dhruvvvv2019-pixel/Cache-side-channel-attack-detection-mitigation-framework

# Cache Side-Channel Attack Detection & Mitigation A Linux-based cybersecurity framework that simulates **Flush+Reload cache side-channel attacks**, detects anomalous cache behavior using **Hardware Performance Monitoring Unit (PMU) counters**, and automatically applies mitigation strategies through **CPU affinity isolation** and **process scheduling controls**. The project demonstrates how low-level hardware attacks can be observed at the operating system level and how performance monitoring data can be leveraged to detect and respond to suspicious cache activity in real time. ## Overview Cache side-channel attacks exploit shared CPU cache behavior to infer sensitive information from victim processes. Among these attacks, **Flush+Reload** is one of the most widely studied techniques due to its precision and effectiveness. In this project, I: * Implement a realistic Flush+Reload attack * Simulate victim and attacker processes * Monitor cache behavior using Linux PMU counters * Develop a statistical anomaly detection engine * Automatically trigger mitigation strategies upon detection * Collect experimental data and generate visualizations * Evaluate the effectiveness of detection and mitigation mechanisms The framework serves as a practical exploration of operating systems, computer architecture, performance monitoring, and cybersecurity concepts. ## Key Features ### Attack Simulation * Flush+Reload side-channel attack implementation * Continuous attack generation for realistic testing * Secret-dependent victim memory access patterns ### Detection Engine * PMU-based cache monitoring using Linux `perf` * Collection of cache references and cache misses * Adaptive threshold-based anomaly detection * Statistical baseline calibration ### Mitigation Mechanisms * CPU affinity isolation using `taskset` * Scheduling priority reduction using `chrt` * Process priority control using `renice` * Automated response upon attack detection ### Evaluation & Visualization * Experimental performance data collection * Automated result analysis * Graph generation and visualization support ## System Architecture The framework consists of four major components: ### 1. Victim Process The victim continuously accesses memory associated with a secret value, generating cache activity that may leak information to an attacker. ### 2. Flush+Reload Attack Module The attacker repeatedly: 1. Flushes selected cache lines 2. Waits for victim execution 3. Reloads memory locations 4. Measures memory access latency Low access latency indicates that the victim recently accessed the corresponding cache line. ### 3. Detection Engine The monitoring system continuously gathers cache-related PMU statistics through Linux performance counters. Monitored metrics include: * Cache Misses * Cache References * Cache Miss Rate ### 4. Mitigation Layer When abnormal cache activity is detected, the framework automatically applies defensive measures such as: * CPU core isolation * Scheduling demotion * Process priority reduction ## Detection Methodology Before active monitoring begins, the framework performs a calibration phase to establish normal system behavior. Adaptive thresholds are computed using: Threshold = μ + 2σ Where: * **μ** = Mean cache metric value * **σ** = Standard deviation A process is classified as suspicious when its observed cache behavior exceeds the computed threshold and significantly deviates from the baseline profile. This approach enables lightweight anomaly detection without requiring machine learning models. ## Technologies Used ### Programming Languages * C * Python ### Linux Utilities * `perf` * `taskset` * `chrt` * `renice` ### Python Libraries * NumPy * Matplotlib ## Project Structure . ├── victim.c ├── flush_attack_demo.c ├── flush_reload_attack.c ├── benign.c │ ├── detection_and_mitigation.py ├── measure_results.py ├── plot_all.py │ ├── data/ └── graphs/ ## Installation ### Recommended Environment * Ubuntu 22.04 or newer * Physical Linux installation ### Supported ### Not Recommended * WSL2 Some PMU events may not be exposed correctly under WSL2, which can negatively affect detection accuracy. ### Install Dependencies Update packages: sudo apt update sudo apt upgrade -y Install build tools: sudo apt install -y build-essential gcc g++ make Install Python: sudo apt install -y python3 python3-pip Install required Python libraries: pip3 install numpy matplotlib Install Linux performance tools: sudo apt install -y linux-tools-common linux-tools-generic Verify installation: perf --version ## Building the Project Compile the victim process: gcc -O0 -o victim victim.c Compile the attack demonstration: gcc -O0 -o flush_attack_demo flush_attack_demo.c -lm Compile the continuous attack: gcc -O0 -o flush_reload_attack flush_reload_attack.c -lm Compile the benign workload: gcc -O2 -o benign benign.c -lm ## Running the Flush+Reload Demo Start the victim process: ./victim Open a second terminal and execute: ./flush_attack_demo The attacker attempts to infer the victim's secret value by observing cache access timing patterns. ## Running Detection & Mitigation ### Terminal 1 ./victim ### Terminal 2 python3 detection_and_mitigation.py Choose a mitigation strategy: 1 → CPU Affinity Strategy 2 → Scheduling Strategy Allow the calibration phase to complete. ### Terminal 3 ./flush_reload_attack The detector continuously monitors cache behavior and automatically applies mitigation when suspicious activity is identified. ## Running a Benign Workload To compare normal application behavior against attack behavior: ./benign This provides baseline performance measurements for evaluation purposes. ## Experimental Evaluation Collect performance data: python3 measure_results.py Results are stored in: data/experiment_results.json Generate visualizations: python3 plot_all.py Generated graphs are saved in: graphs/ ## Future Improvements Potential extensions for future work include: * Prime+Probe attack implementation * Machine learning-based anomaly detection * Real-time monitoring dashboard * Additional PMU performance metrics * Multi-process attack scenarios * Advanced mitigation policies * Dynamic threshold adaptation * Containerized deployment support