DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors
Open Access
- 1 October 2018
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- Vol. 2018, 974-987
- https://doi.org/10.1109/micro.2018.00083
Abstract
Software side channel attacks have become a serious concern with the recent rash of attacks on speculative processor architectures. Most attacks that have been demonstrated exploit the cache tag state as their exfiltration channel. While many existing defense mechanisms that can be implemented solely in software have been proposed, these mechanisms appear to patch specific attacks, and can be circumvented. In this paper, we propose minimal modifications to hardware to defend against a broad class of attacks, including those based on speculation, with the goal of eliminating the entire attack surface associated with the cache state covert channel. We propose DAWG, Dynamically Allocated Way Guard, a generic mechanism for secure way partitioning of set associative structures including memory caches. DAWG endows a set associative structure with a notion of protection domains to provide strong isolation. When applied to a cache, unlike existing quality of service mechanisms such as Intel's Cache Allocation Technology (CAT), DAWG fully isolates hits, misses, and metadata updates across protection domains. We describe how DAWG can be implemented on a processor with minimal modifications to modern operating systems. We describe a non-interference property that is orthogonal to speculative execution and therefore argue that existing attacks such as Spectre Variant 1 and 2 will not work on a system equipped with DAWG. Finally, we evaluate the performance impact of DAWG on the cache subsystem.