dynamically finding minimal eviction sets can be quicker
play

Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You - PowerPoint PPT Presentation

Oct 27, 2023 •24 likes •274 views

Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks against the LLC Wei Song State Key Laboratory of Information Security Institute of Information Engineering, CAS, Beijing, China Peng Liu The

  1. Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks against the LLC Wei Song State Key Laboratory of Information Security Institute of Information Engineering, CAS, Beijing, China Peng Liu The Pennsylvania State University, University Park, USA 2019-09-25

  2. Overview • The development of cache-side channel attacks and defenses. 2019-09-25 RAID-2019 2

  3. Our Motivations • Dynamically randomized LLC – [Qureshi2018] CEASER: Mitigating conflict based cache attacks via encrypted-address and remapping. (Micro’18) – Randomized LLC → Dynamically finding eviction sets → Uncontrollable set conflicts – Dynamic remapping → Limit attacks in short period • Optimized eviction set search algorithm – [Vila2019] Theory and practice of finding eviction sets. (S&P’19) Fast enough? – Prune eviction sets in groups → Reduce time from 𝑷(𝒐 𝟑 ) to 𝑷(𝒙 𝟑 𝒐) • Our questions: – In theory, how fast can an adversary find a minimal eviction set? – In practice, how fast can a minimal eviction set be found on modern processors? 2019-09-25 RAID-2019 3

  4. Preliminary: Caches and Virtual Memory • set associative cache • MMU, TLB • VIPT, PIPT 2019-09-25 RAID-2019 4

  5. Prime+Probe • Victim accesses 𝑤 . • Attacker primes the set with an eviction set {𝑏 0 , 𝑏 1 , 𝑏 2 , 𝑏 3 } , force the eviction of 𝑤 . • Victim re-accesses 𝑤 incurs a long delay. {𝒃 𝟏 , 𝒃 𝟐 , 𝒃 𝟑 , 𝒃 𝟒 } and 𝒘 are mapped to the same set (congruent) Usually eviction sets are computed rather than found. 2019-09-25 RAID-2019 5

  6. Randomized LLC (CEASER) • Use a block chipper to pick a random set • Break the mapping from address to cache set 2019-09-25 RAID-2019 6

  7. Finding an Minimal Eviction Set • A minimal eviction set – An eviction set with the smallest number ( 𝒙 ) of congruent cache blocks . – Congruent cache blocks: cache blocks mapped to the same cache set. • Assumption – Current Intel processors: VPN to PPN mapping is unknown, PPN considered random. – CEASER: cache set is considered random. • Solution – Find a big eviction set (candidate set) with a large number ( 𝑜 ) of random cache blocks. • When 𝑜 is large enough, we can evict any cache block in the shared LLC [Hund2013]. – Prune the large set into a minimal one . 2019-09-25 RAID-2019 7

  8. Prune an Eviction Set (the optimized way) • Original method [Liu2015 at S&P, Oren2015 at CCS] – Remove one cache block per iteration 𝑃(𝑜 2 ) • Optimized method (group pruning) [Vila 2019 at S&P] – Assume we have an initial eviction set with 𝑜 blocks for a 4-way cache. Is this a good – By dividing them into 𝑥 + 1 groups, time complexity is reduced to 𝑷 𝒙 𝟑 𝒐 . estimation? 2019-09-25 RAID-2019 8

  9. The actual latency is much smaller! • The actual latency is much smaller – Early termination effect: terminate the iteration whenever the first removable group is found. • Divide by 2𝑥 – Use 2𝑥 rather than 𝑥 + 1 reduce the theoretical bound to 𝟓𝐱 − 𝟑 𝒐 → 𝑷(𝒙𝒐) – Much closer to the actual latency – Actual test using 2𝑥 is slightly worse than 𝑥 + 1 due to the reduced early termination effect. • Even 4𝑥 − 2 𝑜 is not good enough! 2019-09-25 RAID-2019 9

  10. The long tail distribution of latency • The actual latency distribution is a long tail. – For a defense, what actually matter is the location of the left boundary (1 st percentile, 1% of attacks). – For a 1024-set 16-way randomized cache, 1 st percentile ≈ 25𝑜, 𝑜 = 11500 0.2% of 𝑜 2 , around 18 ⋅ 𝑡 ⋅ 𝑥 ! This is much faster than we ever thought! 2019-09-25 RAID-2019 10

