ZeroShield: Transparently Mitigating Code Page Sharing Attacks With Zero-Cost Stand-By
Pages 7389–7403
Abstract
Many cache side-channel techniques let an attacker mount a cross-VM cache side-channel attack by sharing code pages with the victim. Most prior defenses, however, are either costly or hard to deploy, which limits their use in practice. This paper introduces ZeroShield, an adaptive and transparent hypervisor-level approach against the code page sharing attack, a subset of cache side-channel attacks, whether the attacker runs inside the same virtual machine (VM) as the victim or in another VM. By examining the "by-products" a code page sharing attack leaves behind, ZeroShield tracks the attacker's accesses to security-sensitive code pages using hardware virtualization features, namely the Intel extended page table (EPT) together with the CR3 register. With this information it keeps those pages under continuous observation while coping with complex OS and hypervisor behaviour. ZeroShield is attack-aware by design: it deploys protection only on demand, so in theory the system incurs negligible overhead when no attacker is present. Our evaluation confirms that ZeroShield defeats code page sharing attacks without any performance penalty in the absence of attackers and with an overhead below 3.8% while an attacker is active. ZeroShield's standby state is therefore cost-free, and it requires no changes to applications, the guest OS, or hardware, which makes it a practical default defense against code page sharing attacks in real-world cloud environments.
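The following Python model is an added example, not code from the paper: it shows why a deduplicated code page gives an attacker a Flush+Reload channel, and what an on-demand, EPT-style mitigation buys when it hands a foreign address space (identified by its CR3 value) a private copy of a sensitive frame. The CR3 values, page offsets, page contents and the rate heuristic (a non-owner CR3 trapping on one sensitive frame more than PROBE_THRESHOLD times within WINDOW ticks) are assumptions made for this illustration; the paper does not describe its detection rule at this level.

```python
"""Constructed model of a code-page-sharing cache side channel and an
on-demand, EPT-style mitigation.  Not the ZeroShield implementation; the
attack heuristic below is an assumption for illustration only.

Two VMs map byte-identical copies of a crypto library.  A KSM-style pass
merges them into one physical frame, so both VMs now share cache lines.
The attacker runs Flush+Reload on the line holding the "multiply" routine
and learns, per exponent bit, whether the victim executed it.  The
mitigation maps the victim's sensitive frame without permission for every
other CR3: a foreign access raises an EPT violation, and once violations
exceed a rate threshold that CR3 gets a private copy, closing the channel.
The owner's own accesses never trap, so it pays nothing while nobody probes.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

LINE = 64
PROBE_THRESHOLD = 8   # assumed heuristic: foreign traps on one frame within WINDOW
WINDOW = 16           # logical clock ticks (one tick per memory access)
VICTIM_CR3, ATTACKER_CR3 = 0x1000, 0x2000   # constructed page-table roots
MUL_OFF, SQR_OFF = 0x100, 0x900             # constructed offsets of multiply/square code


@dataclass
class Frame:
    data: bytes
    cached: set = field(default_factory=set)   # cache-line indexes present in the LLC


class Hypervisor:
    def __init__(self):
        self.frames = []
        self.ept = {}                     # (cr3, gpa) -> frame index (second-level map)
        self.owner = {}                   # sensitive frame index -> owning cr3
        self.traps = defaultdict(deque)   # (cr3, frame index) -> violation timestamps
        self.unshared = []                # (cr3, gpa) pairs that received a private copy
        self.clock = 0

    def alloc(self, cr3, gpa, data):
        self.frames.append(Frame(data))
        self.ept[(cr3, gpa)] = len(self.frames) - 1

    def dedup(self):
        """KSM-style merging: identical frames collapse into one shared frame."""
        first = {}
        for key, idx in self.ept.items():
            self.ept[key] = first.setdefault(self.frames[idx].data, idx)

    def mark_sensitive(self, cr3, gpa):
        self.owner[self.ept[(cr3, gpa)]] = cr3

    def _resolve(self, cr3, gpa):
        """EPT walk for one access; a non-owner touching a sensitive frame traps."""
        self.clock += 1
        idx = self.ept[(cr3, gpa)]
        if self.owner.get(idx, cr3) != cr3:          # EPT violation for this cr3
            hist = self.traps[(cr3, idx)]
            hist.append(self.clock)
            while hist[0] < self.clock - WINDOW:      # keep a sliding window
                hist.popleft()
            if len(hist) >= PROBE_THRESHOLD:          # looks like Flush+Reload probing
                self.frames.append(Frame(self.frames[idx].data))  # private, cold copy
                idx = self.ept[(cr3, gpa)] = len(self.frames) - 1
                self.unshared.append((cr3, gpa))
        return idx                                    # otherwise the access proceeds

    def touch(self, cr3, gpa, off):
        """Load or execute: brings the line into the shared LLC."""
        self.frames[self._resolve(cr3, gpa)].cached.add(off // LINE)

    def flush(self, cr3, gpa, off):
        """clflush: evicts the line from the cache hierarchy."""
        self.frames[self._resolve(cr3, gpa)].cached.discard(off // LINE)

    def reload(self, cr3, gpa, off):
        """Timed reload: True means the line was already cached (a fast access)."""
        frame = self.frames[self._resolve(cr3, gpa)]
        hit = off // LINE in frame.cached
        frame.cached.add(off // LINE)
        return hit


def build(mitigated):
    hv = Hypervisor()
    libcrypto = bytes(range(256)) * 16      # constructed 4 KiB page content
    hv.alloc(VICTIM_CR3, 0x7000, libcrypto)
    hv.alloc(ATTACKER_CR3, 0x9000, libcrypto)
    hv.dedup()                               # both VMs now back the same frame
    if mitigated:
        hv.mark_sensitive(VICTIM_CR3, 0x7000)
    return hv


def flush_reload(secret_bits, mitigated):
    """Victim runs square-and-multiply; attacker probes the multiply line per bit."""
    hv = build(mitigated)
    observed = []
    for bit in secret_bits:
        hv.flush(ATTACKER_CR3, 0x9000, MUL_OFF)
        hv.touch(VICTIM_CR3, 0x7000, MUL_OFF if bit else SQR_OFF)
        observed.append(int(hv.reload(ATTACKER_CR3, 0x9000, MUL_OFF)))
    return observed, hv.unshared


def benign_sharing(reads):
    """A second VM reading the shared page at a normal rate keeps sharing it."""
    hv = build(mitigated=True)
    for _ in range(reads):
        hv.touch(ATTACKER_CR3, 0x9000, SQR_OFF)
        for _ in range(4):                     # victim activity between reads
            hv.touch(VICTIM_CR3, 0x7000, SQR_OFF)
    return hv.unshared


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
    print("no mitigation:", flush_reload(secret, False))
    print("mitigated:    ", flush_reload(secret, True))
    print("benign reader:", benign_sharing(20))
```

Without mitigation the attacker recovers every bit; with the sensitive frame watched, the first few probes still leak (the heuristic needs a few violations before it decides), after which the attacker is probing its own private copy and every reload misses. The benign reader never crosses the threshold and keeps the memory saving, which is the trade-off a rate-based rule makes: a false positive only costs one duplicated page.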
Published In
1556-6021 © 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Publisher
IEEE Press
Publication History
Published: 01 January 2024
Qualifiers
- Research-article