Dessouky, Ghada ; Gruler, Alexander ; Mahmoody, Pouya ; Sadeghi, Ahmad-Reza ; Stapf, Emmanuel (2022)
Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures.
Network and Distributed Systems Security (NDSS) Symposium 2022. San Diego, USA (24.04.2022-28.04.2022)
doi: 10.48550/arXiv.2110.08139
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
Shared cache resources in multi-core processors are vulnerable to cache side-channel attacks. Recently proposed defenses such as randomized mapping of addresses to cache lines or well-known cache partitioning have their own caveats: Randomization-based defenses have been shown vulnerable to newer attack algorithms besides relying on weak cryptographic primitives. They do not fundamentally address the root cause for cache side-channel attacks, namely, mutually distrusting codes sharing cache resources. Cache partitioning defenses provide the strict resource partitioning required to effectively block all side-channel threats. However, they usually rely on way-based partitioning which is not fine-grained and cannot scale to support a larger number of protection domains, e.g., in trusted execution environment (TEE) security architectures, besides degrading performance and often resulting in cache underutilization. To overcome the shortcomings of both approaches, we present a novel and flexible set-associative cache partitioning design for TEE architectures, called CHUNKED-CACHE. The core idea of CHUNKED-CACHE is to enable an execution context to “carve” out an exclusive configurable chunk of the cache if the execution requires side-channel resilience. If side-channel resilience is not required, mainstream cache resources can be freely utilized. Hence, our solution CHUNKED-CACHE addresses the securityperformance trade-off practically by enabling efficient selective and on-demand utilization of side-channel-resilient caches, while providing well-grounded future-proof security guarantees. We show that CHUNKED-CACHE provides side-channel-resilient cache utilization for sensitive code execution, with small hardware overhead, while incurring no performance overhead on the OS. We also show that it outperforms conventional way-based cache partitioning by 43%, while scaling significantly better to support a larger number of protection domains.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2022 |
| Autor(en): | Dessouky, Ghada ; Gruler, Alexander ; Mahmoody, Pouya ; Sadeghi, Ahmad-Reza ; Stapf, Emmanuel |
| Art des Eintrags: | Bibliographie |
| Titel: | Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures |
| Sprache: | Englisch |
| Publikationsjahr: | 2022 |
| Kollation: | 18 Seiten |
| Veranstaltungstitel: | Network and Distributed Systems Security (NDSS) Symposium 2022 |
| Veranstaltungsort: | San Diego, USA |
| Veranstaltungsdatum: | 24.04.2022-28.04.2022 |
| DOI: | 10.48550/arXiv.2110.08139 |
| URL / URN: | https://arxiv.org/pdf/2110.08139.pdf |
| Zugehörige Links: | |
| Kurzbeschreibung (Abstract): | Shared cache resources in multi-core processors are vulnerable to cache side-channel attacks. Recently proposed defenses such as randomized mapping of addresses to cache lines or well-known cache partitioning have their own caveats: Randomization-based defenses have been shown vulnerable to newer attack algorithms besides relying on weak cryptographic primitives. They do not fundamentally address the root cause for cache side-channel attacks, namely, mutually distrusting codes sharing cache resources. Cache partitioning defenses provide the strict resource partitioning required to effectively block all side-channel threats. However, they usually rely on way-based partitioning which is not fine-grained and cannot scale to support a larger number of protection domains, e.g., in trusted execution environment (TEE) security architectures, besides degrading performance and often resulting in cache underutilization. To overcome the shortcomings of both approaches, we present a novel and flexible set-associative cache partitioning design for TEE architectures, called CHUNKED-CACHE. The core idea of CHUNKED-CACHE is to enable an execution context to “carve” out an exclusive configurable chunk of the cache if the execution requires side-channel resilience. If side-channel resilience is not required, mainstream cache resources can be freely utilized. Hence, our solution CHUNKED-CACHE addresses the securityperformance trade-off practically by enabling efficient selective and on-demand utilization of side-channel-resilient caches, while providing well-grounded future-proof security guarantees. We show that CHUNKED-CACHE provides side-channel-resilient cache utilization for sensitive code execution, with small hardware overhead, while incurring no performance overhead on the OS. We also show that it outperforms conventional way-based cache partitioning by 43%, while scaling significantly better to support a larger number of protection domains. |
| Zusätzliche Informationen: | E-Print Comments: Accepted on 3 Sept 2021 to appear at the Network and Distributed System Security Symposium (NDSS) 2022 |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Systemsicherheit DFG-Sonderforschungsbereiche (inkl. Transregio) DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche Profilbereiche Profilbereiche > Cybersicherheit (CYSEC) DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche > SFB 1119: CROSSING – Kryptographiebasierte Sicherheitslösungen als Grundlage für Vertrauen in heutigen und zukünftigen IT-Systemen |
| TU-Projekte: | DFG|SFB1119|S2SFB1119 Sadeghi |
| Hinterlegungsdatum: | 10 Feb 2022 10:18 |
| Letzte Änderung: | 19 Dez 2024 10:58 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum