Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a...
Transcript of Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a...
![Page 1: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/1.jpg)
www.iaik.tugraz.at
Hello from the Other Side:SSH over Robust CacheCovert Channels in the CloudClémentine Maurice, ManuelWeber, Michael Schwarz, Lukas Giner, DanielGruss, Carlo Alberto Boano, Stefan Mangard, Kay RömerGraz University of Technology
February 2017 — NDSS 2017
1 / 25
![Page 2: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/2.jpg)
www.iaik.tugraz.at
Outline
cache covert channels
how do we get a covert channel working in the cloud?
how do we get a covert channel working in a noisy environment?
what are the applications of such covert channel?
2 / 25
![Page 3: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/3.jpg)
www.iaik.tugraz.at
CPU cache
main memory is slow compared to the CPU
caches buffer frequently used data
every data access goes through the cache
caches are transparent to the OS and the software
3 / 25
![Page 4: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/4.jpg)
www.iaik.tugraz.at
CPU cache
main memory is slow compared to the CPU
caches buffer frequently used data
every data access goes through the cache
caches are transparent to the OS and the software
3 / 25
![Page 5: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/5.jpg)
www.iaik.tugraz.at
CPU cache
main memory is slow compared to the CPU
caches buffer frequently used data
every data access goes through the cache
caches are transparent to the OS and the software
3 / 25
![Page 6: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/6.jpg)
www.iaik.tugraz.at
CPU cache
main memory is slow compared to the CPU
caches buffer frequently used data
every data access goes through the cache
caches are transparent to the OS and the software
3 / 25
![Page 7: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/7.jpg)
www.iaik.tugraz.at
Caches on Intel CPUs
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ringbus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
L1 and L2 are private
last-level cache
divided in slices
shared across cores
inclusive
hash function maps aphysical address to a slice
4 / 25
![Page 8: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/8.jpg)
www.iaik.tugraz.at
Caches on Intel CPUs
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ringbus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
L1 and L2 are private
last-level cache
divided in slices
shared across cores
inclusive
hash function maps aphysical address to a slice
4 / 25
![Page 9: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/9.jpg)
www.iaik.tugraz.at
Caches on Intel CPUs
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ringbus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
L1 and L2 are private
last-level cache
divided in slices
shared across cores
inclusive
hash function maps aphysical address to a slice
4 / 25
![Page 10: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/10.jpg)
www.iaik.tugraz.at
Caches on Intel CPUs
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ringbus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
L1 and L2 are private
last-level cache
divided in slices
shared across cores
inclusive
hash function maps aphysical address to a slice
4 / 25
![Page 11: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/11.jpg)
www.iaik.tugraz.at
Caches on Intel CPUs
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ringbus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
L1 and L2 are private
last-level cache
divided in slices
shared across cores
inclusive
hash function maps aphysical address to a slice
4 / 25
![Page 12: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/12.jpg)
www.iaik.tugraz.at
Caches on Intel CPUs
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ringbus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
L1 and L2 are private
last-level cache
divided in slices
shared across cores
inclusive
hash function maps aphysical address to a slice
4 / 25
![Page 13: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/13.jpg)
www.iaik.tugraz.at
Set-associative caches0 16 17 25 26 31
Index OffsetAddress
Cache
5 / 25
![Page 14: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/14.jpg)
www.iaik.tugraz.at
Set-associative caches0 16 17 25 26 31
Index OffsetAddress
Cache
Cache set
Data loaded in a specific set depending on its address
5 / 25
![Page 15: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/15.jpg)
www.iaik.tugraz.at
Set-associative caches0 16 17 25 26 31
Index OffsetAddress
Cache
Cache set
way 0 way 3
Data loaded in a specific set depending on its address
Several ways per set
5 / 25
![Page 16: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/16.jpg)
www.iaik.tugraz.at
Set-associative caches0 16 17 25 26 31
Index OffsetAddress
Cache
Cache set
way 0 way 3
Cache line
Data loaded in a specific set depending on its address
