DOI QR코드

DOI QR Code

Real-Time Detection on FLUSH+RELOAD Attack Using Performance Counter Monitor

Performance Counter Monitor를 이용한 FLUSH+RELOAD 공격 실시간 탐지 기법

  • Received : 2018.12.18
  • Accepted : 2019.03.13
  • Published : 2019.06.30

Abstract

FLUSH+RELOAD attack exposes the most serious security threat among cache side channel attacks due to its high resolution and low noise. This attack is exploited by a variety of malicious programs that attempt to leak sensitive information. In order to prevent such information leakage, it is necessary to detect FLUSH+RELOAD attack in real time. In this paper, we propose a novel run-time detection technique for FLUSH+RELOAD attack by utilizing PCM (Performance Counter Monitor) of processors. For this, we conducted four kinds of experiments to observe the variation of each counter value of PCM during the execution of the attack. As a result, we found that it is possible to detect the attack by exploiting three kinds of important factors. Then, we constructed a detection algorithm based on the experimental results. Our algorithm utilizes machine learning techniques including a logistic regression and ANN(Artificial Neural Network) to learn from different execution environments. Evaluation shows that the algorithm successfully detects all kinds of attacks with relatively low false rate.

캐시 부채널 공격 중 하나인 FLUSH+RELOAD 공격은 높은 해상도와 적은 노이즈로 여러 악성 프로그램에서도 활용되는 등 비밀 정보의 유출에 대한 위험성이 높은 공격이다. 따라서 이 공격을 막기 위해 실시간으로 공격을 탐지하는 기술을 개발할 필요가 있다. 본 논문에서는 프로세서의 PCM (Performance Counter Monitor)를 이용한 실시간 FLUSH+RELOAD 공격 탐지 기법을 제안한다. 탐지 방법의 개발을 위해 우선 공격이 발생하는 동안 PCM의 여러 카운터들의 값들의 변화를 4가지 실험을 통해 관찰하였다. 그 결과, 3가지 중요한 요인에 의해 공격 탐지를 할 수 있다는 것을 발견하였다. 이를 바탕으로 머신 러닝의 logistic regression과 ANN(Artificial Neural Network)를 사용해 결과에 대한 각각 학습을 시킨 뒤 실시간으로 공격에 대한 탐지를 할 수 있는 알고리즘을 개발하였다. 이 탐지 알고리즘은 일정한 시간동안 공격을 진행하여 모든 공격을 감지하는데 성공하였고 상대적으로 적은 오탐률을 보여주었다.

Keywords

JBCRIN_2019_v8n6_151_f0001.png 이미지

Fig. 1. IPC, L3 Miss, L2 Miss Count Values when Playing Video (Start: The Beginning of Attack, End: The End of Attack)

JBCRIN_2019_v8n6_151_f0002.png 이미지

Fig. 2. IPC, L3 Miss, L2 Miss Count Values when Playing Music (Start: The Beginning of Attack, End: The End of Attack)

JBCRIN_2019_v8n6_151_f0003.png 이미지

Fig. 3. Pseudo Code for Real-time Detection Program

JBCRIN_2019_v8n6_151_f0004.png 이미지

Fig. 4. IPC, L3 Miss, L2 Miss Count Values when Playing Youtube (Start: The Beginning of Attack, End: The End of Attack)

References

  1. Yarom Yuval and Katrina E. Falkner, "Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack," USENIX Security, 2014.
  2. B. Gulmezoglu, M. Inci, G. Irazoki, T. Eisenbarth, and B. Sunar, "Cross-VM Cache Attacks on AES," IEEE Trans. Multi-Scale Comput. Syst., Vol.2, No.3, pp.211-222, 2016. https://doi.org/10.1109/TMSCS.2016.2550438
  3. Daniel Gruss, Raphael Spreitzer, and Stefan Mangard, "Cache Template Attacks : Automating Attacks on Inclusive Last-Level Cache," USENIX Security Symposium 2015.
  4. Daniel Gruss, Raphael Spreitzer, and Stefan Mangard, "Flush+Flush : A Fast and Stealthy Cache Attack," DIMVA 2016 Detection of Instruction and Malware, and Vulnerability Assessment.
  5. Manuel Weber, Michael Schwarz, Lukas Giner, and Daniel Gruss, "Hello from the Other Side : SSH over Robust Cache Covert Channels in the Cloud." Network and Distributed System Security Symposium 2017 (NDSS'17).
  6. Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar, "Systematic Reverse Engineering of Cache Slice Selection in Intel Processors," 2015 Euromicro Conference on Digital System Design (DSD).
  7. Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee, "Last-Level Cache Side-Channel Attacks are Practical," 2015 IEEE Symposium on Security and Privacy.
  8. Intel Performance Counter Monitor [Online] https://docs.it4i.cz/software/debuggers/intel-performance-counter-monitor/-Intel Performance Counter Monitor.
  9. Machine Learning and Deep Learning for Everyone [Online], https://hunkim.github.io/ml/.
  10. What is Artificial Neural Network? [Online], http://blog.lgcns.com/1359.
  11. Y. Yarom, "Mastik: A Micro-Architectural Side-Channel Toolkit," [Online] https://cs.adelaide.edu.au/-yval/Mastik/.
  12. Irazoqui, Gorka, et al. "Wait a minute! A fast, Cross-VM attack on AES," Research in Attacks, Intrusions and Defenses. Springer International Publishing, pp.299-319, 2014.