Skip to main content
SpringerLink
Log in
Book cover

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIMVA 2016: Detection of Intrusions and Malware, and Vulnerability Assessment pp 279–299Cite as

Flush+Flush: A Fast and Stealthy Cache Attack

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9721))

Abstract

Research on cache attacks has shown that CPU caches leak significant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection.

In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the flush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache flushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6.7 times faster than any previously published cache covert channel.

C. Maurice—Part of the work was done while author was affiliated to Technicolor and Eurecom.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    After public disclosure of the Flush+Flush attack on November 14, 2015, Flush+Flush has also been demonstrated on ARM-based mobile devices [22].

References

  1. Barresi, A., Razavi, K., Payer, M., Gross, T.R.: CAIN: silently breaking ASLR in the cloud. In: WOOT 2015 (2015)

    Google Scholar 

  2. Bernstein, D.J.: Cache-timing attacks on AES. Technical report, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago (2005)

    Google Scholar 

  3. Bhattacharya, S., Mukhopadhyay, D.: Who watches the watchmen?: Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms. Cryptology ePrint Archive, Report 2015/621 (2015)

    Google Scholar 

  4. Brickell, E., Graunke, G., Neve, M., Seifert, J.P.: Software mitigations to hedge AES against cache-based software side channel vulnerabilities. Cryptology ePrint Archive, Report 2006/052 (2006)

    Google Scholar 

  5. Chiappetta, M., Savas, E., Yilmaz, C.: Real time detection of cache-based side-channel attacks using hardware performance counters. Cryptology ePrint Archive, Report 2015/1034 (2015)

    Google Scholar 

  6. Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.: On the feasibility of online malware detection with performance counters. ACM SIGARCH Comput. Archit. News 41(3), 559–570 (2013)

    Article  Google Scholar 

  7. Fogh, A.: Cache side channel attacks (2015). http://dreamsofastone.blogspot.co.at/2015/09/cache-side-channel-attacks.html

  8. Fuchs, A., Lee, R.B.: Disruptive prefetching: impact on side-channel attacks and cache designs. In: Proceedings of the 8th ACM International Systems and Storage Conference (SYSTOR 2015) (2015)

    Google Scholar 

  9. Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in javascript. In: DIMVA 2016 (2016)

    Google Scholar 

  10. Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: USENIX Security Symposium (2015)

    Google Scholar 

  11. Gullasch, D., Bangerter, E., Krenn, S.: Cache games - Bringing access-based cache attacks on AES to practice. In: S&P 2011 (2011)

    Google Scholar 

  12. Gülmezoğlu, B., İnci, M.S., Irazoqui, G., Eisenbarth, T., Sunar, B.: A faster and more realistic Flush+Reload attack on AES. In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2015. LNCS, vol. 9064, pp. 111–126. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  13. Herath, N., Fogh, A.: These are Not Your Grand Daddy’s CPU Performance Counters - CPU Hardware Performance Counters for Security. Black Hat 2015 Briefings. https://www.blackhat.com/docs/us-15/materials/us-15-Herath-These-Are-Not-Your-Grand-Daddys-CPU-Performance-Counters-CPU-Hardware-Performance-Counters-For-Security.pdf

  14. Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: 2013 IEEE Symposium on Security and Privacy, pp. 191–205 (2013)

    Google Scholar 

  15. Intel: Intel\(\textregistered \) 64 and IA-32 Architectures Software Developer’s Manual, vol. 3 (3A, 3B & 3C): System Programming Guide 253665 (2014)

    Google Scholar 

  16. Irazoqui, G., Eisenbarth, T., Sunar, B.: S$A: a shared cache attack that works across cores and defies VM sandboxing - and its application to AES. In: S&P 2015 (2015)

    Google Scholar 

  17. Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Know thy neighbor: crypto library detection in cloud. In: Proceedings on Privacy Enhancing Technologies, vol. 1(1), pp. 25–40 (2015)

    Google Scholar 

  18. Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: AsiaCCS 2015 (2015)

    Google Scholar 

  19. Kim, T., Peinado, M., Mainar-Ruiz, G.: StealthMem: system-level protection against cache-based side channel attacks in the cloud. In: Proceedings of the 21st USENIX Security Symposium (2012)

    Google Scholar 

  20. Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J.H., Lee, D., Wilkerson, C., Lai, K., Mutlu, O.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: Proceeding of the 41st Annual International Symposium on Computer Architecuture (ISCA 2014) (2014)

    Google Scholar 

  21. Kong, J., Acıiçmez, O., Seifert, J.P., Zhou, H.: Hardware-software integrated approaches to defend against software cache-based side channel attacks. In: Proceedings of the 15th International Symposium on High Performance Computer Architecture (HPCA 2009), pp. 393–404 (2009)

    Google Scholar 

  22. Lipp, M., Gruss, D., Spreitzer, R., Mangard, S.: Armageddon: Last-level cacheattacks on mobile devices. CoRR abs/1511.04897 (2015)

    Google Scholar 

  23. Liu, F., Lee, R.B.: Random fill cache architecture. In: IEEE/ACM International Symposium on Microarchitecture (MICRO 2014), pp. 203–215 (2014)

