Vizard: Passing Over Profiling-Based Detection by Manipulating Performance Counters

Minkyu Song; Taeweon Suh; Gunjae Koo

doi:10.1109/ACCESS.2023.3260179

Vizard: Passing Over Profiling-Based Detection by Manipulating Performance Counters

Research output: Contribution to journal › Article › peer-review

Abstract

Cache side-channel attacks have been serious security threats to server computer systems, thus researchers have proposed software-based defense approaches that can detect the security attacks. Profiling-based detectors are lightweight detection solutions that rely on hardware performance counters to identify unique cache performance behaviors by cache side-channel attacks. The detectors typically need to set appropriate criteria to differentiate between attack processes and normal applications. In this paper, we explore the limitations of profiling-based detectors that rely on hardware performance counters. We present an attack scenario, called Vizard, that can bypass the existing profiling-based detectors by manipulating cache performance behaviors of an attack process. Our analysis discloses that cache side-channel attacks include idle periods that can be exploited as attack windows for creating cache events. Vizard generates counterbalancing cache events within the attack windows to hide particular cache performance behaviors of cache side-channel attacks. Our evaluation exhibits that Vizard can effectively bypass profiling-based detectors while maintaining high attack success rates. Our research work represents that attackers can bypass the existing detection approaches by manipulating performance counters.

Original language	English
Pages (from-to)	48099-48112
Number of pages	14
Journal	IEEE Access
Volume	11
DOIs	https://doi.org/10.1109/ACCESS.2023.3260179
Publication status	Published - 2023

Bibliographical note

Funding Information:
This work was supported in part by the Institute of Information and Communications Technology Planning and Evaluation (IITP) funded by the Korean Government (MSIT) (Research on CPU Vulnerability Detection and Validation) under Grant 2019-0-00533, in part by the ICT Creative Consilience Program under Grant IITP-2022-2020-0-01819, and in part by the National Research Foundation of Korea (NRF) funded by the Korean Government (MSIT) under Grant NRF-2022R1A2C1011469 and Grant NRF-2021R1C1C1012172.

Publisher Copyright:
© 2013 IEEE.

Keywords

Security attacks
cache side-channel attacks
hardware performance counters
security attack detectors

ASJC Scopus subject areas

Engineering(all)
Materials Science(all)
Computer Science(all)

Access to Document

10.1109/ACCESS.2023.3260179

Cite this

@article{ff7763c3e18b48fb9a9596afd78893d2,

title = "Vizard: Passing Over Profiling-Based Detection by Manipulating Performance Counters",

abstract = "Cache side-channel attacks have been serious security threats to server computer systems, thus researchers have proposed software-based defense approaches that can detect the security attacks. Profiling-based detectors are lightweight detection solutions that rely on hardware performance counters to identify unique cache performance behaviors by cache side-channel attacks. The detectors typically need to set appropriate criteria to differentiate between attack processes and normal applications. In this paper, we explore the limitations of profiling-based detectors that rely on hardware performance counters. We present an attack scenario, called Vizard, that can bypass the existing profiling-based detectors by manipulating cache performance behaviors of an attack process. Our analysis discloses that cache side-channel attacks include idle periods that can be exploited as attack windows for creating cache events. Vizard generates counterbalancing cache events within the attack windows to hide particular cache performance behaviors of cache side-channel attacks. Our evaluation exhibits that Vizard can effectively bypass profiling-based detectors while maintaining high attack success rates. Our research work represents that attackers can bypass the existing detection approaches by manipulating performance counters.",

keywords = "Security attacks, cache side-channel attacks, hardware performance counters, security attack detectors",