Several ways per set
Cache line loaded in a specific way depending on the replacement policy
5 / 25
![Page 17: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/17.jpg)
www.iaik.tugraz.at
Timing differences
50 100 150 200 250 300 350 400
101
104
107
Access time [CPU cycles]
Numberofaccesses
cache hits cache misses
6 / 25
![Page 18: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/18.jpg)
www.iaik.tugraz.at
Cache-based covert channels
cache attacks→ exploit timing differences of memory accesses
covert channel: two processes communicating with each other
not allowed to do so, e.g., across VMs
literature: stops working with noise on the machine
solution? “Just use error-correcting codes”
7 / 25
![Page 19: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/19.jpg)
www.iaik.tugraz.at
Cache-based covert channels
cache attacks→ exploit timing differences of memory accesses
covert channel: two processes communicating with each other
not allowed to do so, e.g., across VMs
literature: stops working with noise on the machine
solution? “Just use error-correcting codes”
7 / 25
![Page 20: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/20.jpg)
www.iaik.tugraz.at
Cache-based covert channels
cache attacks→ exploit timing differences of memory accesses
covert channel: two processes communicating with each other
not allowed to do so, e.g., across VMs
literature: stops working with noise on the machine
solution? “Just use error-correcting codes”
7 / 25
![Page 21: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/21.jpg)
www.iaik.tugraz.at
Cache-based covert channels
cache attacks→ exploit timing differences of memory accesses
covert channel: two processes communicating with each other
not allowed to do so, e.g., across VMs
literature: stops working with noise on the machine
solution? “Just use error-correcting codes”
7 / 25
![Page 22: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/22.jpg)
www.iaik.tugraz.at
Prime+Probe
attacker knows which cache set the victim accessed, not the content
works across CPU cores as the last-level cache is shared
does not need shared memory, e.g., memory de-deduplication
→ works across VM in the cloud, e.g., on Amazon EC2
8 / 25
![Page 23: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/23.jpg)
www.iaik.tugraz.at
Prime+Probe
attacker knows which cache set the victim accessed, not the content
works across CPU cores as the last-level cache is shared
does not need shared memory, e.g., memory de-deduplication
→ works across VM in the cloud, e.g., on Amazon EC2
8 / 25
![Page 24: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/24.jpg)
www.iaik.tugraz.at
Prime+Probe
attacker knows which cache set the victim accessed, not the content
works across CPU cores as the last-level cache is shared
does not need shared memory, e.g., memory de-deduplication
→ works across VM in the cloud, e.g., on Amazon EC2
8 / 25
![Page 25: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/25.jpg)
www.iaik.tugraz.at
Prime+Probe
attacker knows which cache set the victim accessed, not the content
works across CPU cores as the last-level cache is shared
does not need shared memory, e.g., memory de-deduplication
→ works across VM in the cloud, e.g., on Amazon EC2
8 / 25
![Page 26: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/26.jpg)
www.iaik.tugraz.at
Prime+Probe
Victim address space Cache Attacker address space
9 / 25
![Page 27: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/27.jpg)
www.iaik.tugraz.at
Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
9 / 25
![Page 28: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/28.jpg)
www.iaik.tugraz.at
Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
loads data
9 / 25
![Page 29: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/29.jpg)
www.iaik.tugraz.at
Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
loads data
9 / 25
![Page 30: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/30.jpg)
www.iaik.tugraz.at
Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
Step 3: Attacker probes data to determine if set has been accessed
fast access
9 / 25
![Page 31: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/31.jpg)
www.iaik.tugraz.at
Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
Step 3: Attacker probes data to determine if set has been accessed
slow access
9 / 25
![Page 32: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/32.jpg)
www.iaik.tugraz.at
Why can’t we just use error correcting codes?
1 0 0 1 1 0Sender
1 0 0 1 1 0Receiver
(a) Transmission without errors
1 0 0 1 1 0Sender
1 1 0 1 1 0Receiver
(b) Noise: substitution error
1 0 0 1 1 0Sender
1 0 0 0 0 0 1 1 0Receiver
(c) Sender descheduled: insertions
1 0 0 1 1 0Sender
1 0 0Receiver
(d) Receiver descheduled: deletions
10 / 25
![Page 33: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/33.jpg)
www.iaik.tugraz.at
Why can’t we just use error correcting codes?
