtains the victim's secret encryption key without authorization.

An example of a technique to defend against such flush-reload attacks is Liu, Fangfei, et al. "Catalyst: Defeating last-level cache side channel attacks in cloud computing." 2016 IEEE international symposium on high performance computer architecture (HPCA). IEEE, 2016. This method uses CAT, a feature of Intel CPUs, to physically isolate data that needs to be safely protected through cache partitioning, thereby neutralizing flush-reload attacks. However, this method has a disadvantage in that it is only supported by some processors that support CAT.

Another technique, Kayaalp, Mehmet, et al. "RIC: relaxed inclusion caches for mitigating LLC side-channel attacks." 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC). IEEE, 2017, uses a method that changes the cache policy so that read-only data is not stored in LLC, so that when an attacker application accesses cache blocks, which are the main targets of flush-reload attacks, it always experiences a long memory access time regardless of whether the attacker application accesses them. This method has a disadvantage in that it limits the data to read-only data.

In one embodiment of the present invention, we aim to defend against all victim applications that may be the target of a cache-based side-channel attack without modifying separate software or hardware, without having to designate a virtual machine or process. In addition, we propose a method for defending against a cache-based side-channel attack by modifying a cache block that may be the target of a cache-based side-channel attack so that it does not enter the final level cache (LLC).

FIGS. 1 to 3 illustrate a method for neutralizing a flash reload attack in a device defending against a cache-based side-channel attack, as a preferred embodiment of the present invention.

The clflush command used in a preferred embodiment of the present invention refers to a command that evicts blocks in the L1 to L3 caches, but does not evict blocks in the shared L4 cache, and leaves information on whether clflush has been performed or not using a bypass bit. When the bypass bit is "1", it indicates that clflush has been performed, and when the bypass bit is "0", it indicates that clflush has not been performed.

As a preferred embodiment of the present invention, a device for defending against a cache-based side-channel attack includes at least one private cache (130), an SRAM-based shared cache (140), and a memory hierarchy implemented to further include a shared DRAM cache (150). In addition, each cache block of the shared DRAM cache (150) includes a bypass bit (151a) to indicate whether an attacker application has performed a side-channel attack on a victim application. When the bypass bit is "1", it indicates that a side-channel attack has occurred, and when the bypass bit is "0", it indicates that there has been no side-channel attack.

As a preferred embodiment of the present invention, the private cache (130) can be implemented as an L1 cache or an L2 cache, the SRAM-based shared cache (140) can be implemented as an L3 cache, and the shared DRAM cache (150) can be implemented as an L4 cache.

As a preferred embodiment of the present invention, the victim application checks each of the bypass bits in at least one cache block when loading at least one cache block from the shared DRAM cache. Then, if the bypass bit is "1", the corresponding cache block is loaded into the private cache (130) by bypassing the final level cache (140) and changes the bypass bits (131b, 131c) of the private cache from "0" to "1". The victim application can be implemented to load the corresponding cache block into the final level cache (140) if the bypass bit is "0".

Referring to FIGS. 1 to 3, a method for defending a cache-based side-channel attack by a device (100) defending against a flush reload attack as a preferred embodiment of the present invention is described. As a preferred embodiment of the present invention, FIG. 1 shows a process of performing an eviction through a "clush" command in an attacker application, FIG. 2 shows a process of waiting after a "clflush" command, and FIG. 3 shows a process of performing a reload in an attacker application.

Referring to FIG. 1, it is assumed that the attacker application (110) is in “Core 0” (111) and the victim application (120) is in “Core 1” (121), and that the attacker application (110) performs a flush-reload attack on cache blocks A and B.

The attacker application (110) attempts to evict cache blocks A and B using the "clflush" command (S110). In this case, in the shared DRAM cache (150) in which cache blocks A and B are stored, the bypass bit in cache blocks A and B (151a) is set from "0" to "1".

Referring to FIG. 2, when the victim application (120) loads a cache block in the shared DRAM cache (150) (S130), it checks the bypass bit (151b) in each cache block. If the bypass bit (151b) is "1" as a result of the check, the final level cache bypass policy is applied to the cache block A that is the target of clflush (S140) to neutralize the flush reload attack. Then, the cache block A is loaded into the private cache of the victim core (121), and the bypass bit included in the cache block A of the private cache is set to "1" (S131c). If the bypass bit of the cache block A in the shared DRAM cache (150) is "0", the cache block A is loaded into the final level cache.