  11. What about Actual Processors? • Applying the dynamic search on three Intel processors. i7-3770 Xeon-4110 i7-8700 Architecture IvyBridge Sky Lake Coffee Lake Cores 4 8 6 Threads 8 16 12 LLC Size 8 MB 11 MB 12 MB Cache Way 16 11 16 Memory 4 GB 32 GB 32 GB OS Ubuntu 16.04 Ubuntu 16.04 Ubuntu 18.04 2019-09-25 RAID-2019 11

  12. Improve the Pruning Algorithm Test 𝐷 with repeat parameter (𝑐, 𝑒) • Random split 1/(w+1) • Simpler loop control • Better tolerance to noise 𝐷 2019-09-25 RAID-2019 12

  13. The Optimal Candidate Set Size? • How many random cache blocks are enough to get a large eviction set? 512-set 32-way 1024-set 16-way cache 1024-set 16-way ~16K → 50% probability of eviction Magic 60% 2048-set 8-way 4096-set 4-way 2019-09-25 RAID-2019 13

  14. The Optimal Candidate Set Size? • How many random cache blocks are enough? Slightly less than s*w. Alg 2: Group prune [Vila2019] Alg 3: Random split [this paper] Split ratio: w+1 is better than 2w What is the best split ratio? Less than 50% chance in finding a candidate set but much shorter time in pruning. 2019-09-25 RAID-2019 14

  15. What is the Best Split Rate? • Is w+1 the best split rate? No. 1024-set 16-way The best split rate ~14 Slightly less than w+1. 2019-09-25 RAID-2019 15

  16. What is the Best Traverse Function? • Start from Ivy bridge (2012), anti-threshing replacement is utilized. • Traverse strategy [Gruss2016] 𝑡𝑢𝑠𝑏𝑢𝑓𝑕𝑧 𝑛 = 3, 𝑜 = 2, 𝜀 = 1 𝑚𝑗𝑡𝑢 𝑛, 𝑜 = 𝑡𝑢𝑠𝑏𝑢𝑓𝑕𝑧(𝑛, 𝑜, 1) • Round traverse [Liu2015] 𝑠𝑝𝑣𝑜𝑒(𝑜 = 2) • Random traverse [this paper] 𝑠𝑏𝑜𝑒𝑝𝑛(4) They key: disguise its scan-like pattern. 2019-09-25 RAID-2019 16

  17. What is the Best Traverse Function? Time to success = time of one trial success rate i7-3770: round(4) and random(16) i7-8700: round(4) Xeon-4110: failed! 2019-09-25 RAID-2019 17

  18. Improve the Success Rate: Multithread Traverse Single thread multithread L1/L2 works like a filter Enforce multi-access by multicore 2019-09-25 RAID-2019 18

  19. Now We Succeed on Xeon-4110 i7-3770: round(4) Xeon-4110: round(1) i7-8700: round(1) 2019-09-25 RAID-2019 19

  20. Summary of Techniques 2019-09-25 RAID-2019 20

  21. Results: When VA to PA mapping is unknown • Finding eviction sets at the page granularity Single Thread Single Thread Multithread Multithread Normal Page Huge Page Normal Page Huge Page i7-3770 0.150 s 0.091 s 0.085 s 0.060 s Xeon-4110 Failed Failed 0.170 s 0.134 s I7-8700 0.202 s 0.123 s 0.095 s 0.061 s • Compare with optimized [Vila2019] Normal Page Huge Page Latency Reduction Latency Reduction i7-3770 0.477 s -82.1% 0.219 s -72.6% i7-8700 0.244 s -61.1% 0.186 s -67.2% Improve success rate from ~60% to ~90%. 2019-09-25 RAID-2019 21

  22. Results: Contribution of Individual Techniques 2019-09-25 RAID-2019 22

  23. Results: When LLC is Randomized • Finding eviction sets at the cache block granularity. – We Succeed both on i7-3770 and Xeon-4110 but failed on i7-8700. – Although it is slow, it is a demonstration that we can find eviction sets on a (statically) randomized LLC. 2019-09-25 RAID-2019 23

