New Cache Attack is Fastest in Decade

Streamline

A new way of attacking a computer’s data storage cache is the fastest of its kind and may lead to stronger cybersecurity defenses. Known as Streamline, the new cache attack technique was developed by GT researchers and is more than three times faster than all other covert channel attacks and is the first attack to go faster than 1MB/s after more than a decade of research in this area.

This is the second cache attack paper for School of Computer Science Professor Moin Qureshi’s group, who have been working on secure cache architectures for the past three years.

“It helps to think like an attacker,” said School of Electrical and Computer Engineering Ph.D. student Gururaj Saileshwar, the lead author of the paper and advisee of Qureshi. “It is important to improve our understanding of attacks before a real attacker in the wild does so. In the process, we came up with the Streamline attack that is faster than all existing attacks and has fewer requirements.”

“Better attacks motivate better defenses,” Qureshi said. “Advancing the attack enables us to come up with good defenses for making cache memories secure.”

How Covert Channel Attacks Work

In this type of attack, attackers use a covert channel to communicate and transmit data without detection. Memory caches are susceptible because they are often shared between processors. Such channels have become more popular recently after they were used to transmit data in speculative execution attacks like Spectre and Meltdown.

Memory cache covert channel attacks take advantage of the time difference between access to processor caches and DRAM memory. Senders can influence whether a shared address is in the cache and manipulate the receiver’s access to it. The two fastest attacks have been the Flush+Reload and the Flush+Flush.

In a Flush+Reload, a sender installs an address in a cache and a receiver uses cache flush instructions to evict a shared address. In a Flush+Flush, a sender installs an address in the cache then the receiver measures the latency of the flush to access this address.

A major disadvantage of this type of attack is that it requires access to cache flush instructions, which are disabled in many new CPUs. Also, bit-by-bit synchronization between the sender and receiver that considerably slows the attack. This has limited the bit rate of current attacks to 500-600 KB/s for more than a decade.

How Streamline Works

Instead Streamline relies on asynchronous communication and makes the following improvements:

  1. Streamline communicates over a sequence of shared addresses that enables the sender to keep transmitting successive bits without waiting for the receiver.
  2. The addresses are preserved until the receiver can access them.
  3. When the receiver accesses the address, they get evicted from the cache automatically due to cache-thrashing, the act of accessing a large sequence of addressees by the sender and receiver, without relying on flushing.

The researchers tested Streamline on an Intel Skylake central processing unit and achieved a bit-rate of 1801 kilobytes/second, which is 3.1 times faster than the previous fastest attack. Given that Streamline relies on generic cache properties, it works on all architectures.

Saileshwar and Qureshi wrote the paper, Streamline: A Fast, Flushless Cache Covert-Channel Attack by Enabling Asynchronous Collusion, with University of Illinois—Urbana Champaign Assistant Professor Christopher Fletcher. The researchers will present at the premiere systems conference Architectural Support for Programming Languages and Operating Systems (‚ÄčASPLOS) from April 12-23.

Contact: 

Tess Malone, Communications Officer

tess.malone@cc.gatech.edu