Flush+Flush: A fast and stealthy cache attack

Daniel Gruss, Clémentine Maurice, Klaus Wagner, Stefan Mangard

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Abstract

Research on cache attacks has shown that CPU caches leak significant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection. In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the flush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache flushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs at a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6.7 times faster than any previously published cache covert channel.

Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings
Publisher: Springer-Verlag Italia
Pages: 279-299
Number of pages: 21
Volume: 9721
ISBN (Print): 9783319406664
DOIs: https://doi.org/10.1007/978-3-319-40667-1_14
Publication status: Published - 2016
Event: 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2016 - San Sebastian, Spain
Duration: 7 Jul 2016 → 8 Jul 2016

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9721
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2016
Country: Spain
City: San Sebastian
Period: 7/07/16 → 8/07/16

Fingerprint

  • Cache
  • Program processors
  • Attack
  • Hardware
  • Data storage equipment
  • Hits
  • Covert Channel
  • Execution Time

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Gruss, D., Maurice, C., Wagner, K., & Mangard, S. (2016). Flush+Flush: A fast and stealthy cache attack. In Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings (Vol. 9721, pp. 279-299). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9721). Springer-Verlag Italia. https://doi.org/10.1007/978-3-319-40667-1_14

Flush+Flush : A fast and stealthy cache attack. / Gruss, Daniel; Maurice, Clémentine; Wagner, Klaus; Mangard, Stefan.

Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings. Vol. 9721 Springer-Verlag Italia, 2016. p. 279-299 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9721).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Gruss, D, Maurice, C, Wagner, K & Mangard, S 2016, Flush+Flush: A fast and stealthy cache attack. in Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings. vol. 9721, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9721, Springer-Verlag Italia, pp. 279-299, 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2016, San Sebastian, Spain, 7/07/16. https://doi.org/10.1007/978-3-319-40667-1_14
Gruss D, Maurice C, Wagner K, Mangard S. Flush+Flush: A fast and stealthy cache attack. In Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings. Vol. 9721. Springer-Verlag Italia. 2016. p. 279-299. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-40667-1_14
Gruss, Daniel ; Maurice, Clémentine ; Wagner, Klaus ; Mangard, Stefan. / Flush+Flush : A fast and stealthy cache attack. Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings. Vol. 9721 Springer-Verlag Italia, 2016. pp. 279-299 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{1f5527a69acd4ace967106104efd03db,
title = "Flush+Flush: A fast and stealthy cache attack",
abstract = "Research on cache attacks has shown that CPU caches leak significant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection. In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the flush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache flushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6.7 times faster than any previously published cache covert channel.",
author = "Daniel Gruss and Cl{\'e}mentine Maurice and Klaus Wagner and Stefan Mangard",
year = "2016",
doi = "10.1007/978-3-319-40667-1_14",
language = "English",
isbn = "9783319406664",
volume = "9721",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer-Verlag Italia",
pages = "279--299",
booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings",
address = "Italy",

}

TY - GEN

T1 - Flush+Flush

T2 - A fast and stealthy cache attack

AU - Gruss, Daniel

AU - Maurice, Clémentine

AU - Wagner, Klaus

AU - Mangard, Stefan

PY - 2016

Y1 - 2016

N2 - Research on cache attacks has shown that CPU caches leak significant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection. In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the flush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache flushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6.7 times faster than any previously published cache covert channel.

AB - Research on cache attacks has shown that CPU caches leak significant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection. In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the flush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache flushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6.7 times faster than any previously published cache covert channel.

UR - http://www.scopus.com/inward/record.url?scp=84979233660&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-40667-1_14

DO - 10.1007/978-3-319-40667-1_14

M3 - Conference contribution

SN - 9783319406664

VL - 9721

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 279

EP - 299

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings

PB - Springer-Verlag Italia

ER -