# Are Coherence Protocol States vulnerable to Information Leakage?

Fan Yao, Milos Doroslovacki, Guru Venkataramani The George Washington University HPCA 2018, Vienna, Austria



# The Trend of Security Threats

# The Trend of Security Threats

#### **Traditional Attacks**



# The Trend of Security Threats

#### **Traditional Attacks**

### 

**Emerging Attacks** 

## Information Leakage on Processors

**Covert Timing Channels** 



#### Hardware Infrastructure

# Information Leakage on Processors

**Covert Timing Channels** 



## Information Leakage on Processors

**Covert Timing Channels** 



#### Related Works on Covert Timing Channels

- Cache timing channels are dominant
  - Caches expose relatively large attack surface
- Existing Channels
  - Flush + Reload attack
    - Spy flushes blocks and reloads them later
    - \* Yarom et al. USENIX Security'14, He et al. MICRO'17
  - Prime + Probe attack
    - Spy primes the cache with its own blocks and probes them later
    - \* Chen et al. MICRO'14, Hunger et al. HPCA'15, Yan et al. MICRO'16

# Is Cache Coherence Fabric Leaky?

### Is Cache Coherence Fabric Leaky?

Load operation latency in Exclusive and Shared states\*



\* Latency measurements from Intel Xeon 5650 processor

### Is Cache Coherence Fabric Leaky?

Load operation latency in Exclusive and Shared states\*



\* Latency measurements from Intel Xeon 5650 processor

#### Cache Coherence in Multi-core Processors



#### Cache Coherence in Multi-core Processors



#### Cache Coherence in Multi-core Processors





























# Full Latency Profiles

Intel Xeon Dual Socket Server

![](_page_27_Figure_2.jpeg)

# How to Create Shared Memory?

- \* Coherence transactions happen on shared memory
- One possible way: through shared libraries
- We use Kernel Same-page Merging (KSM)
  - OS routinely merges DRAM pages with same content
  - More stealthy

![](_page_30_Figure_1.jpeg)

![](_page_31_Figure_1.jpeg)

![](_page_32_Figure_1.jpeg)

1. Trojan and Spy create pages with same pattern (content)

![](_page_34_Figure_2.jpeg)

1. Trojan and Spy create pages with same pattern (content)

![](_page_35_Figure_2.jpeg)

2. Trojan and Spy wait for KSM to merge pages

1. Trojan and Spy create pages with same pattern (content)

![](_page_36_Figure_2.jpeg)

2. Trojan and Spy wait for KSM to merge pages

3. Trojan and Spy test page merging

![](_page_36_Picture_5.jpeg)

![](_page_38_Picture_1.jpeg)

![](_page_39_Picture_1.jpeg)

communication bit

![](_page_39_Picture_3.jpeg)

boundary

![](_page_40_Figure_1.jpeg)

![](_page_41_Figure_1.jpeg)

![](_page_42_Figure_1.jpeg)

![](_page_43_Figure_1.jpeg)

![](_page_44_Figure_1.jpeg)

![](_page_45_Figure_1.jpeg)

![](_page_46_Figure_1.jpeg)

![](_page_47_Figure_1.jpeg)

#### The Attack Scenarios

#### Differing latency profiles

- Local Exclusive
- Local Shared
- Remote Exclusive
- Remote Shared

#### Binary channel encoding - (bit comm., boundary )

| Location and Coherence State  | Notation                                          | Number of Trojan threads |
|-------------------------------|---------------------------------------------------|--------------------------|
| (Local Excl., Local Shared)   | LExcl <sub>comm</sub> -LShared <sub>bound</sub>   | 2 (local)                |
| (Remote Excl., Remote Shared) | RExcl <sub>comm</sub> -RShared <sub>bound</sub>   | 2 (remote)               |
| (Remote Excl., Local Excl.)   | RExcl <sub>comm</sub> -LExcl <sub>bound</sub>     | 2 (1 local, 1 remote)    |
| (Remote Excl., Local Shared)  | RExcl <sub>comm</sub> -LShared <sub>bound</sub>   | 3 (2 local, 1 remote)    |
| (Remote Shared, Local Excl.)  | RShared <sub>comm</sub> -LExcl <sub>bound</sub>   | 3 (1 local, 2 remote)    |
| (Remote Shared, Local Shared) | RShared <sub>comm</sub> -LShared <sub>bound</sub> | 4 (2 local, 2 remote)    |

