Real time detection of cache-based side-channel attacks using hardware performance counters

Official URL: http://risc01.sabanciuniv.edu/record=b1640317 (Table of Contents)

Cache-based side-channel attacks are increasingly exposing the weaknesses of many cryptographic libraries and tools by showing that, even though the algorithms might be considered strong, their implementations often lead to unexpected behaviors that can be exploited to obtain sensitive data, usually encryption keys. In this study we analyze three methods to detect cache-based side-channel attacks in real time, preventing or limiting the amount of leaked information. We focus our efforts on detecting three attacks on the well-known OpenSSL library: one that targets AES, one that targets RSA and one that targets ECDSA. The first method is based on monitoring the involved processes and assumes the victim process is known. By collecting and correlating the monitored data we find out whether there exists an attacker and pinpoint it. The second method uses anomaly detection techniques and assumes the benign processes and their behavior are known. By treating the attacker as a potential anomaly we understand whether an attack is in progress and which process is performing it. The last method is based on employing a neural network, a machine learning technique, to profile the attacker and to be able to recognize when a process that behaves suspiciously like the attacker is running. All the three of them can successfully detect an attack in about one fifth of the time required to complete it. We could not experience the presence of false positives in our test environment and the overhead caused by the detection systems is negligible. We also analyze how the detection systems behave with a modified version of one ofthe spy processes. With some optimization we are confident these systems can be used in real world scenarios.