Packet Chasing: Spying on Network Packets over a Cache Side-Channel

TL;DR

Packet Chasing introduces a novel cache side-channel attack that enables network packet monitoring without network access, revealing packet sequences and sizes, and proposes software and cache partitioning mitigations.

Contribution

This work presents a new cache side-channel attack method, Packet Chasing, capable of monitoring network packets and sequences without requiring network privileges.

Findings

Can identify cache locations of network buffers

Enables monitoring of packet frequency and sizes

Supports covert channels and web page access pattern attacks

Abstract

This paper presents Packet Chasing, an attack on the network that does not require access to the network, and works regardless of the privilege level of the process receiving the packets. A spy process can easily probe and discover the exact cache location of each buffer used by the network driver. Even more useful, it can discover the exact sequence in which those buffers are used to receive packets. This then enables packet frequency and packet sizes to be monitored through cache side channels. This allows both covert channels between a sender and a remote spy with no access to the network, as well as direct attacks that can identify, among other things, the web page access patterns of a victim on the network. In addition to identifying the potential attack, this work proposes a software-based short-term mitigation as well as a light-weight, adaptive, cache partitioning mitigation that blocks the interference of I/O and CPU requests in the last-level cache.