Show HN: Barnowld - Daemon for live detection of cache side-channel attacks

1 point

3 years ago

The idea behind barnowld is that cache side channel attacks almost always leave a very special signature: they usually generate cache miss rates above 90% which have nothing in common with "natural" applications. It is precisely this conspicuous characteristics that barnwold takes advantage of.

Mode of operation: the daemon iterates over the cores and analyzes them individually for a random amount of seconds. After all cores are analyzed, it starts again. For analyzing, the CPU Performance Monitoring Unit (PMU) is used in counting mode. This approach has effectively no overhead and is through the Linux perf subsystem extremely generic usable for the various architectures such as x86-64, ARM, IBM or RISC-V.

If potential attacks are detected, an alarm message is logged into the journal with severity error. Third party log analyzer can simply filter for error messages in unit barnowld.

Of course, it can not prevent attacks - microcode updates from the vendors should always be installed preferentially - no question! The daemon is used to detect attacks which are known - or not yet known.

I am grateful for criticism or ideas!