FIG. 3 shows a process of accessing cache blocks A and B in the shared DRAM cache (150) again for reloading after waiting for a certain period of time following the “clflush” command in the attacker application. Since cache blocks A and B do not exist in the final level cache (140), the attacker application (110) must access the shared DRAM cache (150). If the final level cache (140) is implemented as an L3 cache and the shared DRAM cache (150) is implemented as an L4 cache, the attacker application (110) requires additional access time.

In addition, since the cache blocks A and B on which the flush attack was performed are both loaded into the shared DRAM cache (150) when the attacker application (110) performs a reload after performing a flush attack, the access time for the cache blocks A and B on which the flush attack was performed by the attacker application (110) becomes the same regardless of whether the victim application (120) accesses them. Therefore, the attacker application (110) cannot determine the access pattern and execution pattern of the victim application (120), and thus the flush reload attack fails.

FIG. 4 is a flowchart illustrating a method for defending against a cache-based side-channel attack, as a preferred embodiment of the present invention.

As a preferred embodiment of the present invention, a method for defending against a cache-based side-channel attack uses a device that utilizes a memory hierarchy including a hardware-based private cache, an SRAM-based shared cache, and a shared DRAM cache (S410).

When an attacker application attempts to evict at least one cache block in a shared DRAM cache, the shared DRAM cache sets the internal bypass bit value of at least one clflushed cache block to "1" without evicting the cache blocks (S420). Thereafter, while the attacker application is idle, when the victim application loads at least one cache block from the shared DRAM cache, the bypass bit in each cache block is checked (S430). When the bypass bit value is "1", the victim application determines that the cache block is a clflushed cache block and loads the cache block into the private cache of the victim application core, bypassing the final level cache. Other cache blocks for which no flush attack is detected are loaded into the final level cache (S440).

The key features of the present disclosure, including the exemplary embodiments discussed and presented in the drawings, may be implemented in a variety of architectures. In one embodiment, the cache may be controlled, accessed, or stored by one or more software components, such as threads or processes, running on one or more processors. In one embodiment, a software library, such as a set of instructions stored in a memory, may be stored in the memory and accessed by threads and/or applications of the process and/or operating system. In one embodiment, a set of instructions stored on a non-transitory computer-readable medium may be executed by the processor. In one embodiment, the cache may be controlled, accessed, or stored by one or more hardware devices. In one embodiment, such hardware devices may include processing circuitry, such as, but not limited to, one or more processors, each having one or more processor cores. Such a processor may be at least one of a central processing unit (CPU), a graphics processing unit (GPU), a core of a multi-core CPU or a multi-core GPU, an arithmetic logic unit (ALU), a digital signal processor, a microcontroller, a system-on-chip (SoC), a field programmable gate array (FPGA), a programmable logic array (PLA), an application specific integrated circuit (ASIC), a modular logic device, a packaged logic chip, and/or any other device capable of responding to and executing instructions in a defined manner. In one embodiment, the cache may be stored, accessed, or stored by a combination of the same type or different types of configurations. For example, the configuration may be a plurality of processors, processing cores of a single processor, processing cores of a multiprocessor computer, two or more processors operating in series (e.g., a CPU and a GPU, a CPU utilizing an ASIC), and/or software executed by the processor. Example embodiments may include a configuration of a single device, such as a computer, that includes one or more CPUs that store, access, and manage a cache. An embodiment may include components of multiple devices, such as two or more devices that include CPUs that communicate to access and/or manage a cache. An embodiment may include a server computing device, a server computer, a connection of server computers, a server farm, a cloud computer, a content platform, a mobile computing device, a smart phone, a tablet, or a set-top box. An embodiment may include components that communicate directly (e.g., two or more cores of a multi-core processor) and/or components that communicate indirectly (e.g., via a bus, via a wired or wireless channel or network, via an intermediate component such as a microcontroller or an arbiter). An embodiment may feature multiple instances of a cache manager, each of which is executed by the device or component, which instances may be executed concurrently, sequentially, and/or in an interleaved manner. One embodiment may feature distribution of instances of a cache manager across two or more devices or components.

