DOI: 10.1145/3214292.3214293
research-article

NIGHTs-WATCH: a cache-based side-channel intrusion detector using hardware performance counters

Published: 02 June 2018

Abstract

This paper presents a novel run-time detection mechanism, called NIGHTs-WATCH, for access-driven cache-based Side-Channel Attacks (SCAs). It comprises multiple machine learning models, which use real-time data from hardware performance counters for detection. We perform experiments with two state-of-the-art SCAs (Flush+Reload and Flush+Flush) to demonstrate the detection capability and effectiveness of NIGHTs-WATCH. We provide an experimental evaluation under realistic system load conditions and analyze results on detection accuracy, speed, system-wide performance overhead and the confusion matrix for the models used. Our results show detection accuracy of 99.51%, 99.50% and 99.44% for the Flush+Reload (F+R) attack under no, average and full load conditions, respectively, with performance overhead of < 2% at the highest detection speed, i.e., within 1% completion of a single RSA encryption round. For Flush+Flush, our results show 99.97%, 98.74% and 95.20% detection accuracy under no load, average load and full load conditions, respectively, with performance overhead of < 2% at the highest detection speed, i.e., within 12.5% completion of the 400 AES encryption rounds needed to complete the attack. NIGHTs-WATCH shows considerably high detection efficiency under variable system load conditions.

Published In

HASP '18: Proceedings of the 7th International Workshop on Hardware and Architectural Support for Security and Privacy
June 2018
84 pages
ISBN: 9781450365000
DOI: 10.1145/3214292

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. machine learning
2. performance counters
3. side channel attacks

Qualifiers

Research-article

Conference

HASP '18

Acceptance Rates

Overall Acceptance Rate: 9 of 13 submissions, 69%
