NetCAT: Practical cache attacks from the network

Michael Kurth; Ben Gras; Dennis Andriesse; Cristiano Giuffrida; Herbert Bos; Kaveh Razavi

doi:10.1109/SP40000.2020.00082

NetCAT: Practical cache attacks from the network

Michael Kurth
, Ben Gras
, Dennis Andriesse
, Cristiano Giuffrida
, Herbert Bos
, Kaveh Razavi

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

276 Downloads (Pure)

Abstract

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.

Original language	English
Title of host publication	2020 IEEE Symposium on Security and Privacy (SP)
Subtitle of host publication	[Proceedings]
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	20-38
Number of pages	19
ISBN (Electronic)	9781728134970
DOIs	https://doi.org/10.1109/SP40000.2020.00082
Publication status	Published - May 2020
Event	41st IEEE Symposium on Security and Privacy, SP 2020 - San Francisco, United States Duration: 18 May 2020 → 21 May 2020

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2020-May
ISSN (Print)	1081-6011

Conference

Conference	41st IEEE Symposium on Security and Privacy, SP 2020
Country/Territory	United States
City	San Francisco
Period	18/05/20 → 21/05/20

Funding

We would like to thank our shepherd, Clémentine Maurice, and the anonymous reviewers for their valuable feedback. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct) and No. 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, and by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI “Dowsing”, NWO 639.021.753 VENI “PantaRhei”, and NWO 016.Veni.192.262. This paper reflects only the authors’ view. The funding agencies are not responsible for any use that may be made of the information it contains. We would like to thank our shepherd, Clementine Maurice, and the anonymous reviewers for their valuable feedback. This work was supported by the European Union s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct) and No. 825377 (UNICORE), by Intel Corporation through the Side Channel Vulnerability ISRA, and by the Netherlands Organisation for Scientific Research through grants NWO 639.023.309 VICI "Dowsing", NWO 639.021.753 VENI "PantaRhei", and NWO 016.Veni.192.262. This paper reflects only the authors view. The funding agencies are not responsible for any use that may be made of the information it contains.

Funders	Funder number
European Union s Horizon 2020 research and innovation programme
Intel Corporation
Horizon 2020 Framework Programme	825377, 786669
Nederlandse Organisatie voor Wetenschappelijk Onderzoek	639.023.309

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 16 Peace, Justice and Strong Institutions

Access to Document

10.1109/SP40000.2020.00082

NetcatAccepted author manuscript, 1.25 MBLicence: Article 25fa Dutch Copyright Act

Persistent URL (handle)

Persistent link

Cite this

Kurth, M., Gras, B., Andriesse, D., Giuffrida, C., Bos, H., & Razavi, K. (2020). NetCAT: Practical cache attacks from the network. In 2020 IEEE Symposium on Security and Privacy (SP): [Proceedings] (pp. 20-38). Article 9152768 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2020-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP40000.2020.00082

@inproceedings{48b85d2741814d798ca476fe35bb2077,

title = "NetCAT: Practical cache attacks from the network",

abstract = "Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.",

author = "Michael Kurth and Ben Gras and Dennis Andriesse and Cristiano Giuffrida and Herbert Bos and Kaveh Razavi",

year = "2020",

month = may,

doi = "10.1109/SP40000.2020.00082",

language = "English",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "20--38",

booktitle = "2020 IEEE Symposium on Security and Privacy (SP)",

address = "United States",

note = "41st IEEE Symposium on Security and Privacy, SP 2020 ; Conference date: 18-05-2020 Through 21-05-2020",

}

Kurth, M, Gras, B, Andriesse, D, Giuffrida, C , Bos, H & Razavi, K 2020, NetCAT: Practical cache attacks from the network. in 2020 IEEE Symposium on Security and Privacy (SP): [Proceedings]., 9152768, Proceedings - IEEE Symposium on Security and Privacy, vol. 2020-May, Institute of Electrical and Electronics Engineers Inc., pp. 20-38, 41st IEEE Symposium on Security and Privacy, SP 2020, San Francisco, United States, 18/05/20. https://doi.org/10.1109/SP40000.2020.00082

NetCAT: Practical cache attacks from the network. / Kurth, Michael; Gras, Ben; Andriesse, Dennis et al.
2020 IEEE Symposium on Security and Privacy (SP): [Proceedings]. Institute of Electrical and Electronics Engineers Inc., 2020. p. 20-38 9152768 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2020-May).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - NetCAT: Practical cache attacks from the network

AU - Kurth, Michael

AU - Gras, Ben

AU - Andriesse, Dennis

AU - Giuffrida, Cristiano

AU - Bos, Herbert

AU - Razavi, Kaveh

PY - 2020/5

Y1 - 2020/5

N2 - Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.

AB - Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.

UR - https://www.scopus.com/pages/publications/85091561212

UR - https://www.scopus.com/pages/publications/85091561212#tab=citedBy

U2 - 10.1109/SP40000.2020.00082

DO - 10.1109/SP40000.2020.00082

M3 - Conference contribution

AN - SCOPUS:85091561212

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 20

EP - 38

BT - 2020 IEEE Symposium on Security and Privacy (SP)

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 41st IEEE Symposium on Security and Privacy, SP 2020

Y2 - 18 May 2020 through 21 May 2020

ER -

NetCAT: Practical cache attacks from the network

Abstract

Publication series

Conference

Funding

UN SDGs

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this