A software approach to defeating side channels in last-level caches
Ziqiao Zhou, Michael K. Reiter, Yinqian Zhang

TL;DR
This paper introduces CacheBar, a Linux kernel memory management system that dynamically manages shared memory pages and cacheability to prevent last-level cache side-channel attacks in cloud environments, ensuring security with minimal performance impact.
Contribution
It presents a novel software-based method, CacheBar, for mitigating LLC side-channel attacks by dynamically managing memory sharing and cacheability in Linux, specifically targeting containerized cloud workloads.
Findings
CacheBar effectively prevents LLC side-channel attacks.
The approach incurs low performance overheads.
Formal verification confirms security guarantees.
Abstract
We present a software approach to mitigate access-driven side-channel attacks that leverage last-level caches (LLCs) shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memory pages shared between security domains to disable sharing of LLC lines, thus preventing "Flush-Reload" side channels via LLCs. It also manages cacheability of memory pages to thwart cross-tenant "Prime-Probe" attacks in LLCs. We have implemented our approach as a memory management subsystem called CacheBar within the Linux kernel to intervene on such side channels across container boundaries, as containers are a common method for enforcing tenant isolation in Platform-as-a-Service (PaaS) clouds. Through formal verification, principled analysis, and empirical evaluation, we show that CacheBar achieves strong security with small…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Distributed systems and fault tolerance