author = "Minkyu Song and Taeweon Suh and Gunjae Koo",

note = "Funding Information: This work was supported in part by the Institute of Information and Communications Technology Planning and Evaluation (IITP) funded by the Korean Government (MSIT) (Research on CPU Vulnerability Detection and Validation) under Grant 2019-0-00533, in part by the ICT Creative Consilience Program under Grant IITP-2022-2020-0-01819, and in part by the National Research Foundation of Korea (NRF) funded by the Korean Government (MSIT) under Grant NRF-2022R1A2C1011469 and Grant NRF-2021R1C1C1012172. Publisher Copyright: {\textcopyright} 2013 IEEE.",

year = "2023",

doi = "10.1109/ACCESS.2023.3260179",

language = "English",

volume = "11",

pages = "48099--48112",

journal = "IEEE Access",

issn = "2169-3536",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - Vizard

T2 - Passing Over Profiling-Based Detection by Manipulating Performance Counters

AU - Song, Minkyu

AU - Suh, Taeweon

AU - Koo, Gunjae

N1 - Funding Information: This work was supported in part by the Institute of Information and Communications Technology Planning and Evaluation (IITP) funded by the Korean Government (MSIT) (Research on CPU Vulnerability Detection and Validation) under Grant 2019-0-00533, in part by the ICT Creative Consilience Program under Grant IITP-2022-2020-0-01819, and in part by the National Research Foundation of Korea (NRF) funded by the Korean Government (MSIT) under Grant NRF-2022R1A2C1011469 and Grant NRF-2021R1C1C1012172. Publisher Copyright: © 2013 IEEE.

PY - 2023

Y1 - 2023

N2 - Cache side-channel attacks have been serious security threats to server computer systems, thus researchers have proposed software-based defense approaches that can detect the security attacks. Profiling-based detectors are lightweight detection solutions that rely on hardware performance counters to identify unique cache performance behaviors by cache side-channel attacks. The detectors typically need to set appropriate criteria to differentiate between attack processes and normal applications. In this paper, we explore the limitations of profiling-based detectors that rely on hardware performance counters. We present an attack scenario, called Vizard, that can bypass the existing profiling-based detectors by manipulating cache performance behaviors of an attack process. Our analysis discloses that cache side-channel attacks include idle periods that can be exploited as attack windows for creating cache events. Vizard generates counterbalancing cache events within the attack windows to hide particular cache performance behaviors of cache side-channel attacks. Our evaluation exhibits that Vizard can effectively bypass profiling-based detectors while maintaining high attack success rates. Our research work represents that attackers can bypass the existing detection approaches by manipulating performance counters.

AB - Cache side-channel attacks have been serious security threats to server computer systems, thus researchers have proposed software-based defense approaches that can detect the security attacks. Profiling-based detectors are lightweight detection solutions that rely on hardware performance counters to identify unique cache performance behaviors by cache side-channel attacks. The detectors typically need to set appropriate criteria to differentiate between attack processes and normal applications. In this paper, we explore the limitations of profiling-based detectors that rely on hardware performance counters. We present an attack scenario, called Vizard, that can bypass the existing profiling-based detectors by manipulating cache performance behaviors of an attack process. Our analysis discloses that cache side-channel attacks include idle periods that can be exploited as attack windows for creating cache events. Vizard generates counterbalancing cache events within the attack windows to hide particular cache performance behaviors of cache side-channel attacks. Our evaluation exhibits that Vizard can effectively bypass profiling-based detectors while maintaining high attack success rates. Our research work represents that attackers can bypass the existing detection approaches by manipulating performance counters.

KW - Security attacks

KW - cache side-channel attacks

KW - hardware performance counters

KW - security attack detectors

UR - http://www.scopus.com/inward/record.url?scp=85151512454&partnerID=8YFLogxK

U2 - 10.1109/ACCESS.2023.3260179

DO - 10.1109/ACCESS.2023.3260179

M3 - Article

AN - SCOPUS:85151512454

SN - 2169-3536

VL - 11

SP - 48099

EP - 48112

JO - IEEE Access

JF - IEEE Access

ER -

Vizard: Passing Over Profiling-Based Detection by Manipulating Performance Counters

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this