Journal "Software Engineering"
a journal on theoretical and applied science and technology
ISSN 2220-3397

Issue N9 2024 year

DOI: 10.17587/prin.15.443-449
Using Hardware Events to Detect Side-Channel Attacks
K. A. Kostiukhin, Senior Researcher, kost@niisi.ras.ru, S. V. Samborskii, Senior Researcher, sambor@niisi.ras.ru, Federal State Institution "Scientific Research Institute for System Analysis of the Russian Academy of Sciences", Moscow, 117218, Russian Federation
Corresponding author: Konstantin A. Kostiukhin, Senior Researcher, Federal State Institution "Scientific Research Institute for System Analysis of the Russian Academy of Sciences", Moscow, 117218, Russian Federation, E-mail: kost@niisi.ras.ru
Received on July 04, 2024
Accepted on July 08, 2024

The article discusses the monitoring system being developed by authors for the detection of Side-Channel Attacks, SCA. The theoretical justification of the chosen method of detecting SCA attacks is given: analysis of hardware events of the target system. The architecture of the monitoring system is described, including low-level data collection processes and an expert system that analyzes the collected data. The results of the proof-of-concept on various classes of SCA-attacks are presented. The paper considers a class of attacks on side-channels that use the processor cache to obtain secret information. A method of countering attacks of this class based on the use of a hardware event mechanism is proposed. As a result of the analysis of existing hardware events, predicates have been built for the Intel architecture, allowing one to identify the suspicious behavior of programs in the Linux OS environment. To test the proposed method, a prototype monitoring system was implemented that successfully coped with the detection of simulated SCA-attacks. The advantages and disadvantages of this method are considered, and the direction of further research is indicated.

Keywords: side-channel attacks, information security, hardware events, expert system, CLIPS
pp. 443—449
For citation:
Kostiukhin K. A., Samborskii S. V. Using Hardware Events to Detect Side-Channel Attacks, Programmnaya Ingeneria, 2024, vol. 15, no. 9, pp. 443—449. DOI: 10.17587/prin.15.443-449.
References:
  1. Maurice C. Introduction to micro-architectural attacks. Lecture in Ben Gurion University, Israel, April 30, 2019, available at: https://orenlab.sise.bgu.ac.il/AttacksonImplementation-sCourseBook/06_Cache_Attacks_Guest_Lecture (date of access 26.06.2024).
  2. TEMPEST in Action. Digital Interruption, available at: https://www.digitalinterruption.com/tempest-in-action (date of access 26.06.2024).
  3. Meltdown and Spectre, available at: https://meltdownattack.com (date of access 26.06.2024).
  4. Su Chao, Zeng Qingkai. Survey of CPU Cache-Based Side-Channel Attacks: Systematic Analysis, Security Models, and Countermeasures, Security and Communication Networks, 2021, vol. 2021, article ID 5559552, 15 p. DOI: 10.1155/2021/5559552.
  5. Limin Wang, Lei Bu, Fu Song. SCAGuard: Detection and Classification of Cache Side-Channel Attacks via Attack Behavior Modeling and Similarity Comparison. Technical Report No. NJU-SEG-2023-IC-003, Nanjing University, 2023, available at: https://seg.nju.edu.cn/uploadPublication/copyright/123-652778460.pdf (date of access 26.06.2024).
  6. Spectre vulnerability check, available at: https://github.com/adrb/public/tree/master/linux/spectre_multiarch (date of access 26.06.2024).
  7. OProfile, available at: https://oprofile.sourceforge.io (date of access 26.06.2024).
  8. PAPI User's Guide, available at: http://icl.cs.utk.edu/papi (date of access 26.06.2024).
  9. Perf: Linux profiling with performance counters, available at: https://perf.wiki.kernel.org/index.php/Main_Page (date of access 26.06.2024).
  10. Mastik: A Micro-Architectural Side-Channel Toolkit, available at: https://github.com/0xADE1A1DE/Mastik (date of access 26.06.2024).
  11. Processor model specific performance counter events, available at: https://illumos.org/man/3CPC/tgl_events (date of access 26.06.2024).
  12. Ferracci S. Detecting Cache-based Side Channel Attacks using Hardware Performance Counters. Master's thesis. Sapienza — University of Rome, 2019, available at: https://www.alessandropellegrini.it/publications/tFerr19.pdf (date of access 26.06.2024).
  13. Tatar A., Trujillo D., Giuffrida C., Bos H. TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering, 31st USENIX Security Symposium, 10—12 August 2022, Boston, MA, USA, 2022, pp. 989—1007, available at: https://www.usenix.org/system/files/sec22fall_tatar.pdf (date of access 26.06.2024).
  14. CLIPS, C Language Integrated Production System, available at: https://www.clipsrules.net (date of access 26.06.2024).