Keep the PokerFace on! Thwarting cache side channel attacks by memory bus monitoring and cache obfuscation

• Main Authors: Arun Raj, Janakiram Dharanipragada
• Format: Article
• Language: English
• Published: SpringerOpen 2017-12-01
• Series: Journal of Cloud Computing: Advances, Systems and Applications
• Subjects: Cloud security; Side channel attacks; Cache obfuscation
• Online Access: http://link.springer.com/article/10.1186/s13677-017-0101-4

Abstract Cloud instances are vulnerable to cross-core, cross-VM attacks against the shared, inclusive last-level cache. Automated cache template attacks, in particular, are very powerful as the vulnerabilities do not need to be manually identified. Such attacks can be devised using both the Prime+Probe and the Flush+Reload techniques. In this paper, we present PokerFace, a novel method to identify and mitigate such attacks. This approach allows us to identify suspicious cache accesses automatically, without prior knowledge about the system or access to hardware metrics. PokerFace consists of two components, Poker and Face. Poker executes a memory bus benchmark to measure the available bus bandwidth and derive information about cache accesses and possible side channel attacks. Our experiments with cache attacks show a reduction of up to 14% in the memory bandwidth during the attack. When an attack is detected, Poker triggers Face which performs cache obfuscation. We demonstrate the effectiveness of our approach against keypress logging attacks. We also test it against generic Prime+Probe and Flush+Reload attacks and show that it is practically useful against a variety of cache timing attacks. PokerFace incurs modest overheads (< 8%) and moreover, does not require support from the cloud provider or changes to the hypervisor. Unlike previously proposed techniques, it can be implemented by cloud subscribers.