  24. Conclusion and Future Works • Contributions: – Reduce the bound from 𝑃(𝑥 2 𝑜) to 𝑃(𝑥𝑜) . – CEASER has overestimated the latency (confirmed by [Qureshi2019 at ISCA]). – New techniques to reduce the latency to ~0.1 second. – Multithread traversing (Xeon-4110, non-inclusive LLC [Yan2019 at SP]). – First time to find eviction set without fixing page offset. • Future works: – Non-inclusive LLC (AMD snooping protocol) [Yan2019 at S&P] – Skewed random LLC [Werner2019 at Security, Qureshi2019 at ISCA] • Opensource – The ideal cache model: https://github.com/comparch-security/cache-model – Tests on Intel processors: https://github.com/comparch-security/smart-cache-evict 2019-09-25 RAID-2019 24

  25. Thank you! Any Questions? 2019-09-25 RAID-2019 25

Recommend

Theory and Practice of Finding Eviction Sets Pepe Vila Boris Kpf Jos F. Morales IMDEA

Theory and Practice of Finding Eviction Sets Pepe Vila Boris Kpf Jos F. Morales IMDEA

Theory and Practice of Finding Eviction Sets Pepe Vila Boris Kpf Jos F. Morales IMDEA Software Institute Microsoft Research IMDEA Software Institute vwzq.net @cgvwzq github.com/cgvwzq Eviction Sets CACHE Find addresses that collide

1.07k views • 74 slides
A polynomial-time algorith for finding minimal conflicting sets St ephane Vialette

A polynomial-time algorith for finding minimal conflicting sets St ephane Vialette

A polynomial-time algorith for finding minimal conflicting sets St ephane Vialette vialette@univ-mlv.fr LIGM Universit e Paris-Est Marne-la-Vall ee November 8-10, 2010 S. Vialette (LIGM) MCSR 11, 8-10, 10 1 / 1 Consecutive 1 s

474 views • 18 slides
Interpretable sets in o-minimal structures Will Johnson March 27, 2015 Will Johnson

Interpretable sets in o-minimal structures Will Johnson March 27, 2015 Will Johnson

Interpretable sets in o-minimal structures Will Johnson March 27, 2015 Will Johnson Interpretable sets in o-minimal structures March 27, 2015 1 / 13 Interpretable groups in o-minimal theories Theorem (Ramakrishnan, Peterzil, Eleftheriou)

937 views • 44 slides
EVICTION EVICTION MORATORIUM MORATORIUM This crisis is not over No New Yorker should lose the

EVICTION EVICTION MORATORIUM MORATORIUM This crisis is not over No New Yorker should lose the

EVICTION EVICTION MORATORIUM MORATORIUM This crisis is not over No New Yorker should lose the roof over their head NEED: State to extend FULL eviction moratorium through August 20 by executive order NEED: State approval to allow tenants who

405 views • 11 slides
Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free

Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free

Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free University of Berlin https://anuragbishnoi.wordpress.com/ Finite Geometries, Irsee September 2017 Blocking Sets A subset B of points in a projective

623 views • 33 slides
Point sets of minimal energy Peter Grabner Institut fr Analysis und Computational Number Theory

Point sets of minimal energy Peter Grabner Institut fr Analysis und Computational Number Theory

Point sets of minimal energy Peter Grabner Institut fr Analysis und Computational Number Theory Graz University of Technology October 16, 2013 Peter Grabner Point sets of minimal energy Self-organisation by local interaction

783 views • 62 slides
LANDLORD TENANT LAW ANTI-EVICTION ACT Who is protected by the Anti-Eviction Act? Entitled to due

LANDLORD TENANT LAW ANTI-EVICTION ACT Who is protected by the Anti-Eviction Act? Entitled to due

LANDLORD TENANT LAW ANTI-EVICTION ACT Who is protected by the Anti-Eviction Act? Entitled to due process Good cause Non-payment of rent Disorderly conduct, e.g. harassing other tenants Damage to or destruction of property, e.g.

