New Noise-Resilient Attack On Intel and AMD CPUs Makes Flush-based Attacks Effective
(Dabangg Attack)
Modern Intel and AMD processors are susceptible to a new form of side-channel attack that makes flush-based cache attacks resilient to system noise, newly published research shared with The Hacker News has revealed.
The findings are from a paper "DABANGG: Time for Fearless Flush based Cache Attacks" published by a pair of researchers, Biswabandan Panda and Anish Saxena, from the Indian Institute of Technology (IIT) Kanpur earlier this week.
Dubbed "Dabangg" (meaning fearless), the approach builds upon the Flush+Reload and Flush+Flush attacks, which have been exploited previously by other researchers to leak data from Intel CPUs.
However, the new variant aims to improve the accuracy of these attacks even in a noisy multi-core system. It also works seamlessly against non-Linux Operating Systems, like macOS.
"Like any other cache attacks, flush based cache attacks rely on the calibration of cache latency," Biswabandan Panda, assistant professor at IIT Kanpur, told The Hacker News. "State-of-the-art cache timing attacks are not effective in the real world as most of them work in a highly controlled environment."
"With DABANGG, we make a case for cache attacks that can succeed in the real world that's resilient to system noise and work perfectly even in a highly noisy environment," he added.
Flush+Reload and Flush+Flush attacks work by flushing out the memory line (using the "clflush" instruction), then waiting for the victim process to access the memory line, and subsequently reloading (or flushing) the memory line, measuring the time needed to load it.
DABANGG is a lot like Flush+Reload and Flush+Flush attacks in that it's a flush-based attack, which depends on the execution timing difference between cached and non-cached memory accesses. But unlike the latter two, DABANGG makes the thresholds used to differentiate a cache hit from a miss dynamic.
Power management techniques like dynamic voltage and frequency scaling (DVFS) in modern processors allow for frequency changes based on overall CPU utilization, with cores running compute-intensive processes operating at a higher frequency than those that do not.
This core-wise frequency difference results in a variable execution latency for instructions, and renders the thresholds chosen to distinguish a cache hit from a miss useless, the researchers stated.
"We make these thresholds dynamic as a function of processor frequency (that gets throttled up and down based on the DVFS controllers) which in turn make the flush based attacks resilient to system noise," Prof. Panda said.
DABANGG refines the shortcomings by capturing the processor's frequency distribution in the pre-attack stage and using a compute-heavy code to stabilize the frequency, before proceeding with a Flush+Reload or Flush+Flush attack to calculate latency and check for a cache hit.
The consequence of these side-channel attacks is a reliable way to eavesdrop on user input, extract AES private key, exfiltrate data via a covert channel between a malicious process and its victim, and carry out Spectre-like speculative execution to access cached information.
Given that DABANGG is also a flush-based attack, it can be mitigated using the same techniques corresponding to Flush+Reload and Flush+Flush, namely, modifying the clflush instruction and monitoring cache misses as well as making hardware changes to prevent such attacks.
"Flush-based attacks must be aware of processor frequency for better accuracy," Prof. Panda said. "Generally speaking, if an attack cannot effectively target a victim's access unless all the conditions are controlled, that attack doesn't pose a real-world risk. We believe this is just the beginning in terms of pushing the cache attacks into the real world, and it will trigger better and more robust cache attacks in the future."
Researchers will release the source code for proof-of-concept on Github after 15th June 2020.