Two researchers have discovered a new timing channel attack technique that remains effective even if multiple processes are running on a system. Calle
Two researchers have discovered a new timing channel attack technique that remains effective even if multiple processes are running on a system.
Called DABANGG (the Hindi word for fearless), the newly proposed technique improves the effectiveness of flush-based attacks such as Flush+Reload and Flush+Flush, researchers Anish Saxena and Biswabandan Panda from the Indian Institute of Technology Kanpur claim in a research paper.
According to them, the majority of flush-based attacks are accurate in controlled environments, where only the attacker and victim processes run on the system by sharing OS pages. When additional processes are running on multi-core systems, however, the attacks lose efficiency due to noise.
The dynamic nature of core frequency (depending on system load), and the relative placement of victim and attacker threads in the processor (based on logical and physical cores) are the two root causes affecting the accuracy of flush-based attacks, as they affect the cache latency calibration step of the attack.
The two researchers propose a series of refinements that would make “flush attacks resilient to frequency changes and thread placement in the processor, and therefore system noise.”
These refinements apply to pre-attack and attack steps, and ensure latency change awareness. When tested against standard Flush+Reload and Flush+Flush attacks across multiple scenarios (side-channel based keylogging, AES secret key extraction, covert channel, and Spectre), the new technique yields improvements in both F1 score and accuracy, the researchers claim.
These attacks involve flushing a cache line address using clflush, waiting for the flushed address to be accessed, and reloading or flushing the flushed cache line address to measure latency. The issue with these attacks is the precise identification of the difference in execution latency of clflush and reload instructions. Also of high importance in the effectiveness of the attack is the sleep step.
“On average, across eight possible combinations of compute, memory, and I/O noise, a single-character based key-logging attack using LLC as a side-channel show that Flush+Reload and Flush+Flush provide F1 scores of 42.8% and 8.1%, respectively. In a covert channel attack, Flush+Reload and Flush+Flush attacks suffer from maximum error rates of 45% and 53%, respectively,” the researchers say.
The newly proposed technique improves latency calibration and attacker’s waiting (sleeping) strategy, thus ensuring that the cache access latency threshold remains consistent and resilient to system noise.
Proposed DABANGG refinements include the use of calibration tools to “capture the stepped frequency distribution of the processor while distinguishing a cache hit from a miss;” the use of victim-specific parameters to identify the victim’s memory access pattern; and the use of compute-intensive functions for “a better grip over waiting period.”
By employing these refinements, the researchers argue, the attacker becomes frequency-aware and victim-aware. By making the attacker aware of the victim’s behavior, the effectiveness of the attack can be increased, the researchers say.
DABANGG is a timing channel attack that is resilient to system noise and can improve the effectiveness of attacks such as Spectre (which uses a cache covert channel). The attack works with both Intel and AMD processors and can be used even against non-Linux systems.
Essentially, DABANGG attacks are flush-based attacks, meaning that all of the mitigation techniques that apply to Flush+Reload and Flush+Flush attacks are applicable to DABANGG refined attacks.
“The improved, noise resilient DABANGG-enabled attacks pose a significant challenge to the micro-architectural security community. DABANGG-enabled attacks have all of the perks of flush based attacks while being significantly more accurate and precise, making the flush based attacks more practical,” the researchers conclude.