377 views • 19 slides
Minimal simple sets: A new concept for topology-preserving transformations Nicolas Passat 1 ,

Minimal simple sets: A new concept for topology-preserving transformations Nicolas Passat 1 ,

Motivation Background notions Results, WIP Conclusion Minimal simple sets: A new concept for topology-preserving transformations Nicolas Passat 1 , Michel Couprie 2 , Lo c Mazo 1 , Gilles Bertrand 2 1 LSIIT, UMR 7005 CNRS/ULP - Strasbourg 2

428 views • 28 slides
Minimal Retentive Sets in Tournaments From Anywhere to TEQ Felix Brandt Markus Brill

Minimal Retentive Sets in Tournaments From Anywhere to TEQ Felix Brandt Markus Brill

Minimal Retentive Sets in Tournaments From Anywhere to TEQ Felix Brandt Markus Brill Felix Fischer Paul Harrenstein Ludwig-Maximilians-Universitt Mnchen Estoril, April 12, 2010 1 / 17 The Trouble with Tournaments Tournaments

1.1k views • 75 slides
Constructing (0 , 1)-matrices with large minimal defining sets Nicholas Cavenagh, Reshma

Constructing (0 , 1)-matrices with large minimal defining sets Nicholas Cavenagh, Reshma

Constructing (0 , 1)-matrices with large minimal defining sets Nicholas Cavenagh, Reshma Ramadurai University of Waikato Let R = ( r 1 , r 2 , . . . , r m ) and S = ( s 1 , s 2 , . . . , s n ) be vectors of non-negative integers such that m i

407 views • 14 slides
THE COVID-19 EVICTION DEFENSE PROJECT NATI TIONAL ONAL EVICTION CTION RISK SK NUMBER

THE COVID-19 EVICTION DEFENSE PROJECT NATI TIONAL ONAL EVICTION CTION RISK SK NUMBER

THE COVID-19 EVICTION DEFENSE PROJECT NATI TIONAL ONAL EVICTION CTION RISK SK NUMBER UMBERS S 5/29/2020 2020 THE COVID-19 EVICTION DEFENSE PROJECT RESPONDS TO THIS UNPRECEDENTED CRISIS BY: Pairing lawyers with tenants

373 views • 5 slides
An introduction to minimal sets and the classification of singularities Xiangyu Liang University

An introduction to minimal sets and the classification of singularities Xiangyu Liang University

An introduction to minimal sets and the classification of singularities Xiangyu Liang University of Warwick December 2012 Xiangyu Liang Back ground Back groundPlateaus problem Aim : try to understand regularity and existence of

446 views • 10 slides
The Union of Minimal Hitting Sets: Parameterized Combinatorial Bounds and Counting Peter

The Union of Minimal Hitting Sets: Parameterized Combinatorial Bounds and Counting Peter

The Union of Minimal Hitting Sets: Parameterized Combinatorial Bounds and Counting Peter Damaschke Chalmers, Gteborg Inferring Causes from Effects V: set of n causes. E: set of effects. O R, subset of VxE: cause-effect relation. V O:

417 views • 22 slides
Finding Minimal Unsatisfiable Cores of Declarative Specifications Emina Torlak, Felix Chang and

Finding Minimal Unsatisfiable Cores of Declarative Specifications Emina Torlak, Felix Chang and

Finding Minimal Unsatisfiable Cores of Declarative Specifications Emina Torlak, Felix Chang and Daniel Jackson Formal Methods 08 Turku, Finland May 30, 2008 Testing alone is not enough to establish correctness testing: a few cases

933 views • 66 slides
Uncountable Cantors Theorem shows how to keep finding Sets bigger infinities. Albert R

Uncountable Cantors Theorem shows how to keep finding Sets bigger infinities. Albert R

Mathematics for Computer Science Infinite Sizes MIT 6.042J/18.062J Are all sets the same size? NO! Uncountable Cantors Theorem shows how to keep finding Sets bigger infinities. Albert R Meyer, March 4, 2015 Albert R Meyer, March

486 views • 7 slides
Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482 (Adds new Code Sections: Civil Code 1946.2, 1947.12 and 1947.13) 1946.2 Restricts Certain Owners of Residential Property as to How They Can

