{"id":759472,"date":"2021-07-09T10:31:42","date_gmt":"2021-07-09T17:31:42","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?post_type=msr-research-item&p=759472"},"modified":"2021-07-09T10:59:16","modified_gmt":"2021-07-09T17:59:16","slug":"a-software-approach-to-defeating-side-channels-in-last-level-caches","status":"publish","type":"msr-research-item","link":"https:\/\/www.microsoft.com\/en-us\/research\/publication\/a-software-approach-to-defeating-side-channels-in-last-level-caches\/","title":{"rendered":"A Software Approach to Defeating Side Channels in Last-Level Caches"},"content":{"rendered":"
We present a software approach to mitigate access-driven side-channel attacks that leverage last-level caches (LLCs) shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memory pages shared between security domains to disable sharing of LLC lines, thus preventing “Flush-Reload” side channels via LLCs. It also manages cacheability of memory pages to thwart cross-tenant “Prime-Probe” attacks in LLCs. We have implemented our approach as a memory management subsystem called CacheBar within the Linux kernel to intervene on such side channels across container boundaries, as containers are a common method for enforcing tenant isolation in Platform-as-a-Service (PaaS) clouds. Through formal verification, principled analysis, and empirical evaluation, we show that CacheBar achieves strong security with small performance overheads for PaaS workloads.<\/p>\n
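To make the two mechanisms in the abstract concrete, the following Python simulation is an added example (not CacheBar's code and not the authors' evaluation). It models a single LLC set with LRU replacement shared by a victim and an attacker domain, and shows (a) why Flush-Reload needs a physical page shared across domains and how giving each domain its own copy removes the signal, and (b) how capping the number of lines a domain may keep cacheable in a set coarsens what a Prime-Probe attacker observes. The concrete policies used here, copying a shared page on the first cross-domain access and a fixed per-domain line budget, are simplifying assumptions for the illustration rather than CacheBar's actual algorithms.

```python
"""Toy model of the two mitigations the abstract describes (added illustration,
not CacheBar's code).  One LLC set with LRU replacement is shared by a 'victim'
and an 'attacker' domain; lines are keyed by physical address, so domains that
map the same physical page share a line.  The two policies (copy on first
cross-domain access, fixed per-domain line budget) are assumed simplifications."""

HIT, MISS = "hit", "miss"


class CacheSet:
    """One w-way set; `owner` records which domain filled each line."""
    def __init__(self, ways=4):
        self.ways = ways
        self.lines = []   # physical addresses, least recently used first
        self.owner = {}

    def held_by(self, domain):
        return sum(1 for p in self.lines if self.owner[p] == domain)

    def access(self, paddr, domain, budget=None):
        if paddr in self.lines:           # hit: becomes most recently used
            self.lines.remove(paddr)
            self.lines.append(paddr)
            return HIT
        # Assumed cacheability policy: a domain already holding `budget` lines
        # in this set is served from memory without filling a line.
        if budget is not None and self.held_by(domain) >= budget:
            return MISS
        if len(self.lines) == self.ways:  # evict the least recently used line
            del self.owner[self.lines.pop(0)]
        self.lines.append(paddr)
        self.owner[paddr] = domain
        return MISS

    def flush(self, paddr):              # models clflush of one line
        if paddr in self.lines:
            self.lines.remove(paddr)
            del self.owner[paddr]


class PageTables:
    """(domain, virtual page) -> physical page.  With copy_on_access, a domain
    touching a page another domain also maps first gets a private copy, so the
    two domains stop sharing LLC lines."""
    def __init__(self, copy_on_access):
        self.copy_on_access = copy_on_access
        self.pte = {}
        self.mappers = {}  # physical page -> domains mapping it
        self.next_free = 0

    def _alloc(self):
        self.next_free += 1
        return self.next_free

    def share(self, vpage, domains):
        p = self._alloc()
        for d in domains:
            self.pte[(d, vpage)] = p
        self.mappers[p] = set(domains)

    def translate(self, domain, vpage):
        p = self.pte[(domain, vpage)]
        if self.copy_on_access and len(self.mappers[p]) > 1:
            self.mappers[p].discard(domain)
            p = self._alloc()
            self.pte[(domain, vpage)] = p
            self.mappers[p] = {domain}
        return p


def flush_reload(copy_on_access, victim_touches):
    """Flush the shared line, let the victim run, reload: HIT leaks the access."""
    pt, llc = PageTables(copy_on_access), CacheSet()
    pt.share(vpage=7, domains={"victim", "attacker"})
    llc.flush(pt.translate("attacker", 7))
    if victim_touches:
        llc.access(pt.translate("victim", 7), "victim")
    return llc.access(pt.translate("attacker", 7), "attacker")


def prime_probe(budget, victim_lines, ways=4):
    """Prime the set, let the victim touch `victim_lines` lines, probe and count
    misses.  Probing in reverse order avoids self-eviction under LRU."""
    llc = CacheSet(ways)
    attacker = [100 + i for i in range(ways)]
    for a in attacker:
        llc.access(a, "attacker", budget)
    # A second pass (what timing would tell the attacker) shows which lines were
    # accepted; re-accessing in the same order leaves the LRU order unchanged.
    primed = [a for a in attacker if llc.access(a, "attacker", budget) == HIT]
    for i in range(victim_lines):
        llc.access(200 + i, "victim", budget)
    return sum(llc.access(a, "attacker", budget) == MISS for a in reversed(primed))
```

Without copy-on-access, `flush_reload(False, v)` returns `"hit"` exactly when the victim touched the shared page; with it, the attacker's reload misses either way because its mapping now points at a private physical page. Without a budget, `[prime_probe(None, v) for v in range(5)]` gives `[0, 1, 2, 3, 4]`, so the eviction count reveals the victim's access count exactly; with `budget=3` in a 4-way set it gives `[0, 0, 1, 2, 2]`, so the attacker can no longer distinguish zero from one or three from four victim lines. This toy only shows the qualitative effect; the quantitative bound on leakage and the performance figures are what the paper establishes through its formal analysis and evaluation.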