Flexible Cuckoo directory to protect against side channel attacks

Abstract

Directories used for cache coherence are vulnerable to side channel attacks. Directories are inclusive by nature, even if caches are non-inclusive because directories need to track all cache lines in the system. Attackers can leverage this inclusivity to evict victim directory entries and trigger the eviction of victim cache lines from private caches. Thus, there is a need to redesign directories with security in mind. To prevent attackers’ ability to evict victim entries, we need to block interference between processes. One of the most common approaches employed in caches is to partition among different processes to provide isolation. However, partitioning efficiently is a major challenge especially with an increasing number of cores without severely inhibiting the associativity and performance of the system.

This thesis presents a secure directory design in the form of a flexible cuckoo directory. The goal of the proposed design is to provide both performance and security. Each process receives its own partition designed using cuckoo hashing. Both the associativity and size of a partition can be resized dynamically based on the needs of the application. Partitions provide isolation between processes while flexible cuckoo hashing provides high performance. We propose two designs | On-Demand cuckoo (OD) where partitions can be resized on-demand and Limited cuckoo where partitions can be resized only at fixed intervals. Limited cuckoo has additional security guarantees. Simulations show an average 18.7% and 15.4% improvement in IPC in OD and limited cuckoo, respectively, over a baseline modeled after the Intel Skylake-X architecture in a single program environment and a 27.9% and 26.7% improvement in IPC in a four-program environment. Our proposed design, thus, not only provides security but also improves the performance, eliminating the performance-security trade-off.