Real-time Detection of Cache Side-channel Attack Using Non-cache Hardware Events

Cache side-channel attack is a class of attacks to retrieve sensitive information from a system by exploiting shared resource in CPUs. As the attacks are delivered to wide range of environments from mobile systems to cloud recently, many detection strategies have been proposed. Since the conventional cache side-channel are likely to incur tremendous number of cache events, most of the previous detection mechanisms were designed to carefully monitor cache events. However, recently proposed attacks tend to incur less cache events during the attack. PRIME+ABORT attack, for example, leverages the Intel TSX instead of accessing cache to measure access time. Because of the characteristic, cache event based detection mechanisms may hardly distinguish the attack. In this paper, we conduct an in-depth analysis of the PRIME+ABORT attack to identify the other useful hardware events for detection rather than cache events. Based on our finding, we present a novel mechanism called PRIME+ABORT Detector to detect the PRIME+ABORT attack and demonstrate that the detection mechanism can achieve 99.5% success rates with 0.3% performance overhead.