Trojan's transmitted bits

![](_page_49_Figure_2.jpeg)

Bit pattern (100 bits) covertly transmitted by the trojan

#### Spy's reception

![](_page_50_Figure_2.jpeg)

#### **RExcl**<sub>comm</sub>-LShared<sub>bound</sub>

#### Spy's reception

![](_page_51_Figure_2.jpeg)

RExcl<sub>comm</sub>-LShared<sub>bound</sub>

#### Spy's reception

![](_page_52_Figure_2.jpeg)

RExcl<sub>comm</sub>-LShared<sub>bound</sub>

#### Spy's reception

![](_page_53_Figure_2.jpeg)

RExcl<sub>comm</sub>-LShared<sub>bound</sub>

#### Spy's reception

![](_page_54_Figure_2.jpeg)

RExcl<sub>comm</sub>-LShared<sub>bound</sub>

RShared<sub>comm</sub>-LExcl<sub>bound</sub>

Achieved bitrate: 700Kbps

# Sensitivity to External Noise

- Additional noise
  - Run memory intensive background threads (Kernel Build)
  - Vary number of threads from 1~8

# Sensitivity to External Noise

#### Additional noise

- Run memory intensive background threads (Kernel Build)
- Vary number of threads from 1~8

![](_page_56_Figure_4.jpeg)

# Multi-bit Symbol Transmission

- \* With 4 latency values, we can create 2-bit symbols
  - Each latency value represents a symbol
  - Much higher transmission bitrate

![](_page_57_Figure_4.jpeg)

Multi-bit Symbol Transmission Scheme

#### 

![](_page_57_Figure_7.jpeg)

# Multi-bit Symbol Transmission

- \* With 4 latency values, we can create 2-bit symbols
  - Each latency value represents a symbol
  - Much higher transmission bitrate

![](_page_58_Figure_4.jpeg)

#### Achieved bitrate: 1100 Kbps!

#### Mitigating Coherence State-based Leakage

Key Observation: current processor treats E and S state differently

E state cache line is owned by private cache

S state cache line is owned by shared cache

#### Hardware-based Mitigation

Shared cache directly responds with cache blocks in E state

Add notification to shared cache when core writes to private cache

Software-based Mitigation

Software based timing obfuscators

KSM usage pattern analysis and detection

## Summary

- \* We *highlight* the vulnerability of cache coherence states
  - We demonstrate that they are prone to information leakage
- \* This vulnerability can compromise sensitive user data
  - Can affect millions of processors
  - Can achieve considerably high transmission rates
- We provide insights for information security aware cache coherence design

# Thanks! Questions?

#### **Contacts** Fan Yao: <u>albertyao@gwu.edu</u> Guru Venkataramani: <u>guruv@gwu.edu</u>

#### Acknowledgements

R

![](_page_61_Picture_3.jpeg)

Semiconductor Research Corporation

# Bit Accuracy vs. Bitrate

#### Factors that influence raw bit rates

- Spy's operation interval
- Number of occurrences for info. bit states
- Number of occurrences for bit boundary states

![](_page_62_Figure_5.jpeg)

#### Channel with Retransmission Scheme

- Simple retransmission scheme
  - Trojan and spy switch role (spy sends ACK bit)

#### Channel with Retransmission Scheme

- Simple retransmission scheme
  - Trojan and spy switch role (spy sends ACK bit)

![](_page_64_Figure_3.jpeg)

transmit secrets through Cache Coherence States

#### Channel with Retransmission Scheme

- Simple retransmission scheme
  - Trojan and spy switch role (spy sends ACK bit)

![](_page_65_Figure_3.jpeg)

transmit secrets through Cache Coherence States

Effective rates under different noise levels

#### Secure E and S States

![](_page_66_Figure_1.jpeg)