WIXLIB

CaSA, a comprehensive and quantitative security analysisframework of side-channel communication via randomlymapped caches.A thorough security evaluation and new observations tounderstand the limitations and benefits of randomly mappedcaches.II. BACKGROUNDA. Cache-based Side Channel Attacksit harder for a receiver to know which subchannels willbe modulated by a transmitter, and which subchannels arepreconditioned or monitored by the receiver. It aims to mitigatecache attacks by significantly increasing the difficulty of thereceiver’s calibration step.There are various flavors of randomly mapped cache designs [9]–[12], each with different performance and securitycharacteristics. To better understand their differences, wedistinguish these designs based on three characteristics of themapping function, namely whether:In a cache-based side channel attack, the transmitter and thereceiver use the cache as the communication channel, and each 1) It uses public or secret hash functions;cache line as a subchannel. Various such attacks exist [1], [8], 2) It is static or can be dynamically changed over time;[14]–[25], and follow the procedure described in Fig. 1.3) It uses a single or multiple hash functions at a point inIn each attack, the receiver first performs a calibration steptime.by finding a group of addresses called receiver addresses.Table I categorizes each design by mapping strategy.The receiver uses the receiver addresses to monitor a set ofStaticDynamicsubchannels, usually a cache set. Next, the receiver performs the SingleSet-associativecacheCEASER[9]signaling step, which consists of two substeps: precondition andHash GroupIntel sliced LLC [26]NewCache [12]detection. The receiver preconditions a group of subchannelsMultipleScatterCache [11]Skewed-CEASER [10]into a known state in order to optimize its chances of monitoringHash Groupsstate changes in these subchannels. The precondition generally TABLE I: Classification of cache mapping strategies. Usesinvolves accessing the receiver addresses to fill a cache set. It public hash functions.waits for the transmitter to modulate some of the monitoredsubchannels by accessing some cache lines. It then detects the 1) Public vs. Secret hash functions. Traditional set-associativemodulation of those subchannels by either measuring the time caches use a public hash function, which simply extractsof re-accessing the receiver addresses (Prime Probe [1], [8]), bits from the physical address and uses them as the setor measuring the time of accessing the transmitter addresses index. The other caches in Table I use secret hash functions.(Evict Reload [15]), or measuring the execution time of the For example, the last-level caches in Intel processors aretransmitter (Evict Time). Finally, it performs the decode step organized into multiple slices. The mapping function includesan undocumented slice hash function to decide which slice anbased on the measurement result.address should map to. NewCache [12] uses a table-based hashtimefunction. CEASER [9] and ScatterCache [11] use encryptionbased hash functions.set0 abax evictaxinsertEven though using a secret mapping function could beset1bthought to make calibration more difficult, it alone cannotbthwart cache attacks. It has been demonstrated that theret1: Primet2: Waitt3: Probeexist efficient algorithms for attackers to reverse engineer theFig. 2: An example of Prime Probe attacks. Line a and b are hash function [27], [28] or even to directly construct effectivereceiver addresses; line x is the transmitter address.receiver sets [7], [10] without needing to know anything aboutFig. 2 visualizes an example of using Prime Probe as the the mapping function.signaling strategy on a two-way cache, which contains three 2) Static v.s. Dynamic hash functions. To further secure thesteps: Prime, Wait, and Probe. The receiver preconditions two cache, researchers proposed to periodically change the hashsubchannels in set0 by accessing lines a and b (Prime). It then function instead of using a static hash function. A cache withwaits for the transmitter to modulate a subchannel in set0 by a dynamic mapping function uses one hash function in eachaccessing line x, which evicts line b from that subchannel epoch, and switches to a different hash function at the end of(Wait). At a later time, the receiver checks the state of the an epoch.The length of an epoch has a significant impact on thesubchannels in set0 by re-accessing lines a and b, and measuringthe access latency (Probe). Based on the long access latency, performance and security of the