CacheShield: Detecting Cache Attacks through Self-Observation

Samira Briongos, Pedro Malagón, Gorka Irazoqui, Thomas Eisenbarth


Microarchitectural attacks pose a great threat to any code running in parallel to other untrusted processes. Especially in public clouds, where system resources such as caches are shared across several tenants, microarchitectural attacks remain an unsolved problem. Cache attacks rely on evictions by the spy process, which alter the execution behavior of the victim process. Similarly, all attacks exploiting shared resource access will influence these resources, thereby influencing the process they are targeting. We show that hardware performance events reveal the presence of such attacks. Based on this observation, we propose CacheShield, a tool to protect legacy code by self-monitoring its execution and detecting the presence of microarchitectural attacks. CacheShield can be run by users and does not require alteration of the OS or hypervisor, while previously proposed software-based countermeasures require cooperation from the hypervisor. Unlike methods that try to detect malicious processes, our approach is lean, as only a fraction of the system needs to be monitored. It also integrates well into today’s cloud infrastructure, as concerned users can opt to use CacheShield without support from the cloud service provider. Our results show that CacheShield detects attacks fast, with high reliability, and with few false positives, even in the presence of strong noise.

Original languageEnglish
Title of host publicationCODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy
Number of pages12
PublisherAssociation for Computing Machinery
Publication date13.03.2018
ISBN (Print)978-145035632-9
Publication statusPublished - 13.03.2018
Event8th ACM Conference on Data and Application Security and Privacy - Tempe, United States
Duration: 19.03.201821.03.2018
Conference number: 135355


Dive into the research topics of 'CacheShield: Detecting Cache Attacks through Self-Observation'. Together they form a unique fingerprint.

Cite this