1 0 0 1 1 0Sender
1 0 0 1 1 0Receiver
(a) Transmission without errors
1 0 0 1 1 0Sender
1 1 0 1 1 0Receiver
(b) Noise: substitution error
1 0 0 1 1 0Sender
1 0 0 0 0 0 1 1 0Receiver
(c) Sender descheduled: insertions
1 0 0 1 1 0Sender
1 0 0Receiver
(d) Receiver descheduled: deletions
10 / 25
![Page 34: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/34.jpg)
www.iaik.tugraz.at
Why can’t we just use error correcting codes?
1 0 0 1 1 0Sender
1 0 0 1 1 0Receiver
(a) Transmission without errors
1 0 0 1 1 0Sender
1 1 0 1 1 0Receiver
(b) Noise: substitution error
1 0 0 1 1 0Sender
1 0 0 0 0 0 1 1 0Receiver
(c) Sender descheduled: insertions
1 0 0 1 1 0Sender
1 0 0Receiver
(d) Receiver descheduled: deletions
10 / 25
![Page 35: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/35.jpg)
www.iaik.tugraz.at
Why can’t we just use error correcting codes?
1 0 0 1 1 0Sender
1 0 0 1 1 0Receiver
(a) Transmission without errors
1 0 0 1 1 0Sender
1 1 0 1 1 0Receiver
(b) Noise: substitution error
1 0 0 1 1 0Sender
1 0 0 0 0 0 1 1 0Receiver
(c) Sender descheduled: insertions
1 0 0 1 1 0Sender
1 0 0Receiver
(d) Receiver descheduled: deletions
10 / 25
![Page 36: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/36.jpg)
www.iaik.tugraz.at
Our robust covert channel
physical layer:
transmits words as a sequence of ‘0’s and ‘1’s
deals with synchronization errors
data-link layer:
divides data to transmit into packets
corrects the remaining errors
11 / 25
![Page 37: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/37.jpg)
www.iaik.tugraz.at
Physical layer: Sending ‘0’s and ‘1’s
sender and receiver agree on one set
receiver probes the set continuously
sender transmits ’0’ doing nothing
→ lines of the receiver still in cache→ fast access
sender transmits ’1’ accessing addresses in the set
→ evicts lines of the receiver→ slow access
12 / 25
![Page 38: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/38.jpg)
www.iaik.tugraz.at
Physical layer: Sending ‘0’s and ‘1’s
sender and receiver agree on one set
receiver probes the set continuously
sender transmits ’0’ doing nothing
→ lines of the receiver still in cache→ fast access
sender transmits ’1’ accessing addresses in the set
→ evicts lines of the receiver→ slow access
12 / 25
![Page 39: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/39.jpg)
www.iaik.tugraz.at
Physical layer: Sending ‘0’s and ‘1’s
sender and receiver agree on one set
receiver probes the set continuously
sender transmits ’0’ doing nothing
→ lines of the receiver still in cache→ fast access
sender transmits ’1’ accessing addresses in the set
→ evicts lines of the receiver→ slow access
12 / 25
![Page 40: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/40.jpg)
www.iaik.tugraz.at
Physical layer: Sending ‘0’s and ‘1’s
sender and receiver agree on one set
receiver probes the set continuously
sender transmits ’0’ doing nothing
→ lines of the receiver still in cache→ fast access
sender transmits ’1’ accessing addresses in the set
→ evicts lines of the receiver→ slow access
12 / 25
![Page 41: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/41.jpg)
www.iaik.tugraz.at
Eviction set generation
need a set of addresses in the same cache set and same slice
problem: slice number depends on all bits of the physical address
physical address
cache tagcache setindex
cache lineoffset
2MB page offset
xxxx
we can build a set of addresses in the same cache set and same slice
without knowing which slice
13 / 25
![Page 42: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/42.jpg)
www.iaik.tugraz.at
Eviction set generation
need a set of addresses in the same cache set and same slice
problem: slice number depends on all bits of the physical address
physical address
cache tagcache setindex
cache lineoffset
2MB page offset
xxxx
we can build a set of addresses in the same cache set and same slice
without knowing which slice
13 / 25
![Page 43: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/43.jpg)
www.iaik.tugraz.at
Eviction set generation
need a set of addresses in the same cache set and same slice
problem: slice number depends on all bits of the physical address
physical address
cache tagcache setindex
cache lineoffset
2MB page offset
xxxx
we can build a set of addresses in the same cache set and same slice
without knowing which slice
13 / 25
![Page 44: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/44.jpg)
www.iaik.tugraz.at
Eviction set generation
need a set of addresses in the same cache set and same slice
problem: slice number depends on all bits of the physical address
