Hardware based approach to confine malicious processes from side channel attack

  • Zirak Allaf

Student thesis: Doctoral Thesis


Cryptography can be considered as a set of algorithms which primarily relies on mathematical theories with computational supports to be practised in computer systems. Therefore, Cryptography is employed as the main component to security solutions mainly in Internet and could computing. Despite this, hardware and firmware implementations have failed to securely manage program executions in computational environment. This limitation has made it possible for hackers to carry out side channel attacks on computer systems and steal sensitive cryptographic components, such as the secret keys, which are used in securing communication channels. Such issues are alarming, and crucial, and therefore obligate the detection and identification of attackers of the systems.

In this thesis, side channel attacks, exploiting the weakness in hardware and firmware implementations, are addressed along with existing counter-measures. The current side-channel attack techniques show that attackers can exploit the micro-architecture vulnerabilities to achieve their goals. The recent Meltdown attack for instance misuses program execution attributes such as “out-of-order execution”, through a Flush and Reload mechanism, to break the logical isolation between the memories of two independent processes in the kernel space.

Furthermore, in this work, a real-time detection and identification framework has been developed against side-channel attacks. The concept behind this is to take a course of program phase analysis to extract Malicious Loop (ML) phases at the processor core level. Unlike previous works, the proposed detection system within the framework does not rely on synchronisation between the attackers and the victim. Instead, it banks on the Hardware Performance Counters (HPC) utilisation, which is a hardware feature built-in to the modern computational environments. The framework offers high accuracy and efficient detection of Flush+Reload activities before the attacker completes the malicious task. Moreover, the detection can be achieved with minimum time required to detect the attack(s) in both native and cloud systems at the same cost. Additionally, the framework benefits from very low overhead performance approximately less than 1
Date of AwardJan 2018
Original languageEnglish
Awarding Institution
  • University of Portsmouth
SupervisorMo Adda (Supervisor) & Alexander Gegov (Supervisor)

Cite this