Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

New Technique Improves Effectiveness of Timing Channel Attacks

Two researchers have discovered a new timing channel attack technique that remains effective even if multiple processes are running on a system.

Two researchers have discovered a new timing channel attack technique that remains effective even if multiple processes are running on a system.

Called DABANGG (the Hindi word for fearless), the newly proposed technique improves the effectiveness of flush-based attacks such as Flush+Reload and Flush+Flush, researchers Anish Saxena and Biswabandan Panda from the Indian Institute of Technology Kanpur claim in a research paper.

According to them, the majority of flush-based attacks are accurate in controlled environments, where only the attacker and victim processes run on the system by sharing OS pages. When additional processes are running on multi-core systems, however, the attacks lose efficiency due to noise.

The dynamic nature of core frequency (depending on system load), and the relative placement of victim and attacker threads in the processor (based on logical and physical cores) are the two root causes affecting the accuracy of flush-based attacks, as they affect the cache latency calibration step of the attack.

The two researchers propose a series of refinements that would make “flush attacks resilient to frequency changes and thread placement in the processor, and therefore system noise.”

These refinements apply to pre-attack and attack steps, and ensure latency change awareness. When tested against standard Flush+Reload and Flush+Flush attacks across multiple scenarios (side-channel based keylogging, AES secret key extraction, covert channel, and Spectre), the new technique yields improvements in both F1 score and accuracy, the researchers claim.

These attacks involve flushing a cache line address using clflush, waiting for the flushed address to be accessed, and reloading or flushing the flushed cache line address to measure latency. The issue with these attacks is the precise identification of the difference in execution latency of clflush and reload instructions. Also of high importance in the effectiveness of the attack is the sleep step.

“On average, across eight possible combinations of compute, memory, and I/O noise, a single-character based key-logging attack using LLC as a side-channel show that Flush+Reload and Flush+Flush provide F1 scores of 42.8% and 8.1%, respectively. In a covert channel attack, Flush+Reload and Flush+Flush attacks suffer from maximum error rates of 45% and 53%, respectively,” the researchers say.

The newly proposed technique improves latency calibration and attacker’s waiting (sleeping) strategy, thus ensuring that the cache access latency threshold remains consistent and resilient to system noise.

Proposed DABANGG refinements include the use of calibration tools to “capture the stepped frequency distribution of the processor while distinguishing a cache hit from a miss;” the use of victim-specific parameters to identify the victim’s memory access pattern; and the use of compute-intensive functions for “a better grip over waiting period.”

By employing these refinements, the researchers argue, the attacker becomes frequency-aware and victim-aware. By making the attacker aware of the victim’s behavior, the effectiveness of the attack can be increased, the researchers say.

DABANGG is a timing channel attack that is resilient to system noise and can improve the effectiveness of attacks such as Spectre (which uses a cache covert channel). The attack works with both Intel and AMD processors and can be used even against non-Linux systems.

Essentially, DABANGG attacks are flush-based attacks, meaning that all of the mitigation techniques that apply to Flush+Reload and Flush+Flush attacks are applicable to DABANGG refined attacks.

“The improved, noise resilient DABANGG-enabled attacks pose a significant challenge to the micro-architectural security community. DABANGG-enabled attacks have all of the perks of flush based attacks while being significantly more accurate and precise, making the flush based attacks more practical,” the researchers conclude.

Related: New Class of Vulnerabilities Leak Data From Intel Chips

Related: NetCAT Attack: Hackers Can Remotely Steal Data From Servers With Intel CPUs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.