
PREFENDER: A Prefetching Defender against Cache Side Channel Attacks as A Pretender

Luyi Li, Jiayi Huang, Lang Feng, Zhongfeng Wang

TL;DR

Prefender tackles cache timing side-channel attacks by converting attacks into a prefetching problem: by predicting victim accesses and attacker timing patterns, it prefetches eviction cachelines to obscure the victim's activity. The system comprises three hardware components—Scale Tracker, Access Tracker, and Record Protector—that respectively predict eviction lines from the victim, learn attacker access patterns, and shield predictions from benign noise. Empirical evaluation against Flush+Reload, Evict+Reload, and Prime+Probe shows that Prefender can defeat diverse attacks while maintaining or even improving SPEC CPU performance, with additional robustness from the Record Protector. The work demonstrates a practical, hardware-based defense that leverages targeted prefetching to enhance security without sacrificing efficiency in modern processor cores.

Abstract

Cache side channel attacks are increasingly alarming in modern processors due to the recent emergence of Spectre and Meltdown attacks. A typical attack performs intentional cache access and manipulates cache states to leak secrets by observing the victim's cache access patterns. Different countermeasures have been proposed to defend against both general and transient execution based attacks. Despite their effectiveness, they mostly trade some level of performance for security, or have restricted security scope. In this paper, we seek an approach to enforcing security while maintaining performance. We leverage the insight that attackers need to access cache in order to manipulate and observe cache state changes for information leakage. Specifically, we propose Prefender, a secure prefetcher that learns and predicts attack-related accesses for prefetching the cachelines to simultaneously help security and performance. Our results show that Prefender is effective against several cache side channel attacks while maintaining or even improving performance for SPEC CPU 2006 and 2017 benchmarks.

Paper Structure (20 sections, 12 figures, 6 tables)


Figures (12)

  • Figure 1: The examples of Flush+Reload, Evict+Reload, and Prime+Probe. The secret can be revealed by the only low (or high) latency eviction cacheline.
  • Figure 2: The overall design architecture of our system.
  • Figure 3: The example of the defenses against Flush+Reload attacks (The number near an arrow represents the access time, and the number inside each rectangle represents the first time when the corresponding cacheline is accessed).
  • Figure 4: The example of the defenses against cross-core Flush+Reload attacks (The number near an arrow represents the access time, and the number inside each rectangle represents the first time when the corresponding cacheline is accessed).
  • Figure 5: (a) A pseudo code example for accessing array[secret$\times$0x200], where arr_addr is an immediate number that represents the address of the first element in array. (b) The scales ($sc$) and the fixed values ($fva$) in the access buffer, where each value is set according to the instruction with the same color and the values indicated by the arrows.
  • ...and 7 more figures