Special Topic: Trusted Computing and Information Security

Loop pinpoints of Cache side channel attacks from a performance analysis

  • PENG Shuanghe (彭双和),
  • ZHAO Jiali (赵佳利),
  • HAN Jing (韩静)
  • Beijing Key Laboratory of Intelligent Traffic Data Security and Privacy Protection, Beijing Jiaotong University, Beijing 100036, China

Received date: 2019-09-29

Online published: 2020-04-27

Funding

National Natural Science Foundation of China (61572066)

Abstract

Cache attacks are a new type of side channel attack which pose a great threat to current security protection. To detect and locate Cache side channel attacks effectively, this paper proposes a loop localization method for Cache side channel attacks based on performance analysis, carried out in two stages: attack detection and attack loop localization. In the attack detection stage, hardware performance counters are used to decide whether a binary program is a Cache side channel attack program. The attack loop localization stage first samples performance events, then recovers the internal structure of the binary program (its loops and functions), and combines the structure with the sampled data to locate the attack loop. Finally, typical Cache side channel attack programs and benign programs are analyzed. The results show that the method accurately distinguishes attack programs from benign programs, and a comparison of the localization results with the attack source code shows that it precisely locates the attack loop.

Cite this article

PENG Shuanghe, ZHAO Jiali, HAN Jing. Loop pinpoints of Cache side channel attacks from a performance analysis[J]. Journal of Tsinghua University (Science and Technology), 2020, 60(6): 449-455. DOI: 10.16511/j.cnki.qhdxxb.2020.26.008
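As an added illustration of the two-stage analysis the abstract describes (example code, not the paper's own tooling): stage 1 flags a run whose LLC miss ratio, taken from perf-style whole-program counters, exceeds a threshold; stage 2 credits sampled cache-miss events to the innermost loop whose address range contains the sample's instruction pointer. The counters, loop address ranges, sample records and the threshold are all constructed here; the paper does not publish these values.

```python
"""Two-stage cache side-channel attack analysis: HPC-based detection, then
attribution of sampled cache-miss events to loops recovered from the binary.
All inputs below are constructed for illustration."""
from collections import defaultdict

# Stage 1: whole-program counters for one run. Event names follow Linux perf's
# generic cache events; the threshold is an assumption, not a value from the paper.
MISS_RATIO_THRESHOLD = 0.5

def cache_miss_ratio(counters: dict) -> float:
    """LLC misses divided by LLC references; 0.0 if nothing was referenced."""
    refs = counters.get("LLC-load-references", 0)
    return counters.get("LLC-load-misses", 0) / refs if refs else 0.0

def is_suspected_attack(counters: dict, threshold=MISS_RATIO_THRESHOLD) -> bool:
    """Attack programs (Flush+Reload, Prime+Probe) keep evicting and re-touching
    lines, so their miss ratio sits far above that of ordinary code."""
    return cache_miss_ratio(counters) >= threshold

# Stage 2: loops recovered from the binary as (name, start, end) address ranges.
# Nested loops are listed as well; a sample is credited to the innermost one.
LOOPS = [
    ("probe_outer", 0x401100, 0x4011ff),   # constructed
    ("probe_inner", 0x401120, 0x401180),   # constructed, nested in probe_outer
    ("setup",       0x401000, 0x4010ff),   # constructed
]

def innermost_loop(ip: int, loops=LOOPS):
    """Name of the smallest loop range containing ip, or None if ip is in no loop."""
    hits = [l for l in loops if l[1] <= ip <= l[2]]
    if not hits:
        return None
    return min(hits, key=lambda l: l[2] - l[1])[0]

def attribute_samples(samples, loops=LOOPS):
    """samples: (ip, event, period) triples as a perf sample record would carry.
    Returns loops ranked by the cache-miss weight credited to them."""
    per_loop = defaultdict(int)
    for ip, event, period in samples:
        if event != "LLC-load-misses":      # other sampled events are ignored here
            continue
        per_loop[innermost_loop(ip, loops) or "<no loop>"] += period
    return sorted(per_loop.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample records: (instruction pointer, event, period).
SAMPLES = [
    (0x401130, "LLC-load-misses", 4000), (0x401150, "LLC-load-misses", 3500),
    (0x4011a0, "LLC-load-misses", 300),  (0x401050, "LLC-load-misses", 100),
    (0x401130, "cycles", 9000),          (0x402000, "LLC-load-misses", 50),
]
COUNTERS = {"LLC-load-references": 10000, "LLC-load-misses": 7950}  # constructed
```

Running `is_suspected_attack(COUNTERS)` and `attribute_samples(SAMPLES)` on the constructed data flags the run and ranks `probe_inner` first, which is the loop a reviewer would then compare against the source.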