physical address
cache tagcache setindex
cache lineoffset
2MB page offset
xxxx
we can build a set of addresses in the same cache set and same slice
without knowing which slice
13 / 25
![Page 45: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/45.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache Sets
receivereviction sets
14 / 25
![Page 46: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/46.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 prime
#2#3#4
Cache Sets
S S S S S S S S
receivereviction sets
14 / 25
![Page 47: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/47.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache Sets
S S S S S S S SR R R R R R R R
receivereviction sets
prime
14 / 25
![Page 48: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/48.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 probe
#2#3#4
Cache Sets
S S S S S S S SR R R R R R R R
receivereviction sets
14 / 25
![Page 49: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/49.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache Sets
S S S S S S S SR R R R R R R R
receivereviction sets
probe
14 / 25
![Page 50: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/50.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 prime
#2#3#4
Cache Sets
S S S S S S S S
receivereviction sets
14 / 25
![Page 51: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/51.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache Sets
S S S S S S S S
R R R R R R R R
receivereviction sets
prime
14 / 25
![Page 52: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/52.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 probe
#2#3#4
Cache Sets
S S S S S S S S
R R R R R R R R
receivereviction sets
14 / 25
![Page 53: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/53.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache Sets
S S S S S S S S
R R R R R R R R
receivereviction sets
probe
14 / 25
![Page 54: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/54.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 prime
#2#3#4
Cache Sets
S S S S S S S S
receivereviction sets
14 / 25
![Page 55: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/55.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache SetsR R R R R R R RS S S S S S S S
receivereviction sets
prime
14 / 25
![Page 56: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/56.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 probe
#2#3#4
Cache SetsR R R R R R R RS S S S S S S S
receivereviction sets
14 / 25
![Page 57: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/57.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache SetsR R R R R R R RS S S S S S S S
receivereviction sets
probe
14 / 25
![Page 58: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/58.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 prime
#2#3#4
Cache Sets
S S S S S S S S
receivereviction sets
14 / 25
![Page 59: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/59.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache Sets
R R R R R R R R
receivereviction sets
prime
14 / 25
![Page 60: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/60.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 probe
#2#3#4
Cache Sets
S S S S S S S S
receivereviction sets
14 / 25
![Page 61: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/61.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1#2#3#4
Cache Sets
R R R R R R R R
receivereviction sets
#1probe
14 / 25
![Page 62: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/62.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 3
#2#3#4
Cache Sets
receivereviction sets
#1
14 / 25
![Page 63: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/63.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 3
#2#3#4
Cache Sets
receivereviction sets
#1
14 / 25
![Page 64: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/64.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 3
#2#3#4
repeat!
receivereviction sets
#1
14 / 25
![Page 65: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/65.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 3
#2 3
#3#4
repeat!
receivereviction sets
#2#1
14 / 25
![Page 66: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/66.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 3
#2 3
#3 3
#4
repeat!
receivereviction sets
#3#2#1
14 / 25
![Page 67: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/67.jpg)
www.iaik.tugraz.at
Jamming agreement
sendereviction sets
#1 3
#2 3
#3 3
#4 3
repeat!
