The attacker runs a program on the system that is performing the cryptographic operation of interest
Basic idea: observe the computation’s effects on the system, and learn information from them
Recent attacks are asynchronous, in that they do not require the attacker to achieve precisely timed observations of the victim
[Figure: 4-way set associative cache; labels: Cache Set, Cache Line, Physical Address]
[Figure: PRIME-PROBE timeline; labels: PRIME, PRIME-PROBE Interval, PROBE; values shown: 400 600 500 400 400 500]
[Figure: Attacker Process and Victim Process on the same Operating System and Hardware]
[Figure: Attacker VM and Victim VM (Victim Process, OS) on the same Virtual Machine Monitor and Hardware; labels: PRIME, PRIME-PROBE Interval, PROBE]
[Figure: Foe VM and Friendly VMs on the Xen Hypervisor; labels: PRIME, PRIME-PROBE Interval, PROBE]
[Figure: Pseudo-physical Pages mapped to Physical Pages through Page Table Entries; labels: Reserved pages, Avoided pages, Data copy]
[Figure: L2 Cache and two cores; labels: PRIME, PRIME-PROBE Interval, PROBE]
[Plot: Empirical probability (y-axis) against PROBE results with NO foe present, in CPU cycles (x-axis)]
[Figure: two cores, each with its own L2]
[Plot: Empirical probability (y-axis) against PROBE results with NO foe present, in CPU cycles (x-axis); annotations: Class A, Class B, "Foe more PROBE results here", "Foe less PROBE results here", "Different friend I/O level"]
[Figure: detection protocol on the Xen Hypervisor; labels: Cache region, Select Monitoring VM, PRIME, PRIME-PROBE Interval, PROBE, "Does the PROBE result fall into class A or class B?", Select next Monitoring VM, "I am the next Monitoring VM"]
True detection rate (with 1% false positive)
Foe VM running cloud applications
Simulated with PARSEC benchmarks: 84% - 100%
Foe VM running PRIME-PROBE protocol
Less frequent, smaller cache region: 15%
More frequent, larger cache region: 85%
Performance overhead
Address remapping: 150ms for remapping a 2GB memory (1/16 mapped to monitored cache region)
Less than 5% overhead during detection period