A preferred embodiment of the present invention may include components that include a cache and computer-readable instructions stored in a memory. Non-limiting examples of memory may include, but are not limited to, a rewritable non-volatile memory device (e.g., a flash memory device, an erasable programmable read-only memory device, or a masked read-only memory device), a volatile memory device (e.g., a static random access memory device (SRAM), a dynamic random access memory device (DRAM)), a magnetic storage medium (e.g., an analog or digital magnetic tape, a hard disk drive), and an optical storage medium (e.g., a CD, a DVD, or a Blu-ray disc). Examples of memory having a rewritable non-volatile memory device embedded therein include, but are not limited to, a memory card, a medium having a read only memory (ROM) embedded therein. One embodiment may include random access memory (RAM), ROM, a persistent mass storage device (e.g., a disk drive), and/or any other similar data storage mechanism capable of storing and recording data. The memory may be configured to store computer programs, program codes, instructions, or a combination thereof for implementing one or more operating systems and/or the exemplary embodiments described herein. The memory may include a universal serial bus (USB) flash drive, a memory stick, a Blu-ray/DVD/CD-ROM drive, a memory card, and/or other similar computer-readable storage media. In one embodiment, the cache, the computer programs, program codes, instructions, and/or a combination thereof may be loaded from remote data storage devices via a network interface into one or more local memories and/or one or more local processors. In one embodiment, the cache, the computer programs, program codes, instructions, and/or a combination thereof may be loaded from another local memory and/or another local processor or other component.

While the present invention has been described above with respect to a specific exemplary computer architecture, caching may exist in many other settings, both internal and external to a computer system, and the embodiments described herein are equally applicable to such other situations. An example of such a use case is a virtual memory system that caches data from a slower mass storage device, such as a disk or flash memory, to a faster and smaller mass storage device, such as one implemented using DRAM. Other examples of caching in a computer system include, but are not limited to, disk caching, web caching, and name caching. The organization and caching mechanisms of such caches may differ from the organization and caching mechanisms of the caches discussed above, such as differences in the sizes of sets, implementations of sets and associativity, etc. Regardless of the implementation of the caching mechanism itself, it is equally applicable to implementing various caching schemes.

While the disclosed embodiments describe systems and methods related to, for example, various cache hierarchies, the embodiments of the present disclosure are not limited to the description, and the described embodiments may include alternatives, modifications, and equivalents included within the spirit and scope of the present invention. Although features and elements of the present embodiments are described in particular combinations in the embodiments, each feature or element may be used alone or in various combinations with or without other features and elements of the embodiments disclosed herein. The methods or flowcharts provided in the present application may be implemented as a computer program, software, or firmware tangibly embodied in a computer-readable storage medium for execution by a general purpose computer or processor.

Although the present invention has been described with reference to the embodiments shown in the drawings, these are merely exemplary, and those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. Accordingly, the true technical protection scope of the present invention should be determined by the technical idea of the appended claims.

Claims (15)

