PiPoMonitor: Mitigating Cross-core Cache Attacks Using the Auto-Cuckoo Filter
Fengkai Yuan, Kai Wang, Rui Hou, Xiaoxin Li, Peinan Li, Lutan Zhao, Jiameng Ying, Amro Awad, Dan Meng

TL;DR
PiPoMonitor employs an innovative Auto-Cuckoo filter to efficiently detect and mitigate cross-core cache attacks with minimal overhead and resistance to reverse engineering, enhancing cache security.
Contribution
This paper introduces the Auto-Cuckoo filter, a space-efficient and attack-resistant data structure, and applies it in PiPoMonitor to effectively defend against cross-core cache side channel attacks.
Findings
Auto-Cuckoo filter reduces storage overhead significantly.
PiPoMonitor effectively mitigates cross-core cache attacks.
Overhead is only 0.37%, much lower than prior methods.
Abstract
Cache side channel attacks obtain the victim's cache line access footprint to infer security-critical information. Among them, cross-core attacks exploiting the shared last level cache are more threatening because of their simplicity to set up and high capacity. Stateful approaches of detection-based mitigation observe precise cache behaviors and protect specific cache lines that are suspected of being attacked. However, their recording structures incur large storage overhead and are vulnerable to reverse engineering attacks. Exploring the intrinsic non-determinate layout of a traditional Cuckoo filter, this paper proposes a space-efficient Auto-Cuckoo filter to record access footprints, which succeeds in decreasing storage overhead and resisting reverse engineering attacks at the same time. With the Auto-Cuckoo filter, we propose PiPoMonitor to detect Ping-Pong patterns and prefetch specific cache…
Taxonomy
Topics: Security and Verification in Computing · Network Security and Intrusion Detection · Cloud Data Security Solutions