design. To be secure, the epochthe receiver knows that line b missed in the cache and the state should be short enough so that the receiver cannot both calibrateof a subchannel in set0 has been modified (modulated) by the and detect signals within one epoch. However, upon epochswitching, every line in the cache has to be remapped, andtransmitter.using small epochs thus incurs serious performance overhead.B. Randomly Mapped Cache DesignsNewCache [12] uses extremely small epochs—changing theThe mapping function in a cache decides how memory hash function every time a cache conflict occurs. CEASER [9]addresses are mapped to cache sets. Randomly mapped caches and Skewed-CEASER [10] change the hash function when theintroduce randomness into the mapping functions to make number of cache accesses reaches a threshold. The threshold is

configured to be smaller than the number of accesses required Scope. Our analysis focuses on investigating the fundamentalby the state-of-the-art eviction set construction algorithm [7]. problems in the randomization schemes used by randomlySkewed-CEASER [10] claims years of security when setting mapped caches. Prior work [30] has shown that the mappingthe threshold as 100 L, where L is the total number of lines function used in CEASER [9] and Skewed-CEASER [10] onlyin the cache.consists of linear functions and has a key invariant vulnerability,3) Single vs. Multiple hash functions. Researchers have pro- that is, changing the key used in the mapping function cannotposed more advanced secure cache designs, namely multi-hash change the collisions between addresses. This vulnerabilitycaches such as ScatterCache [11] and Skewed-CEASER [10], can be fixed using non-linear hash functions. Note that, ourwhich use multiple hash functions at any point in time. These analysis is independent of which hash function is used anddesigns contrast with single-hash caches, which only ever use studies new vulnerabilities that have not been explored in priorwork [30]. Indeed, we focus on analyzing the fundamentala single hash function.problem that is intrinsic to randomly mapped caches.addrBesides, we consider the analysis of the following two types fg-1f0f1of attacks orthogonal to the analysis of randomly mappedcaches: flush-based attacks [14], [18] and occupancy-basedattacks [31]. The reason is that randomly mapped caches arenot designed to and thus are unable to mitigate these attacks. Hence,we do not analyze such attacks in this paper.hashhashgroup 0hashgroup 1group g-1Fig. 3: A cache with multiple hash groups.IV. M OTIVATIONCorrectly reasoning about the security of randomly mappedAs shown in Fig. 3, a multi-hash cache is organized ascachesis challenging. Prior security analyses have mademultiple hash groups. Each hash group is organized as a normalincorrectsecurity claims by narrowly considering two communiset-associative cache, and uses a distinct hash function. To docationstrategiesby the attacker. We claim that a comprehensivea lookup in the cache, all the hash-groups are looked up, withsecurityanalysisshould provide an end-to-end quantitativeat most one of them being a cache hit. On a cache miss, theanalysisofabroadrange of communication strategies.cache first picks one of the hash groups using a uniformlyrandom policy and then uses the corresponding hash functionA. Limitations of Prior Workto generate the set index for that hash-group.Prior security analyses [10], [11], [13] only targeted specificAs a result, the mapping function becomes non-deterministic.An address can end up in different hash groups, i.e., modulating calibration strategies that require a huge amount of resourcesdifferent subchannels, even within one epoch. It significantly and are unlikely to be completed within one epoch. We use theincreases the attacker’s difficulty in obtaining a receiver set to following simple example in Fig. 4 to illustrate the limitationsmonitor all the subchannels that will be used by the transmitter. of their analyses. Fig. 4 compares the results of three differentScatterCache [11] uses a single-way per hash group design. calibration strategies on a cache with 2 hash groups and 1Skewed-CEASER [10] makes the number of ways per hash way in each group. Each figure shows hash group 0 on top,hash group 1 at the bottom, and how the transmitter andgroup a configurable parameter.receiver addresses are mapped to corresponding subchannels.Thesubchannels that can be used by the transmitter addressIII. T HREAT M ODEL AND S COPEare marked in grey.We follow the standard threat model of cross-core cachereceiver addresstransmitter