SpyCatcher: lightweight online approaches for detecting cache-based side channel attacks

Official URL: http://risc01.sabanciuniv.edu/record=b1606647 (Table of Contents)

With the increasing complexity of cryptographic algorithms, attackers are looking for side channels to compromise private data. While attackers are tracking side channels, they leave traces behind them unintentionally. In this work, we concentrated on Flush+Reload type of attacks which is aimed to retrieve private data by using intentional contentions on shared resource. Our shared resource is 11 Data Cache of CPU. The trace of attackers on shared resource is a great asset for extraction of utilization pattern which is strong indicator for presence of attacker in the system. For this reason we collected data and extract utilization characteristics of the resource by using hard­ ware performance counters. In this work, by taking the advantage of machine learning approaches, we make a decision on running applications, whether attacker application is one of them or not. Smarter attackers may flush cache partially in order to minimize footprint on shared resource. Workload level is another significant factor that alters the utilization profile of shared resource. For this reason, we experimented our approaches under 4 different levels of partial cache flush and 7 different workload level which mimics e-commerce server load. Our approach is able to detect the presence of attacker with higher than 85% accuracy and lower than 0.5% average execution time overhead.