A Noise-resilient Detection Method against Advanced Cache Timing Channel Attack

Recent researches show that computers which are physically shared by multiple users are vulnerable to microarchitecture-based information leakage. Among all microarchitecture components, cache provides the largest attack surface. Cache timing channels manipulate the cache access latency to leak information leaving no physical trace. To mitigate cache timing channels, various detection methods are proposed. However, with the knowledge of existing detection methods, an advanced adversary can intentionally inject noise to evade detection. For example, the detection based on correlation method which extracts the repetitive behavior of cache timing channels can be evaded by randomizing the gap between information transmitting and receiving activity. The classification based detection would be obfuscated if adversary imitate the behavior of benign applications. We propose a novel noise-resilient detection method which focuses on the dependency between behavior of two processes. For each process, we define a group of events and track the conditional probability of every event given the appearance of the events from another process. With this method, we are able to detect the existence of cache timing channels. Our detection method is hard to evade because the dependency of cache behavior is necessary for any communication through cache timing channels.