369 views • 26 slides
Shape of minimal sets in aperiodic flows Krystyna Kuperberg, Auburn University, USA May 21-25,

Shape of minimal sets in aperiodic flows Krystyna Kuperberg, Auburn University, USA May 21-25,

Shape of minimal sets in aperiodic flows Krystyna Kuperberg, Auburn University, USA May 21-25, 2018 Nipissing University 15th Annual Workshop on Topology and Dynamical Systems Sponsored by the Fields Institute (Nipissing University) 2018 1

495 views • 31 slides
MA/CSSE 473 Day 36 Student Questions More on Minimal Spanning Trees Kruskal Prim Kruskal and

MA/CSSE 473 Day 36 Student Questions More on Minimal Spanning Trees Kruskal Prim Kruskal and

MA/CSSE 473 Day 36 Student Questions More on Minimal Spanning Trees Kruskal Prim Kruskal and Prim ALGORITHMS FOR FINDING A MINIMAL SPANNING TREE 1 Kruskals algorithm To find a MST (minimal Spanning Tree): Start with a graph T

467 views • 13 slides
On some sets with minimal L 2 discrepancy Dmitriy Bilyk University of South Carolina, Columbia,

On some sets with minimal L 2 discrepancy Dmitriy Bilyk University of South Carolina, Columbia,

On some sets with minimal L 2 discrepancy Dmitriy Bilyk University of South Carolina, Columbia, SC MCQMC 2010 Warszawa, Polska August 20, 2010 Dmitriy Bilyk Geometric Discrepancy and Harmonic Analysis Discrepancy function Consider P N [0

1.19k views • 96 slides
CHILDRENS HEALTHY WEIGHT COIIN How to Dynamically Tell the Story of Your Work on a Poster A

CHILDRENS HEALTHY WEIGHT COIIN How to Dynamically Tell the Story of Your Work on a Poster A

CHILDRENS HEALTHY WEIGHT COIIN How to Dynamically Tell the Story of Your Work on a Poster A S S O C I A T I O N O F S T A T E P U B L I C H E A L T H N U T R I T I O N I S T S PART 1 Finding Your Comfort Zone Demystifying the basics

360 views • 33 slides
Eviction Defense Collaborative PREVENT HOMELESSNESS PRESERVE AFFORDABLE HOUSING PROTECT SAN

Eviction Defense Collaborative PREVENT HOMELESSNESS PRESERVE AFFORDABLE HOUSING PROTECT SAN

Eviction Defense Collaborative PREVENT HOMELESSNESS PRESERVE AFFORDABLE HOUSING PROTECT SAN FRANCISCOS DIVERSITY Eviction Defense Collaborative The Eviction Defense Collaborative is the principal organization in San Francisco helping

486 views • 12 slides
How to Assign Numerical 2- and 3-Element Sets Values to Partially Ordered Case of 2 Minimal . .

How to Assign Numerical 2- and 3-Element Sets Values to Partially Ordered Case of 2 Minimal . .

Need to Assign . . . How to Assign? Robustness as a . . . What Is Known: Case . . . How to Assign Numerical 2- and 3-Element Sets Values to Partially Ordered Case of 2 Minimal . . . Case of a Single . . . Levels of Confidence: 4 Elements,

446 views • 17 slides
Enumeration of Circuits and Minimal Forbidden Sets Frederik Stork ILOG GmbH, Germany Marc Uetz

Enumeration of Circuits and Minimal Forbidden Sets Frederik Stork ILOG GmbH, Germany Marc Uetz

Enumeration of Circuits and Minimal Forbidden Sets Frederik Stork ILOG GmbH, Germany Marc Uetz Universiteit Maastricht, Netherlands Independence Systems Given ground set V , | V | = n , then I 2 V is independence system if W U I

568 views • 20 slides
Subcommittee Interim Presentation September 11, 2019 Charge The Eviction Reduction Subcommittee

Subcommittee Interim Presentation September 11, 2019 Charge The Eviction Reduction Subcommittee

Arlington County Tenant-Landlord Commissions Eviction Reduction Subcommittee Interim Presentation September 11, 2019 Charge The Eviction Reduction Subcommittee will hold meetings and take steps to reduce the number of preventable

294 views • 7 slides

More recommend