    Google Scholar 

  24. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: S&P 2015 (2015)

    Google Scholar 

  25. lwn.net: 2.6.26-rc1 short-form changelog, May 2008. https://lwn.net/Articles/280913/

  26. Malone, C., Zahran, M., Karri, R.: Are hardware performance counters a cost effective way for integrity checking of programs. In: Proceedings of the Sixth ACM Workshop on Scalable Trusted Computing (2011)

    Google Scholar 

  27. Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A.: Reverse engineering intel complex addressing using performance counters. In: RAID (2015)

    Google Scholar 

  28. Maurice, C., Neumann, C., Heen, O., Francillon, A.: C5: cross-cores cache covert channel. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 46–64. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  29. Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: CCS 2015 (2015)

    Google Scholar 

  30. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  31. Payer, M.: HexPADS: a platform to detect “Stealth” attacks. In: Caballero, J., et al. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 138–154. Springer, Heidelberg (2016). doi:10.1007/978-3-319-30806-7_9

    Chapter  Google Scholar 

  32. Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan (2005)

    Google Scholar 

  33. Qureshi, M.K., Jaleel, A., Patt, Y.N., Steely, S.C., Emer, J.: Adaptive insertion policies for high performance caching. ACM SIGARCH Comput. Archit. News 35(2), 381–391 (2007)

    Article  Google Scholar 

  34. Raj, H., Nathuji, R., Singh, A., England, P.: Resource management for isolation enhanced cloud services. In: Proceedings of the 1st ACM Cloud Computing Security Workshop (CCSW 2009), pp. 77–84 (2009)

    Google Scholar 

  35. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: CCS 2009 (2009)

    Google Scholar 

  36. Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. In: Black Hat (2015)

    Google Scholar 

  37. Spreitzer, R., Plos, T.: Cache-access pattern attack on disaligned AES T-tables. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 200–214. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  38. Tannous, A., Trostle, J.T., Hassan, M., McLaughlin, S.E., Jaeger, T.: New side channels targeted at passwords. In: ACSAC, pp. 45–54 (2008)

    Google Scholar 

  39. Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptology 23(1), 37–71 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  40. Uhsadel, L., Georges, A., Verbauwhede, I.: Exploiting hardware performance counters. In: 5th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008) (2008)

    Google Scholar 

  41. Wang, Z., Lee, R.B.: New cache designs for thwarting software cache-based side channel attacks. ACM SIGARCH Comput. Archit. News 35(2), 494 (2007)

    Article  Google Scholar 

  42. Wang, Z., Lee, R.B.: A novel cache architecture with enhanced performance and security. In: IEEE/ACM International Symposium on Microarchitecture (MICRO 2008), pp. 83–93 (2008)

    Google Scholar 

  43. Willems, C., Hund, R., Fobian, A., Felsch, D., Holz, T., Vasudevan, A.: Down to the bare metal: using processor features for binary analysis. In: ACSAC 2012 (2012)

    Google Scholar 

  44. Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: DSN 2012 (2012)

    Google Scholar 

  45. Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (2014)

    Google Scholar 

  46. Zhang, K., Wang, X.: Peeping tom in the neighborhood: keystroke eavesdropping on multi-user systems. In: USENIX Security Symposium (2009)

    Google Scholar 

  47. Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: HomeAlone: co-residency detection in the cloud via side-channel analysis. In: S&P 2011 (2011)

    Google Scholar 

  48. Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side-channel attacks in PaaS clouds. In: CCS 2014 (2014)

    Google Scholar 

  49. Zhang, Y., Reiter, M.: Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud. In: CCS 2013 (2013)

    Google Scholar 

Download references

Acknowledgments

We would like to thank Mathias Payer, Anders Fogh, and our anonymous reviewers for their valuable comments and suggestions.

Supported by the EU Horizon 2020 programme under GA No. 644052 (HECTOR), the EU FP7 programme under GA No. 610436 (MATTHEW), the Austrian Research Promotion Agency (FFG) and Styrian Business Promotion Agency (SFG) under GA No. 836628 (SeCoS), and Cryptacus COST Action IC1403.

Author information

Authors and Affiliations

  1. Graz University of Technology, Graz, Austria

    Daniel Gruss, Clémentine Maurice, Klaus Wagner & Stefan Mangard

Authors
  1. Daniel Gruss
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Clémentine Maurice
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Klaus Wagner
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Stefan Mangard
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniel Gruss .

Editor information

Editors and Affiliations

  1. IMDEA Software Institute, Pozuelo de Alarcón, Madrid, Spain

    Juan Caballero

  2. Mondragon University, Arrasate, Guipúzcoa, Spain

    Urko Zurutuza

  3. Universidad de Zaragoza, Zaragoza, Spain

    Ricardo J. Rodríguez

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Gruss, D., Maurice, C., Wagner, K., Mangard, S. (2016). Flush+Flush: A Fast and Stealthy Cache Attack. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science(), vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-40667-1_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40666-4

  • Online ISBN: 978-3-319-40667-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation