SpyDetector: an approach for detecting side-channel attacks at runtime

Külah, Yusuf and Dinçer, Berkay and Yılmaz, Cemal and Savaş, Erkay (2019) SpyDetector: an approach for detecting side-channel attacks at runtime. International Journal of Information Security, 18 (4). pp. 393-422. ISSN 1615-5262 (Print) 1615-5270 (Online)

This is the latest version of this item.

Full text not available from this repository. (Request a copy)


In this work, we first present a low-cost, anomaly-based semi-supervised approach, which is instrumental in detecting the presence of ongoing side-channel attacks at runtime. We are, in particular, concerned with attacks that are carried out by creating intentional contentions in shared resources with cryptographic applications using a spy process. At a very high level, the approach quantifies contentions in shared resources, associates these contentions with processes, such as with a victim process, and issues a warning at runtime whenever the contentions reach a suspicious level. We then adapt this approach to detect the presence of four different types of cache-based side-channel attacks, namely prime-and-probe attacks on advanced encryption standard (AES), flush-and-reload attacks on AES and elliptic curve digital signature algorithm with Montgomery ladder algorithm, and Flush+Flush attacks on AES. To this end, we vary the shared resources monitored, the level of granularity at which the contentions in these resources are quantified, and the way the suspicious levels of contentions are detected. We evaluate the proposed approach also in cross-virtual machine setups (when applicable). The results of our experiments support our basic hypothesis that spy processes, which leverage information leaked by cryptographic applications through some shared resources, ironically leak information by themselves through the same or related channels, which can be analyzed to detect the presence of ongoing attacks at runtime.
Item Type: Article
Uncontrolled Keywords: Cache-based side-channel attacks; Prime-and-probe attacks; Flush-and-reload attacks; ECDSA attacks; Runtime detection; Hardware performance counters
Subjects: Q Science > QA Mathematics > QA075 Electronic computers. Computer science
Divisions: Faculty of Engineering and Natural Sciences > Academic programs > Computer Science & Eng.
Faculty of Engineering and Natural Sciences
Depositing User: Erkay Savaş
Date Deposited: 28 Aug 2019 11:34
Last Modified: 15 Jun 2023 16:14
URI: https://research.sabanciuniv.edu/id/eprint/38076

Available Versions of this Item

Actions (login required)

View Item
View Item