ReplayConfusion: Detecting cache-based covert channel attacks using record and replay.

Cache-based covert channel attacks use highly-tuned shared-cache conflict misses to pass information from a trojan to a spy process. Detecting such attacks is very challenging. State of the art detection mechanisms do not consider the general characteristics of such attacks and, instead, focus on specific communication protocols. As a result, they fail to detect attacks using different protocols and, hence, have limited coverage. In this paper, we make the following observation about these attacks: not only are the malicious accesses highly tuned to the mapping of addresses to the caches; they also follow a distinctive cadence as bits are being received. Changing the mapping of addresses to the caches substantially disrupts the conflict miss patterns, but retains the cadence. This is in contrast to benign programs. Based on this observation, we propose a novel, high-coverage approach to detect cache-based covert channel attacks. It is called ReplayConfusion, and is based on Record and deterministic Replay (RnR). After a program's execution is recorded, it is deterministically replayed using a different mapping of addresses to the caches. We then analyze the difference between the cache miss rate timelines of the two runs. If the difference function is both sizable and exhibits a periodic pattern, it indicates that there is an attack. This paper also introduces a new taxonomy of cache-based covert channel attacks, and shows that ReplayConfusion uncovers examples from all the categories. Finally, ReplayConfusion only needs simple hardware.