Mar 17, 2016

A software approach to defeating side channels in last-level caches

arXiv:1603.05615v1
155 citations
AI Analysis

This paper addresses cache side-channel leakage in cloud environments where tenants share hardware resources, offering a practical isolation mechanism that works at container boundaries.

The researchers tackled side-channel attacks in cloud computing by developing CacheBar, a software approach that prevents information leakage between security domains through last-level caches. They demonstrated that CacheBar provides strong security with small performance overheads for Platform-as-a-Service workloads.

We present a software approach to mitigate access-driven side-channel attacks that leverage last-level caches (LLCs) shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memory pages shared between security domains to disable sharing of LLC lines, thus preventing "Flush-Reload" side channels via LLCs. It also manages cacheability of memory pages to thwart cross-tenant "Prime-Probe" attacks in LLCs. We have implemented our approach as a memory management subsystem called CacheBar within the Linux kernel to intervene on such side channels across container boundaries, as containers are a common method for enforcing tenant isolation in Platform-as-a-Service (PaaS) clouds. Through formal verification, principled analysis, and empirical evaluation, we show that CacheBar achieves strong security with small performance overheads for PaaS workloads.
