Are cache side-channel attacks reliable?
Nov. 26th, 2012 02:21 pm

I have seen some fuss recently about one side-channel attack on a hypervisor. I have even seen a customer who was concerned about it!
My personal opinion is that this type of attack is not practical in a real-world environment. Side-channel attacks involving cache timings have been described many times, and they were always conducted in a sterile setup: the full h/w and s/w setup was known to the attackers, and there were no disturbances, just the attacker and the victim running. It also helped that the full source of the victim was available to the attacker, as well as the full build script.
I do cache timing measurements often, and I always have to figure out how to factor out the noise. It gets in even in a sterile environment.
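To make the "factor out the noise" point concrete, here is an added example (my own code, not from the original post or from any paper it refers to): a minimal Flush+Reload style probe that times one load of a cache line after flushing it and after warming it, calibrates a hit/miss threshold on the attacker's own memory, and then filters the outliers that interrupts and context switches leave in the samples. It assumes an x86 build with gcc or clang (for `_mm_clflush` and `__rdtscp`); on other targets it falls back to `clock_gettime` and cannot flush, so hit and miss will look alike. The buffer, the sample count and the `20 * miss_med` noise cap are arbitrary choices for the demonstration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Time one load of *p in TSC ticks, fenced so the load is what we measure. */
static uint64_t probe_ticks(const volatile uint8_t *p)
{
    unsigned aux;
    _mm_mfence();
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;                  /* volatile: the load really happens */
    _mm_lfence();              /* wait for the load before the second timestamp */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
static void flush_line(const volatile uint8_t *p) { _mm_clflush((const void *)p); }
#else
/* Fallback for non-x86 builds (assumption: no flush instruction available):
 * wall-clock nanoseconds, and flush_line is a no-op, so hit/miss look alike. */
static uint64_t probe_ticks(const volatile uint8_t *p)
{
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    (void)*p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ULL
         + (uint64_t)(b.tv_nsec - a.tv_nsec);
}
static void flush_line(const volatile uint8_t *p) { (void)p; }
#endif

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples. One preempted probe can be 1000x slower than the rest,
 * which wrecks a mean but barely moves the median. */
uint64_t median_u64(const uint64_t *v, size_t n)
{
    uint64_t *tmp = n ? malloc(n * sizeof *tmp) : NULL;
    if (!tmp) return 0;
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Fraction of probes classified as cache hits (below threshold), after dropping
 * samples above noise_cap as scheduler/interrupt noise rather than cache state. */
double hit_fraction(const uint64_t *v, size_t n, uint64_t threshold, uint64_t noise_cap)
{
    size_t hits = 0, kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (v[i] > noise_cap) continue;
        kept++;
        if (v[i] < threshold) hits++;
    }
    return kept ? (double)hits / (double)kept : 0.0;
}

#define SAMPLES 4096

/* Calibrate on memory we own: alternate a flushed (miss) and a warm (hit) probe
 * of the same line, keep both medians, and put the threshold halfway between. */
uint64_t calibrate(const volatile uint8_t *line, uint64_t *hit_med, uint64_t *miss_med)
{
    static uint64_t hit[SAMPLES], miss[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) {
        flush_line(line);
        miss[i] = probe_ticks(line);   /* line evicted: a miss */
        hit[i]  = probe_ticks(line);   /* just loaded by the previous probe: a hit */
    }
    *hit_med  = median_u64(hit, SAMPLES);
    *miss_med = median_u64(miss, SAMPLES);
    return (*hit_med + *miss_med) / 2;
}

int main(void)
{
    static _Alignas(64) uint8_t buf[4096];   /* constructed stand-in for the victim's line */
    const volatile uint8_t *line = buf + 2048;
    uint64_t hit_med, miss_med;
    uint64_t threshold = calibrate(line, &hit_med, &miss_med);
    printf("hit median %" PRIu64 ", miss median %" PRIu64 ", threshold %" PRIu64 "\n",
           hit_med, miss_med, threshold);

    /* Probe a line nobody touched in between: every "hit" here is noise
     * (prefetcher, a neighbour sharing the line, or a mistimed sample). */
    static uint64_t probe[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) {
        flush_line(line);
        probe[i] = probe_ticks(line);
    }
    printf("untouched line classified as hit: %.1f%% of clean samples\n",
           100.0 * hit_fraction(probe, SAMPLES, threshold, 20 * miss_med));
    return 0;
}
```

Two design choices carry the point of the paragraph above. Thresholds come from medians, not means, because a handful of samples that straddle a timer interrupt dominate any average; and samples far above the miss time are thrown away rather than counted as misses, since they say nothing about the cache. Note that calibration here runs on the attacker's own buffer with the attacker's own compiler; in the cross-VM setting the victim's addresses, layout and build are exactly what the attacker does not get for free.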
The authors of most papers, like the one I mentioned, rightfully admit that their setup is very restrictive, but they envision some bad guys coming and repeating their work in a real-world environment. They admit it is very complex and not really feasible, but "this is a fairly elaborate attack and we would expect it to be mounted only by a sophisticated attack organization such as a nation-state". I don't buy this!
And btw, executing WBINVD at random times leaves no room for this type of attack :) (except maybe for L1I cache timings)