As a device to defend against cache-based side-channel attacks,
private cache;
SRAM-based shared cache; and
Shared DRAM cache;
Including,
The above private cache is implemented as an L1 cache or an L2 cache, the above SRAM-based shared cache is implemented as an L3 cache, and the above shared DRAM cache is implemented as an L4 cache, thereby implementing the memory hierarchy of the device.
Each cache block of the above shared DRAM cache includes a bypass bit,
The above bypass bit indicates whether the attacker application is performing a side-channel attack on the victim application.
The above device,
When loading at least one cache block from the shared DRAM cache, if the bypass bit value corresponding to the cache block is 1, the cache block for which a side-channel attack has been confirmed is loaded into the private cache by bypassing the SRAM-based shared cache,
A device for defending against a cache-based side-channel attack, characterized in that when loading at least one cache block, if the bypass bit value corresponding to the cache block is 0, the cache block for which a side-channel attack has not been confirmed is loaded into the SRAM-based shared cache. delete In paragraph 1,
Each cache block of the above private cache includes a bypass bit,
A device for defending against a cache-based side-channel attack, characterized in that when loading at least one cache block, if the bypass bit value of the shared DRAM cache corresponding to the at least one cache block is 1, the bit value of the bypass bit of the private cache changes from 0 to 1. As a device to defend against cache-based side-channel attacks,
private cache;
SRAM-based shared cache; and
Shared DRAM cache;
Including,
The above private cache is implemented as an L1 cache or an L2 cache, the above SRAM-based shared cache is implemented as an L3 cache, and the above shared DRAM cache is implemented as an L4 cache, thereby implementing the memory hierarchy of the device.
Each cache block of the above private cache and the above shared DRAM cache includes a bypass bit,
The above device,
Using the bit value of the above bypass bit, it is determined whether the attacker application is performing a side-channel attack on the victim application.
A device for defending against a cache-based side-channel attack, characterized in that when the attacker application performs a reload after performing a flush attack, at least one cache block on which the flush attack was performed is loaded into the shared DRAM cache, so that an access time for at least one cache block on which the flush attack was performed by the attacker application is the same regardless of whether the victim application accesses it, so that the access pattern and execution pattern of the victim application cannot be determined. In paragraph 4,
A device for defending against a cache-based side-channel attack, characterized in that the victim application loads each cache block into the private cache of the victim application or the SRAM-based shared cache according to the bypass bit value of each of at least one cache block of the shared DRAM cache. In paragraph 5,
A device for defending against a cache-based side-channel attack, characterized in that the bypass bit value of each of at least one cache block of the shared DRAM cache is displayed as 1 if the attacker application performs the flush attack on the victim application, and 0 otherwise. In paragraph 5,
A device for defending against a cache-based side-channel attack, characterized in that a cache block in which the bypass bit value is indicated as 1 is loaded into the private cache of the attacker application by bypassing the SRAM-based shared cache, and the bit value of the bypass bit of the private cache is changed from 0 to 1. In paragraph 5,
A device for defending against a cache-based side-channel attack, characterized in that a cache block in which the bypass bit value is marked as 0 is loaded into the SRAM-based shared cache of the attacker application. In paragraph 4,
The above attacker application performs the flush attack using the clflush command,
A device for defending against a cache-based side-channel attack, characterized in that when the clflush command is executed, cache blocks of the private cache and the SRAM-based shared cache are flushed, but cache blocks in the shared DRAM cache are not flushed, and whether the clflush command has been executed is indicated through a bypass bit of the shared DRAM cache. A method of operating a device including at least one processor, a private cache, a SRAM-based shared cache and a shared DRAM cache,
A step of indicating whether an attacker application performs a flush attack on a victim application by using a bypass bit included in a cache block of the above shared DRAM cache;
When loading at least one cache block from the shared DRAM cache in the attacker application, a step of checking each of the bypass bits in the at least one cache block; and
A step of loading a cache block on which a flush attack has been performed into the private cache of the victim application by bypassing the SRAM-based shared cache as a result of verifying the above bypass bit, and loading a cache block on which a flush attack has not been detected into the SRAM-based shared cache;
Including,
A method for defending against a cache-based side-channel attack, characterized in that the memory hierarchy of the device is implemented by implementing the private cache as an L1 cache or an L2 cache, the SRAM-based shared cache as an L3 cache, and the shared DRAM cache as an L4 cache. In Article 10,
The above attacker application performs the flush attack using the clflush command,
The cache blocks of the private cache and the SRAM-based shared cache of the above-mentioned victim application are flushed, but the cache blocks of the shared DRAM cache are not flushed.
A method characterized in that whether the clflush command has been performed is indicated through a bypass bit of the shared DRAM cache. In Article 10,
If the bypass bit value of the cache block of the above shared DRAM cache is 1, it indicates that a flush attack has been performed.
A method characterized in that when loading at least one cache block from the shared DRAM cache, if the bypass bit value of the shared DRAM cache corresponding to the at least one cache block is 1, the bit value of the bypass bit of the private cache is changed from 0 to 1. In Article 11,
The above device,
A method characterized in that, when the attacker application performs a flush attack and then performs a reload, at least one cache block on which the flush attack was performed is loaded into the shared DRAM cache, so that the access time for at least one cache block on which the flush attack was performed by the attacker application is the same regardless of whether the victim application accesses it, so that the access pattern and execution pattern of the victim application cannot be determined. delete A computer-readable storage medium characterized by recording a program for executing a method for defending against a cache-based side-channel attack as claimed in any one of claims 10 to 13.

Images