Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Shield Bash: Abusing Defensive Coherence State Retrieval to Break Timing Obfuscation

Kartik Ramkrishnan, Antonia Zhai, Stephen McCamant, Pen Chung Yew

TL;DR

This work reveals a microarchitectural defense assumption violation (MDAV) arising when TORC timing obfuscation and DSRC speculative-coherence protections operate together. The authors introduce the shield bash attack, implemented as a LRBS probe, showing how DSRC’s remote coherence feedback can leak secret state and defeat TORC. They propose two mitigations—delay speculative on remote and miss (DSRM) and Start-With-S MESI (SS-MESI)—and validate them with GEM5 simulations and real-machine covert-channel measurements, reporting overheads generally below 32% (and often under 3% for SS-MESI variants). The findings emphasize the need for holistic design of defenses, as inter-defensive interactions can undermine security, and outline practical directions for mitigating MDAVs in current and future coherence protocols.

Abstract

Microarchitectural attacks are a significant concern, leading to many hardware-based defense proposals. However, different defenses target different classes of attacks, and their impact on each other has not been fully considered. To raise awareness of this problem, we study an interaction between two state-of-the art defenses in this paper, timing obfuscations of remote cache lines (TORC) and delaying speculative changes to remote cache lines (DSRC). TORC mitigates cache-hit based attacks and DSRC mitigates speculative coherence state change attacks. We observe that DSRC enables coherence information to be retrieved into the processor core, where it is out of the reach of timing obfuscations to protect. This creates an unforeseen consequence that redo operations can be triggered within the core to detect the presence or absence of remote cache lines, which constitutes a security vulnerability. We demonstrate that a new covert channel attack is possible using this vulnerability. We propose two ways to mitigate the attack, whose performance varies depending on an application's cache usage. One way is to never send remote exclusive coherence state (E) information to the core even if it is created. The other way is to never create a remote E state, which is responsible for triggering redos. We demonstrate the timing difference caused by this microarchitectural defense assumption violation using GEM5 simulations. Performance evaluation on SPECrate 2017 and PARSEC benchmarks of the two fixes show less than 32\% average overhead across both sets of benchmarks. The repair which prevented the creation of remote E state had less than 2.8% average overhead.

Shield Bash: Abusing Defensive Coherence State Retrieval to Break Timing Obfuscation

TL;DR

This work reveals a microarchitectural defense assumption violation (MDAV) arising when TORC timing obfuscation and DSRC speculative-coherence protections operate together. The authors introduce the shield bash attack, implemented as a LRBS probe, showing how DSRC’s remote coherence feedback can leak secret state and defeat TORC. They propose two mitigations—delay speculative on remote and miss (DSRM) and Start-With-S MESI (SS-MESI)—and validate them with GEM5 simulations and real-machine covert-channel measurements, reporting overheads generally below 32% (and often under 3% for SS-MESI variants). The findings emphasize the need for holistic design of defenses, as inter-defensive interactions can undermine security, and outline practical directions for mitigating MDAVs in current and future coherence protocols.

Abstract

Microarchitectural attacks are a significant concern, leading to many hardware-based defense proposals. However, different defenses target different classes of attacks, and their impact on each other has not been fully considered. To raise awareness of this problem, we study an interaction between two state-of-the art defenses in this paper, timing obfuscations of remote cache lines (TORC) and delaying speculative changes to remote cache lines (DSRC). TORC mitigates cache-hit based attacks and DSRC mitigates speculative coherence state change attacks. We observe that DSRC enables coherence information to be retrieved into the processor core, where it is out of the reach of timing obfuscations to protect. This creates an unforeseen consequence that redo operations can be triggered within the core to detect the presence or absence of remote cache lines, which constitutes a security vulnerability. We demonstrate that a new covert channel attack is possible using this vulnerability. We propose two ways to mitigate the attack, whose performance varies depending on an application's cache usage. One way is to never send remote exclusive coherence state (E) information to the core even if it is created. The other way is to never create a remote E state, which is responsible for triggering redos. We demonstrate the timing difference caused by this microarchitectural defense assumption violation using GEM5 simulations. Performance evaluation on SPECrate 2017 and PARSEC benchmarks of the two fixes show less than 32\% average overhead across both sets of benchmarks. The repair which prevented the creation of remote E state had less than 2.8% average overhead.

Paper Structure

This paper contains 39 sections, 8 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Remote and Local Cache Lines
  4. Remote Presence/Absence Attacks and the TORC Defense
  5. Speculative Coherence State Change Attacks and the DSRC Defense
  6. Need for Both TORC and DSRC
  7. Shield Bashing TORC Using DSRC
  8. Attack Environment
  9. Attack and Mitigations
  10. Baseline TORC Defense
  11. Breaking TORC by Abusing DSRC
  12. DSRM Eliminates the Abuse
  13. Using SS-MESI With TORC
  14. Shield Bash: Implementation and Mitigations
  15. Implementing the Attack Environment
  16. ...and 24 more sections

Figures (8)

  • Figure 1: TORC, DSRC and TORC+DSRC defenses, where an attacker in a remote Core 0 (dashed outline circle) accesses remote cache line data (shaded gray) with E coherence state. TORC mitigates a cache hit attack (green shield with timer) on victim Core 1. DSRC checks for remote E state and disallows speculative changes to it (green round shield). In TORC + DSRC, the attacker unexpectedly gets secret-related coherence feedback (an instance of an MDAV), enabling new shield-bash attacks and breaking timing obfuscation.
  • Figure 2: Timelines for the shield bash attack
  • Figure 3: Cache snapshots on a timeline while an attack probe runs. There are two scenarios, remote cache line absent (secret=0), and cache line present (secret=1), in three configurations. The remote cache line is represented as a green rectangle (data) with an attached sharer vector (two bits shown as squares) with the secret accessor core's bit set (gray) and the probe core's bit unset (white). The first configuration (Baseline) shows how TORC eliminates the probe's ability to detect a cache hit by delaying the timing of the hit at time $t_2$. The second configuration (Breached) shows how the attacker abuses DSRC to induce an extra redo by exploiting the retrieval of remote cache line presence/absence at time $t_2$. The last configuration (Repaired), solves the problem by forcing redos on both remote presence and absence, due to equalization at time $t_2$ (details in §\ref{['sub:doing_attacks']}).
  • Figure 4: A timeline showing how the MDAV caused by sending coherence information to the core is exploited using the LRBS probe (see §\ref{['section:attack']}) on a TORC + DSRC configuration. In case A, the timeline of the probe is shown, when a remote cache line in the E state is present in the LLC (slower due to redo). In case B, the timeline is shown when there is a cache miss (faster).
  • Figure 5: PARSEC simulation results (see §\ref{['section:performance']}).
  • ...and 3 more figures