Modern Intel and AMD processors are susceptible to a new side-channel technique that makes flush-based cache attacks resilient to system noise.
Two researchers from the Indian Institute of Technology (IIT) Kanpur, Biswabandan Panda and Anish Saxena, reported their findings in a paper titled “DABANGG: Time for Fearless Flush based Cache Attacks.”
The approach builds on the Flush+Reload and Flush+Flush attacks, which other researchers have previously used to leak data from Intel CPUs.
The new variant, which also works on non-Linux operating systems such as macOS, improves the accuracy of these attacks even on a noisy multi-core system.
According to Biswabandan Panda, assistant professor at IIT Kanpur, flush-based cache attacks, like other cache attacks, depend on the calibration of cache latency. State-of-the-art cache timing attacks are not effective in the real world, as most of them only work in a highly controlled environment.
He added that DABANGG (meaning fearless) makes the case for cache attacks that can succeed in the real world: attacks that are resilient to system noise and work perfectly even in a highly noisy environment.
Flush+Reload and Flush+Flush attacks work by flushing a memory line out of the cache (using the “clflush” instruction), waiting for the victim process to access that line, and then reloading (or flushing) the line again while measuring how long the reload (or flush) takes.
DABANGG is a flush-based attack that depends on the execution timing difference between cached and non-cached memory accesses. But unlike Flush+Reload and Flush+Flush, DABANGG makes the thresholds used to tell a cache hit from a miss dynamic.
Power management techniques like dynamic voltage and frequency scaling (DVFS) in modern processors allow for frequency changes based on overall CPU utilization, with cores running compute-intensive processes operating at a higher frequency than those that do not.
This per-core frequency difference produces variable execution latency for the same instructions, and renders a fixed threshold chosen to distinguish a cache hit from a miss useless.
The researchers stated that they make these thresholds dynamic as a function of processor frequency (which is throttled up and down by the DVFS controllers), which in turn makes flush-based attacks resilient to system noise.
DABANGG addresses these shortcomings by capturing the processor’s frequency distribution in a pre-attack stage and running compute-heavy code to stabilize the frequency, before proceeding with a Flush+Reload or Flush+Flush attack to measure latency and check for a cache hit.
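To make the DVFS problem concrete, the following is an added simulation written for this page; it is not code from the DABANGG paper or its authors. It assumes a simple latency model: a cache hit costs a fixed number of core cycles (so it takes more timestamp-counter ticks as the core slows down), while a DRAM miss is bound by memory speed and costs a fixed wall-clock time. The constants TSC_GHZ, HIT_CYCLES and MISS_NS and the frequency schedule are constructed values, not measurements. It shows how a threshold calibrated once at full speed misclassifies hits once the core is throttled, and how a threshold recomputed from the current frequency does not.

```python
"""Simulation of hit/miss classification under DVFS (constructed model).

Added illustration, not code from the DABANGG paper. The latency model and
every number below are assumptions chosen to make the effect visible.
"""

TSC_GHZ = 3.0       # assumed constant-rate timestamp counter, like rdtsc
HIT_CYCLES = 40     # assumed core cycles for a cache hit
MISS_NS = 80.0      # assumed wall-clock latency of a DRAM access


def hit_latency_ticks(core_ghz: float) -> float:
    """A hit takes HIT_CYCLES core cycles; in TSC ticks it grows as the core slows."""
    return HIT_CYCLES * (TSC_GHZ / core_ghz)


def miss_latency_ticks(core_ghz: float) -> float:
    """A DRAM miss is bound by memory, not core frequency: constant in TSC ticks."""
    return MISS_NS * TSC_GHZ


def static_threshold(calibration_ghz: float) -> float:
    """Classic approach: calibrate once, halfway between hit and miss, never revisit."""
    return (hit_latency_ticks(calibration_ghz) + miss_latency_ticks(calibration_ghz)) / 2


def dynamic_threshold(current_ghz: float) -> float:
    """Frequency-aware approach: threshold is a function of the current core frequency."""
    return (hit_latency_ticks(current_ghz) + miss_latency_ticks(current_ghz)) / 2


def classify(latency_ticks: float, threshold: float) -> str:
    """Below the threshold is a hit, at or above it a miss."""
    return "hit" if latency_ticks < threshold else "miss"


def evaluate(frequencies, calibration_ghz: float) -> dict:
    """Fraction of (hit, miss) probe pairs classified correctly over a frequency schedule,
    once with a static threshold calibrated at calibration_ghz and once with a
    threshold recomputed for each frequency."""
    static_thr = static_threshold(calibration_ghz)
    static_ok = dynamic_ok = 0
    for f in frequencies:
        hit, miss = hit_latency_ticks(f), miss_latency_ticks(f)
        static_ok += classify(hit, static_thr) == "hit"
        static_ok += classify(miss, static_thr) == "miss"
        dyn_thr = dynamic_threshold(f)
        dynamic_ok += classify(hit, dyn_thr) == "hit"
        dynamic_ok += classify(miss, dyn_thr) == "miss"
    total = 2 * len(frequencies)
    return {"static": static_ok / total, "dynamic": dynamic_ok / total}


if __name__ == "__main__":
    # Constructed DVFS schedule: the core drops from 3.0 GHz to 0.6 GHz under load changes.
    schedule = [3.0, 2.4, 1.6, 1.2, 0.8, 0.6]
    for f in schedule:
        print(f"{f:.1f} GHz: hit={hit_latency_ticks(f):6.1f} ticks  "
              f"static thr={static_threshold(3.0):.1f}  dynamic thr={dynamic_threshold(f):.1f}")
    print(evaluate(schedule, 3.0))
```

With the constructed numbers, the static threshold of 140 ticks is fine at 3.0 GHz, but at 0.8 GHz a hit already takes 150 ticks and is read as a miss; the dynamic threshold tracks the slowdown and stays correct across the whole schedule.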
The consequence of these side-channel attacks is a reliable way to eavesdrop on user input, extract AES keys, exfiltrate data via a covert channel between a malicious process and its victim, and carry out Spectre-like speculative execution attacks to access cached information.
Since DABANGG is also a flush-based attack, it can be mitigated using the same techniques that apply to Flush+Reload and Flush+Flush, namely modifying the clflush instruction, monitoring cache misses, and making hardware changes to prevent such attacks.
Flush-based attacks must be aware of processor frequency for better accuracy. If an attack can’t target a victim’s access unless all the conditions are controlled, that attack can’t be considered a risk.
According to the researchers, these findings are expected to lead to better and more robust cache attacks in the future.
The researchers will release the proof-of-concept source code on GitHub after 15 June 2020.