TY - GEN
T1 - Ghost Thread
T2 - 11th ACM Conference on Data and Application Security and Privacy, CODASPY 2021
AU - Brotzman, Robert
AU - Zhang, Danfeng
AU - Kandemir, Mahmut
AU - Tan, Gang
N1 - Publisher Copyright:
© 2021 ACM.
PY - 2021/4/26
Y1 - 2021/4/26
N2 - Cache-based side channel attacks pose a serious threat to computer security. Numerous cache attacks have been demonstrated, highlighting the need for effective and efficient defense mechanisms to shield systems from this threat. In this paper, we propose a novel application-level protection mechanism, called Ghost Thread. Ghost Thread is a flexible library that allows a user to protect cache accesses to a requested sensitive region to mitigate cache-based side channel attacks. This is accomplished by injecting random cache accesses to the sensitive cache region by separate threads. Compared with prior work that injects noise in a modified OS and hardware, our novel approach is applicable to commodity OS and hardware. Compared with other user-space mitigation mechanisms, our novel approach does not require any special hardware support, and it only requires slight code changes in the protected application making it readily deployable. Evaluation results on an Apache server show that Ghost Thread provides both strong protection and negligible overhead on real-world applications where only a fragment requires protection. In the worst-case scenario where the entire application requires protection, Ghost Thread still incurs negligible overhead when a system is under utilized, and moderate overhead when a system is fully utilized.
AB - Cache-based side channel attacks pose a serious threat to computer security. Numerous cache attacks have been demonstrated, highlighting the need for effective and efficient defense mechanisms to shield systems from this threat. In this paper, we propose a novel application-level protection mechanism, called Ghost Thread. Ghost Thread is a flexible library that allows a user to protect cache accesses to a requested sensitive region to mitigate cache-based side channel attacks. This is accomplished by injecting random cache accesses to the sensitive cache region by separate threads. Compared with prior work that injects noise in a modified OS and hardware, our novel approach is applicable to commodity OS and hardware. Compared with other user-space mitigation mechanisms, our novel approach does not require any special hardware support, and it only requires slight code changes in the protected application making it readily deployable. Evaluation results on an Apache server show that Ghost Thread provides both strong protection and negligible overhead on real-world applications where only a fragment requires protection. In the worst-case scenario where the entire application requires protection, Ghost Thread still incurs negligible overhead when a system is under utilized, and moderate overhead when a system is fully utilized.
UR - http://www.scopus.com/inward/record.url?scp=85105002491&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85105002491&partnerID=8YFLogxK
U2 - 10.1145/3422337.3447846
DO - 10.1145/3422337.3447846
M3 - Conference contribution
AN - SCOPUS:85105002491
T3 - CODASPY 2021 - Proceedings of the 11th ACM Conference on Data and Application Security and Privacy
SP - 233
EP - 244
BT - CODASPY 2021 - Proceedings of the 11th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
Y2 - 26 April 2021 through 28 April 2021
ER -