addressbased side channel attacks. We assume the attacker and thehashhashhashvictim are co-located on the same processor chip, but residegroup 0group 0group 0set 0on different cores. A transmitter embedded in the victim and aset 1receiver controlled by the attacker communicate via channelsset 2in a shared last-level cache. Even though we focus on theset 3last-level cache, our analysis and our tool, CaSA, can be easilyhashhashhashgroup 1group 1group 1extended to other levels of the cache hierarchy.The attacker can reside in a user-level process or in amalicious operating system in a secure enclave context, such asSGX [29]. Like previous work [20], we assume the receiver canuse a single thread or multiple threads to control multiple cores(a)(b)(c)on the chip. The transmitter may be latent in the code of thevictim and execute as part of the victim’s normal processing, or Fig. 4: An illustrative example of different calibration strategies:the attacker can leverage speculative execution [3] to provoke (a) hard-conflict receiver addresses; (b) many soft-conflictreceiver addresses; (c) one soft-conflict receiver address.the execution of the transmitter.

The security analysis in Skewed-CEASER [10] only con- by accumulating 16 samples, the receiver can know if thesidered using “hard-conflict” receiver addresses for signaling. transmitter was accessed or not with 99% confidence, based onA “hard-conflict” receiver address maps to the same cache whether it detects modulations in at least one of the signalingset as the transmitter address in every hash group, shown in samples or it detects no modulations across all samples.Fig. 4(a). Their analysis only consider such addresses becauseAlternatively, the receiver could spend more resources ononce the attacker has enough hard-conflict addresses (2 in this calibration to obtain two receiver addresses instead of one. Inexample), she can perform the rest of the communication (e.g., this situation, she would only need to accumulate 7 samplesPrime Probe) in the same way as on a conventional cache. to decode the secret with the same level of confidence. TheRandomly mapped caches are designed to make it extremely examples above clearly demonstrate the existence of a trade-offdifficult to obtain hard-conflict addresses. In fact, for a given in distributing resources between calibration and signaling.transmitter address, when there are 8 or 16 hash groups, theremay not exist enough hard-conflict addresses given the limited B. The Need for Comprehensive and Quantitative Analysissize of the address space in the state-of-the-art systems [11].In addition to the trade-off between calibration and signalEven though a receiver set with hard-conflict addresses istransfer, we find it is necessary to perform a comprehensiveguaranteed to be functional, i.e., guarantee to monitor all theand quantitative analysis of randomly mapped caches, sincesubchannels that will be used by the transmitter, it is not thethere exist multiple other factors that can affect the security ofonly way to communicate on randomly mapped caches.these designs. We provide the intuitions of how these factorsThe security analysis in ScatterCache [11] considered usingcan affect communication on randomly mapped caches below.a large number of “soft-conflict” receiver addresses. A “softFirst, we need to consider the effects of having multipleconflict” receiver address maps to the same set as the transmittertransmitter addresses. Intuitively, having more transmitteraddress in at least one hash group, as shown in Fig. 4(b). Softaddresses can make communication easier, because the numconflict addresses are much easier to find than hard-conflictber of subchannels associated with the transmitter increasesaddresses but can only be used to monitor the transmitter withand the communication can work as long as the receiversome probability. The assumption behind their analysis is thatcan successfully monitor at least one modulation from thethe attacker needs to get a large receiver set (e.g., 256 addressestransmitter. Note that, in practice, multi-address transmitterson an 8MB LLC) in order to monitor the transmitter with 99%do occur in many security-sensitive applications. For example,probability. Crafting such a large receiver set is expensivethe square-and-multiply exponentiation algorithm used in RSAand unlikely to be completed within one epoch. Consequently,encryption [32] acts as a multi-address transmitter: both thestrong security claims were made under such assumptions.square and multiply functions are composed of instructionsThere