Connect with us

Hi, what are you looking for?


Security Architecture

New MIT Framework Evaluates Side-Channel Attack Mitigations

The framework helps evaluate the effectiveness of obfuscation side-channel mitigation schemes against data leaks.

A group of researchers from the Massachusetts Institute of Technology (MIT) has devised a framework for evaluating the effectiveness of some side-channel mitigation schemes against data leaks.

Named Metior (PDF), the framework provides a view of how programs, attacker techniques, and obfuscation scheme configurations may impact the amount of data that can be leaked via side-channel attacks.

“Metior builds upon existing information theoretic approaches, allowing for the comprehensive side-channel leakage evaluation of active attackers, real victim applications, and state-of-the-art microarchitectural obfuscation schemes,” the researchers explain.

Side-channel attacks target shared microarchitectural structures to access sensitive information, and are often mitigated through obfuscation schemes (including randomly mapped cache, memory traffic obfuscation, and degrading attacker timing granularities), altering the microarchitectural footprint to make it more difficult for the attacker to leak secrets.

Metior, which is meant to evaluate these defenses, can be used with a variety of microarchitectural obfuscation schemes, courtesy of a random variable model that incorporates both victim and attacker access patterns to shared structures on a chip, to map the flow of information through the scheme.

The researchers have used the framework to test fully-associative random replacement caches when protecting AES against cache occupancy attacks, Skewed-CEASER schemes against probabilistic prime and probe (PPP) and cache occupancy attacks, and Camouflage, an obfuscation scheme that targets ephemeral channels.

According to the researchers, Metior can be used to identify behaviors that were not fully understood before, such as the fact that, under certain configurations, a PPP attack works by exploiting cache occupancy effects instead of relying on targeted collisions.

Advertisement. Scroll to continue reading.

“Metior offers key contributions in describing the side-channel information flow through these schemes for wide classes of attacks, including those which leverage both persistent and ephemeral side-channels. By extending existing work from information theory to quantify this flow, we have shown that Metior reveals interesting leakage behaviors of state-of-the-art obfuscating schemes,” the researchers note.

Related: New ‘Hertzbleed’ Remote Side-Channel Attack Affects Intel, AMD Processors

Related: Academics Devise Side-Channel Attack Targeting Multi-GPU Systems

Related: Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Artificial Intelligence

Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...