receivereviction sets
#4#3#2#1
14 / 25
![Page 68: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/68.jpg)
www.iaik.tugraz.at
Sending the first image
15 / 25
![Page 69: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/69.jpg)
www.iaik.tugraz.at
Handling synchronization errors
deletion errors: request-to-send scheme that also serves as ack
3-bit sequence numberrequest: encoded sequence number (7 bits)
’0’-insertion errors: error detection code→ Berger codes
appending the number of ’0’s in the word to itself→ property: a word cannot consist solely of ’0’s
DataPhysical layer word
12 bits
SQN
3 bits
EDC
4 bits
16 / 25
![Page 70: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/70.jpg)
www.iaik.tugraz.at
Handling synchronization errors
deletion errors: request-to-send scheme that also serves as ack
3-bit sequence numberrequest: encoded sequence number (7 bits)
’0’-insertion errors: error detection code→ Berger codes
appending the number of ’0’s in the word to itself→ property: a word cannot consist solely of ’0’s
DataPhysical layer word
12 bits
SQN
3 bits
EDC
4 bits
16 / 25
![Page 71: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/71.jpg)
www.iaik.tugraz.at
Handling synchronization errors
deletion errors: request-to-send scheme that also serves as ack
3-bit sequence numberrequest: encoded sequence number (7 bits)
’0’-insertion errors: error detection code→ Berger codes
appending the number of ’0’s in the word to itself→ property: a word cannot consist solely of ’0’s
DataPhysical layer word
12 bits
SQN
3 bits
EDC
4 bits
16 / 25
![Page 72: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/72.jpg)
www.iaik.tugraz.at
Synchronization (before)
17 / 25
![Page 73: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/73.jpg)
www.iaik.tugraz.at
Synchronization (after)
18 / 25
![Page 74: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/74.jpg)
www.iaik.tugraz.at
Synchronization (after)
18 / 25
![Page 75: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/75.jpg)
www.iaik.tugraz.at
Synchronization (after)
18 / 25
![Page 76: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/76.jpg)
www.iaik.tugraz.at
Data-link layer: Error correction
Reed-Solomon codes to correct the remaining errors
RS word size = physical layer word size = 12 bits
packet size = 212 − 1 = 4095 RS words
10% error-correcting code: 409 parity and 3686 data RS words
Data Parity
3686 RS-words 409 RS-words
Data SQN EDC
12 bits 3 bits 4 bits
Data-link layer packet
Physical layer word
19 / 25
![Page 77: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/77.jpg)
www.iaik.tugraz.at
Data-link layer: Error correction
Reed-Solomon codes to correct the remaining errors
RS word size = physical layer word size = 12 bits
packet size = 212 − 1 = 4095 RS words
10% error-correcting code: 409 parity and 3686 data RS words
Data Parity
3686 RS-words 409 RS-words
Data SQN EDC
12 bits 3 bits 4 bits
Data-link layer packet
Physical layer word
19 / 25
![Page 78: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/78.jpg)
www.iaik.tugraz.at
Error correction (after)
20 / 25
![Page 79: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/79.jpg)
www.iaik.tugraz.at
Evaluation
Environment Bit rate Error rate Noise
Native 75.10KBps 0.00% –
Native 36.03KBps 0.00% stress -m 1Amazon EC2 45.25KBps 0.00% –Amazon EC2 45.09KBps 0.00% web server serving files on sender VMAmazon EC2 42.96KBps 0.00% stress -m 2 on sender VMAmazon EC2 42.26KBps 0.00% stress -m 1 on receiver VMAmazon EC2 37.42KBps 0.00% web server on all 3 VMs, stress -m 4
on 3rd VM, stress -m 1 on sender andreceiver VMs
Amazon EC2 34.27KBps 0.00% stress -m 8 on third VM
21 / 25
![Page 80: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/80.jpg)
www.iaik.tugraz.at
Evaluation
Environment Bit rate Error rate Noise
Native 75.10KBps 0.00% –Native 36.03KBps 0.00% stress -m 1
Amazon EC2 45.25KBps 0.00% –Amazon EC2 45.09KBps 0.00% web server serving files on sender VMAmazon EC2 42.96KBps 0.00% stress -m 2 on sender VMAmazon EC2 42.26KBps 0.00% stress -m 1 on receiver VMAmazon EC2 37.42KBps 0.00% web server on all 3 VMs, stress -m 4
on 3rd VM, stress -m 1 on sender andreceiver VMs
Amazon EC2 34.27KBps 0.00% stress -m 8 on third VM
21 / 25
![Page 81: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/81.jpg)
www.iaik.tugraz.at
Evaluation
Environment Bit rate Error rate Noise
Native 75.10KBps 0.00% –Native 36.03KBps 0.00% stress -m 1Amazon EC2 45.25KBps 0.00% –