exists a key problem with these analyses: theyresiding in multiple cache lines.overlooked a broad range of communication strategies thatSecond, we need to consider the effects of noise. Intuitively,are available to the attacker. In addition to the prior analysisthepresence of noise can make communication more difficult,where the receiver spends a huge amount of resources onbecausethe receiver often cannot distinguish the modulationscalibration to achieve a high monitoring probability, othergeneratedby the transmitter or by the noise. CaSA quantitaeffective communication strategies are also possible, such as,tivelymeasuresthe impacts of noise and we discovered a newusing a small amount of resources on calibration to obtainfindingthatnoisecan have a positive impact on communication.a receiver set with low monitoring probability, and relyingFinally,forcachesthat periodically change the mappingon repeating the signaling step to decode secrets with a highfunctions,weinvestigatethe feasibility of performing thesuccess rate. A comprehensive analysis should explore thecommunicationacrossepochs.Prior work assumed that commutrade-off in distributing resources between calibration andnicationmustcompletewithinone epoch and no is paper, we challenge thisFig. 4(c) shows an example of using 1 receiver addressassumption.Itistruethat,areceiverset constructed in anthat soft-conflicts with the transmitter on a single subchannel.epochcanonlybeusedforthesignalingsteps in the sameSuch a receiver set is fairly cheap to construct. In ts fromexample, the receiver has a probability of 0.5 to monitor tand misssubchannel and the transmitter also has a probability of 0.5 lsaremodulate that subchannel. As a result, when the inthereceiveraddress is accessed, the probability of the receiver observinga modulation is 0.5 0.5 0.25. When the transmitter is not sets. Intuitively, if the same secret bit is transmitted, the samplesaccessed, this probability is 0. Even though the probability obtained from different epochs can be combined to increaseto observe a modulation is low, the receiver can repeat the decoding accuracy.CaSA is designed to quantitatively analyze the impacts ofsignal transfer step to accumulate samples. Those samples aretheabove factors on the security of randomly mapped caches.then used to infer if the transmitter was accessed (observingSpecifically,CaSA can answer the following questions.some modulation) or not (observing no modulation). Thislast phase is the decoding step and increasing the number of Given a cache configuration, such as the one in Fig. 4, andsamples will increase the decode success rate. In our example,the number of transmitter addresses, how should a receiver

distribute resources between calibration and signal transferto exfiltrate the maximum amount of information?Considering background noise, how much more difficult isit for an attacker to mount a successful attack?Among different cache configurations (e.g., 1-way per hashgroup and 2-way per hash group), which one is moredifficult to attack, measured by the number of attacker’scache accesses to leak one secret bit?V. C A SA OVERVIEWThe goal of CaSA is to measure the security of different configurations of randomly mapped caches. We striveto comprehensively evaluate how various communicationparameters quantitatively affect the amount of informationleakage on a given cache configuration. To enable quantitativeanalysis, we innovatively leverage concepts from the fieldof telecommunications (Section I) and formulate the signalsin cache-based side channels into a statistical representation.In this section, we first describe the full security analysisspace, and then describe the statistical representation of signals,followed by the security metric used in CaSA.A. The Security Analysis SpaceThe paper strives to comprehensively evaluate the choicesavailable with respect to the three components used in cachebased side channel communication, i.e., transmitter, receiverand channel (i.e., cache), as well as parameters related to noise.Transmitter. An important parameter related to the transmitteris the number of transmitter addresses. We expect programdevelopers to set that sole transmitter parameter based ontheir knowledge of the applications or using program analysistools [33]–[35].Receiver. The receiver can c

Fig. 1: Communication paradigm. The communication paradigm, shown in Fig. 1, consists of three steps: calibration, signaling and decode. First, the receiver often needs to perform a calibration step. Calibration is like a tuning process in a radio-based system,