S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES

Gorka Irazoqui, Thomas Eisenbarth, Berk Sunar


The cloud computing infrastructure relies on virtualized servers that provide isolation across guest OS's through sand boxing. This isolation was demonstrated to be imperfect in past work which exploited hardware level information leakages to gain access to sensitive information across co-located virtual machines (VMs). In response virtualization companies and cloud services providers have disabled features such as deduplication to prevent such attacks. In this work, we introduce a fine-grain cross-core cache attack that exploits access time variations on the last level cache. The attack exploits huge pages to work across VM boundaries without requiring deduplication. No configuration changes on the victim OS are needed, making the attack quite viable. Furthermore, only machine co-location is required, while the target and victim OS can still reside on different cores of the machine. Our new attack is a variation of the prime and probe cache attack whose applicability at the time is limited to L1 cache. In contrast, our attack works in the spirit of the flush and reload attack targeting the shared L3 cache instead. Indeed, by adjusting the huge page size our attack can be customized to work virtually at any cache level/size. We demonstrate the viability of the attack by targeting an Open SSL1.0.1f implementation of AES. The attack recovers AES keys in the cross-VM setting on Xen 4.1 with deduplication disabled, being only slightly less efficient than the flush and reload attack. Given that huge pages are a standard feature enabled in the memory management unit of OS's and that besides co-location no additional assumptions are needed, the attack we present poses a significant risk to existing cloud servers.
Original languageEnglish
Title of host publication2015 IEEE Symposium on Security and Privacy
Number of pages14
Publication date20.07.2015
ISBN (Electronic)978-1-4673-6949-7
Publication statusPublished - 20.07.2015
Event2015 IEEE Symposium on Security and Privacy - San Jose, United States
Duration: 17.05.201521.05.2015


Dive into the research topics of 'S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES'. Together they form a unique fingerprint.

Cite this