Amazon EC2 45.09KBps 0.00% web server serving files on sender VMAmazon EC2 42.96KBps 0.00% stress -m 2 on sender VMAmazon EC2 42.26KBps 0.00% stress -m 1 on receiver VMAmazon EC2 37.42KBps 0.00% web server on all 3 VMs, stress -m 4
on 3rd VM, stress -m 1 on sender andreceiver VMs
Amazon EC2 34.27KBps 0.00% stress -m 8 on third VM
21 / 25
![Page 82: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/82.jpg)
www.iaik.tugraz.at
Evaluation
Environment Bit rate Error rate Noise
Native 75.10KBps 0.00% –Native 36.03KBps 0.00% stress -m 1Amazon EC2 45.25KBps 0.00% –Amazon EC2 45.09KBps 0.00% web server serving files on sender VMAmazon EC2 42.96KBps 0.00% stress -m 2 on sender VMAmazon EC2 42.26KBps 0.00% stress -m 1 on receiver VMAmazon EC2 37.42KBps 0.00% web server on all 3 VMs, stress -m 4
on 3rd VM, stress -m 1 on sender andreceiver VMs
Amazon EC2 34.27KBps 0.00% stress -m 8 on third VM
21 / 25
![Page 83: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/83.jpg)
www.iaik.tugraz.at
Building an SSH connection
Hypervisor
Last Level Cache (LLC)
VM 1
Covert Channel
Prime+Probe
TCP↔FileFile System
TCP Client(e.g. ssh)
Socket
VM 2
Covert Channel
Prime+Probe
TCP↔FileFile System
TCP Server(e.g. sshd)
Socket
22 / 25
![Page 84: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/84.jpg)
www.iaik.tugraz.at
SSH evaluation
Between two instances on Amazon EC2
Noise ConnectionNo noise 3stress -m 8 on third VM 3Web server on third VM 3Web server on SSH server VM 3Web server on all VMs 3stress -m 1 on server side unstable
Telnet also works with occasional corrupted bytes with stress -m 1
23 / 25
![Page 85: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/85.jpg)
www.iaik.tugraz.at
SSH evaluation
Between two instances on Amazon EC2
Noise ConnectionNo noise 3stress -m 8 on third VM 3Web server on third VM 3Web server on SSH server VM 3Web server on all VMs 3stress -m 1 on server side unstable
Telnet also works with occasional corrupted bytes with stress -m 1
23 / 25
![Page 86: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/86.jpg)
www.iaik.tugraz.at
Conclusion
cache covert channels are practical
even in the cloud, even in presence of extraordinary noise
our robust covert channel supports an SSH connection
we extended Amazon’s product portfolio :)
24 / 25
![Page 87: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/87.jpg)
www.iaik.tugraz.at
Conclusion
cache covert channels are practical
even in the cloud, even in presence of extraordinary noise
our robust covert channel supports an SSH connection
we extended Amazon’s product portfolio :)
24 / 25
![Page 88: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/88.jpg)
www.iaik.tugraz.at
Conclusion
cache covert channels are practical
even in the cloud, even in presence of extraordinary noise
our robust covert channel supports an SSH connection
we extended Amazon’s product portfolio :)
24 / 25
![Page 89: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/89.jpg)
www.iaik.tugraz.at
Conclusion
cache covert channels are practical
even in the cloud, even in presence of extraordinary noise
our robust covert channel supports an SSH connection
we extended Amazon’s product portfolio :)
24 / 25
![Page 90: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/90.jpg)
www.iaik.tugraz.at
Conclusion
cache covert channels are practical
even in the cloud, even in presence of extraordinary noise
our robust covert channel supports an SSH connection
we extended Amazon’s product portfolio :)
24 / 25
![Page 91: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/91.jpg)
www.iaik.tugraz.at
Conclusion
cache covert channels are practical
even in the cloud, even in presence of extraordinary noise
our robust covert channel supports an SSH connection
we extended Amazon’s product portfolio :)
24 / 25
![Page 92: Hello from the Other Side: SSH over Robust Cache …...hash function maps a physical address to a slice 4/25 Caches on Intel CPUs core0 L1 L2 core1 L1 L2 core2 L1 L2 core3 L1 L2 ring](https://reader035.fdocuments.net/reader035/viewer/2022070815/5f0eade17e708231d4406779/html5/thumbnails/92.jpg)
www.iaik.tugraz.at
Hello from the Other Side:SSH over Robust CacheCovert Channels in the CloudClémentine Maurice, ManuelWeber, Michael Schwarz, Lukas Giner, DanielGruss, Carlo Alberto Boano, Stefan Mangard, Kay RömerGraz University of Technology
February 2017 — NDSS 2017
25 / 25