NetCAT: Practical cache attacks from the network

Michael Kurth, Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.

Original languageEnglish
Title of host publication2020 IEEE Symposium on Security and Privacy (SP)
Subtitle of host publicationProceedings
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages20-38
Number of pages19
ISBN (Electronic)9781728134970
DOIs
Publication statusPublished - May 2020
Event41st IEEE Symposium on Security and Privacy, SP 2020 - San Francisco, United States
Duration: 18 May 202021 May 2020

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2020-May
ISSN (Print)1081-6011

Conference

Conference41st IEEE Symposium on Security and Privacy, SP 2020
CountryUnited States
CitySan Francisco
Period18/05/2021/05/20

Fingerprint

Dive into the research topics of 'NetCAT: Practical cache attacks from the network'. Together they form a unique fingerprint.

Cite this