Cloud computing is convenient to provide adequate resources for tenants. However, since multiple tenants share the underlying hardware resources, malicious tenants can use the shared processor to launch cache-based attacks. Such attacks can help malicious tenants steal private data of other tenants bypassing isolation mechanisms provided by the system, resulting in information leakage. Moreover, Spectre and Meltdown vulnerabilities can even extract memory contents arbitrarily with the help of cache attacks. Therefore, cache-based attacks pose a serious threat to the security of cloud platforms. To defeat such attacks, many detection methods have been proposed. However, most methods induce high false positives because they completely rely on the hardware performance counters (HPCs) and detect attacks with static criteria. To solve this problem, this article proposes a self-feedback detector named CBA-Detector to detect cache-based attacks in real time. Specifically, CBA-Detector first uses machine learning technologies to create models for identifying suspicious programs with abnormal hardware behaviors, then analyzes suspicious programs from the instruction level to identify real attacks and provide feedback. Based on the feedback, the models can be updated to further improve their detection accuracy. As our experiments show, CBA-Detector can accurately identify cache-based attacks in real time and introduces a little overhead. Besides, the misjudgment rate decreases with the running time.
Read full abstract