The Dabangg timing channel attack can be used against Intel and AMD processors, and even against non-Linux systems.
Dabangg means "one who is without fear" in Hindi. Two Indian researchers have developed a new timing channel attack technique, which they named Dabangg after the well-known Salman Khan film.
The research team of Anish Saxena and Biswabandan Panda from the Indian Institute of Technology Kanpur has written a research paper detailing how the new timing channel attack works. The method described by the duo improves the effectiveness of flush-based attacks such as Flush+Reload and Flush+Flush.
What is a Flush+Reload and Flush+Flush attack?
Flush+Reload and Flush+Flush are among the most popular timing channel attacks. Both work by flushing a shared memory line out of the cache (using the "clflush" instruction), waiting for the victim process to access that line, and then reloading (Flush+Reload) or flushing again (Flush+Flush) the line while measuring how long the operation takes; the measured time reveals whether the victim touched the line in the meantime. The researchers found that while flush-based attacks are accurate in controlled environments, they lose effectiveness in an open environment because of noise.
The researchers attribute the failure of flush-based attacks in open environments to two causes: the dynamic nature of core frequency (which varies with system load), and the relative placement of the victim and attacker threads in the processor (on the same or different logical and physical cores). Both factors affect the cache latency calibration step of the attack.
The researchers have therefore refined the flush-based attacks to make them resilient to frequency changes and system noise.
“On average, across eight possible combinations of computing, memory, and I/O noise, a single-character based key-logging attack using LLC as a side-channel shows that Flush+Reload and Flush+Flush provide F1 scores of 42.8% and 8.1%, respectively. In a covert channel attack, Flush+Reload and Flush+Flush attacks suffer from maximum error rates of 45% and 53%, respectively,” the researchers state in their paper.
The newly proposed technique improves both the latency calibration and the attacker’s waiting (sleeping) strategy, so that the cache access latency threshold remains consistent and resilient to system noise. According to the researchers, the Dabangg refinements include the use of calibration tools to “capture the stepped frequency distribution of the processor while distinguishing a cache hit from a miss;” the use of victim-specific parameters to identify the victim’s memory access pattern; and the use of compute-intensive functions for “a better grip over waiting period.”
With these refinements, the researchers argue, the attacker becomes both frequency-aware and victim-aware, and this awareness of the victim’s behavior is what increases the effectiveness of the attack.
DABANGG timing channel attack works with both Intel and AMD processors and can be used even against non-Linux systems.