Artifact repository for 'Side Channel Attacks on Optane Persistent Memory'.

This readme contains basic commands to reproduce results of the experiments.

Supported Environment

Hardware dependencies

The experiments require a hardware platform as listed below:

• CPU: Intel Cascade Lake.
• Persistent Memory: 1st generation Optane DCPMM. If the server contains multiple Optane modules, they must be running under non-interleaved mode.
• Network: one-hop Ethernet connection between the two Optane servers (for remote covert channels and side-channel attacks).

Software dependencies

The experiments require a software environment as listed below:

• Operating system: Ubuntu 18.04, kernel v5.4.
• Compiler: gcc and g++-7.5.
• Libraries and tools: PMDK v1.9, ndctl v68, ipmctl v02.00.00.3852, pmemkv v1.3, libuv v1.18 and websocket-client (pip package).
• Optane mode: The Optane memory must be running in \emph{App Direct} mode using ipmctl.
• File system for Optane: The Optane device must be mounted in DAX mode.

Installing required dependencies

• pmdk v1.9 can be cloned, built, and installed from the PMDK repository
• ndctl can be built from source or can be installed from your distribution's package repository
• ipmctl can be built from source or can be installed from your distribution's package repository
• pmemkv can be built from source. It requires libpmemobj-cpp, which can be installed from here.
• libuv can be installed from your distribution's package repository.
• websocket-client can be installed by running pip install websocket-client.

Configuring Optane

• First, all Optane modules in your system need to be configured in AppDirect mode, without interleaving. This can be achieved with ipmctl create -goal PersistentMemoryType=AppDirectNotInterleaved. After a reboot, the new memory goal will be in effect.
• Each of the persistent memory region needs to be configured in fsdax mode, which will create /dev/pmemX devices from persistent memory regions. Running ndctl create-namespace -m fsdax will create these fsdax namespaces.
• Once we have a /dev/pmemX device, we need to create a DAX aware filesystem (such as ext4) on it. This can be done using mkfs.ext4 /dev/pmemX
• Finally, this filesystem needs to be mounted in dax mode: mount /dev/pmemX -o dax /mnt/pmemX.

Experimental Setup

• To run all our experiments, we need 2 servers, both with Intel Optane DCPMM DIMMs installed. This is because some of our security attacks are performed over the network.
• Moreover, our reverse-engineering experiments are performed on a server with prefetchers disabled.
• Thus, we have one server with prefetching enabled (where we perform security attacks), and one server with prefetching disabled (where we perform reverse-engineering experiments).
• On each server, each /dev/pmemX device is mounted (with -o dax) on /mnt/pmemX. Morevoer, /mnt/ramdisk is symlinked to some /dev/pmemX device. Setting this up on each server can be automated by running the common/startup.sh script on each server.

Running Experiments

Running the runall-ae.sh script (on the server with prefetching disabled) will re-run all experiments, re-generate all the results, and compile the report. The runall-ae.sh comminicates with the other server (using the remote_ip and remote_user environment variables) to automatically coordinate the experiments.

More precisely, this script does the following:

• Runs each one of our experiments one by one. Each experiment directory has a script-ae.sh script which runs the experiment. When one runs runall-ae.sh, we find all script-ae.sh files, and run them sequentially.
• Once all the experiments have completed, the results of each experiment is copied to the report/ diretory, which also contains the tex file of the report.
• Finally, the final report (report/report.pdf) is generated by running make in the report/ directory.

Repository Directory Structure

.
├── common          # Programs + scripts common to many experiments
├── keystroke       # Keystroke attack code + keystroke data
├── local_covert    # Single machine cross-core covert channel
├── noteboard       # Noteboard covert channel: A persistent, asynchrnous covert channel
├── remote_covert   # Cross-network covert channel
├── report          # Final report tex files
├── reverse         # Reverse engineering experiments
└── util            # Low level (C / asm) code used in many experiments

Resources used per experiment

• Reverse Engineering Heirarchy: [25 compute-minutes + 64GB pmem disk]
• Reverse Engineering Bitmask Pointer Chasing: [3.5 compute-hours + 64 GB pmem disk]
• Reverse Engineering Replacement Policy: [10 compute-minutes + 1 GB pmem disk]
• Reverse Engineering Wearlevelling Policy: [15 compute-seconds + 1 GB pmem disk]
• Reverse Engineering Read-Write Contention: [1 compute-minute + 1 GB pmem disk]
• Local Covert Channel: [45 compute-minutes + 2 GB pmem disk]
• Keystroke Side Channel: [1 compute-hour + 1 GB pmem disk]
• Remote Covert Channel: [35 compute-seconds + 2 GB pmem disk]
• Noteboard Attack: [1 compute-hour + 1 GB pmem disk]

Cite Us

@inproceedings{Liu2023Side,
 author = {Liu, Sihang and Kanniwadi, Suraaj and Schwarzl, Martin and Kogler, Andreas and Gruss, Daniel and Khan, Samira},
 booktitle = {USENIX Security Symposium},
 title = {Side-Channel Attacks on Optane Persistent Memory},
 url = {media/files/optane.pdf},
 year = {2023}
}