WHISPER: A Tool for Run-Time Detection of Side-Channel Attacks

Maria Mushtaq; Jeremy Bricq; Muhammad Khurram Bhatti; Ayaz Akram; Vianney Lapotre; Guy Gogniat; Pascal Benoit

doi:10.1109/ACCESS.2020.2988370

IEEE Access (Jan 2020)

WHISPER: A Tool for Run-Time Detection of Side-Channel Attacks

Maria Mushtaq,
Jeremy Bricq,
Muhammad Khurram Bhatti,
Ayaz Akram,
Vianney Lapotre,
Guy Gogniat,
Pascal Benoit

Affiliations

Maria Mushtaq: ORCiD; LIRMM, CNRS, Univ Montpellier, Montpellier, France
Jeremy Bricq: ORCiD; Department of Computer Science, University of Brussels, Bruxelles, Belgium
Muhammad Khurram Bhatti: ORCiD; ECLab, Information Technology University, Lahore, Pakistan
Ayaz Akram: ORCiD; Department of Computer Science, University of California at Davis, Davis, CA, USA
Vianney Lapotre: ORCiD; Lab-STICC, Université de Bretagne-Sud, Lorient, France
Guy Gogniat: ORCiD; Lab-STICC, Université de Bretagne-Sud, Lorient, France
Pascal Benoit: ORCiD; LIRMM, CNRS, Univ Montpellier, Montpellier, France

DOI: https://doi.org/10.1109/ACCESS.2020.2988370
Journal volume & issue: Vol. 8
pp. 83871 – 83900

Abstract

Read online

High resolution and stealthy attacks and their variants such as Flush+Reload, Flush+Flush, Prime+Probe, Spectre and Meltdown have completely exposed the vulnerabilities in Intel's computing architecture over the past few years. Mitigation techniques against such attacks are not very effective for two reasons: 1) Most mitigation techniques protect against a specific vulnerability and do not take a system-wide approach, and 2) they either completely remove or greatly reduce the performance benefits of resource sharing. In this work, we argue in favor of detection-based protection, which would help apply mitigation only after successful detection of the attack at runtime. As such, detection would serve as the first line of defense against such attacks. However, for a detection based protection strategy to be effective, detection needs to be highly accurate, to incur minimum system overhead at runtime, should cover a large set of attacks and be capable of early stage detection, i.e., at the very least before the attack is completed. We propose a machine learning based side-channel attack (SCA) detection tool, called WHISPER that satisfies the above mentioned design constraints. WHISPER uses multiple machine learning models in an Ensemble fashion to detect SCAs at runtime using behavioral data of concurrent processes, that are collected through hardware performance counters (HPCs). Through extensive experiments with different variants of state-of-the-art attacks, we demonstrate that the proposed tool is capable of detecting a large set of known attacks that target both computational and storage parts in computing systems. We present experimental evaluation of WHISPER against Flush+Reload, Flush+Flush, Prime+Probe, Spectre and Meltdown attacks. The results are provided under variable system load conditions and stringent evaluation metrics comprising detection accuracy, speed, system-wide performance overhead and distribution of error (i.e., False Positives & False Negatives). Our experiments show that WHISPER can detect a large and diverse attack vector with more than 99% accuracy at a reasonably low performance overhead.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords