{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T04:48:24Z","timestamp":1780634904301,"version":"3.54.1"},"reference-count":64,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,3,7]],"date-time":"2023-03-07T00:00:00Z","timestamp":1678147200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"EU Commission in the frame of the Horizon 2020 project SPARTA","award":["830892"],"award-info":[{"award-number":["830892"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,3,31]]},"abstract":"<jats:p>We present a kernel-level infrastructure that allows systemwide detection of malicious applications attempting to exploit cache-based side-channel attacks to break the process confinement enforced by standard operating systems. This infrastructure relies on hardware performance counters to collect information at runtime from all applications running on the machine. High-level detection metrics are derived from these measurements to maximize the likelihood of promptly detecting a malicious application. Our experimental assessment shows that we can catch a large family of side-channel attacks with a significantly reduced overhead. We also discuss countermeasures that can be enacted once a process is suspected of carrying out a side-channel attack to increase the overall tradeoff between the system\u2019s security level and the delivered performance under non-suspected process executions.<\/jats:p>","DOI":"10.1145\/3519601","type":"journal-article","created":{"date-parts":[[2022,4,30]],"date-time":"2022-04-30T11:10:48Z","timestamp":1651317048000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0325-1713","authenticated-orcid":false,"given":"Stefano","family":"Carn\u00e0","sequence":"first","affiliation":[{"name":"Sapienza, University of Rome, Roma, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4840-451X","authenticated-orcid":false,"given":"Serena","family":"Ferracci","sequence":"additional","affiliation":[{"name":"Sapienza, University of Rome, Roma, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5616-7980","authenticated-orcid":false,"given":"Francesco","family":"Quaglia","sequence":"additional","affiliation":[{"name":"University of Rome \u201cTor Vergata,\u201d, Roma, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0179-9868","authenticated-orcid":false,"given":"Alessandro","family":"Pellegrini","sequence":"additional","affiliation":[{"name":"University of Rome \u201cTor Vergata,\u201d, Roma, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2023,3,7]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICEEE2019.2019.00026"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-79263-5_16"},{"key":"e_1_3_2_4_2","volume-title":"Indirect Branch Control Extension","year":"2018","unstructured":"AMD. 2018. Indirect Branch Control Extension. Technical Report. AMD."},{"key":"e_1_3_2_5_2","unstructured":"AMD. 2019. Processor Programming Reference (PPR) for AMD Family 17h 01h 08h Revision B2 Processors. Technical Report. AMD."},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/1815961.1815970"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-48324-4_13"},{"key":"e_1_3_2_8_2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"667","DOI":"10.1007\/978-3-642-10366-7_39","volume-title":"Advances in Cryptology","author":"Brumley Billy Bob","year":"2009","unstructured":"Billy Bob Brumley and Risto M. Hakala. 2009. Cache-timing template attacks. In Advances in Cryptology, Mitsuru Matsui (ed.). Lecture Notes in Computer Science, Vol. 5912. Springer, Berlin, 667\u2013684. 10.1007\/978-3-642-10366-7_39"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/NETSOFT.2019.8806712"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1117\/12.2263029"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.5555\/3361338.3361356"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.asoc.2016.09.014"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2843859.2843865"},{"key":"e_1_3_2_14_2","volume-title":"Taming STIBP","author":"Corbet Jonathan","year":"2018","unstructured":"Jonathan Corbet. 2018. Taming STIBP. Technical Report. LWN.net."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00021"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/2485922.2485970"},{"key":"e_1_3_2_17_2","first-page":"51","volume-title":"Proceedings of the 26th USENIX Security Symposium","author":"Disselkoen Craig","year":"2017","unstructured":"Craig Disselkoen, David Kohlbrenner, Leo Porter, and Dean Tullsen. 2017. Prime+Abort: A timer-free high-precision L3 cache attack using intel TSX. In Proceedings of the 26th USENIX Security Symposium. USENIX Association, Berkeley, CA, 51\u201367."},{"key":"e_1_3_2_18_2","unstructured":"Alberto Garcia-Serrano. 2015. Anomaly detection for malware identification using hardware performance counters. arXiv:1508.07482. Retrieved from http:\/\/arxiv.org\/abs\/1508.07482."},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-62105-0_11"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_14"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.22"},{"key":"e_1_3_2_22_2","unstructured":"Dave Hansen. 2017. Hansen\u2019s KPTI Patch. Retrieved from https:\/\/lwn.net\/Articles\/738997\/."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.23"},{"key":"e_1_3_2_24_2","volume-title":"Intel\u00ae 64 and IA-32 Architectures Software Developer\u2019s Manual Volume 3 (3A, 3B and 3C): System Programming Guide","year":"2013","unstructured":"Intel. 2013. Intel\u00ae 64 and IA-32 Architectures Software Developer\u2019s Manual Volume 3 (3A, 3B and 3C): System Programming Guide. Intel Corporation, Santa Clara, CA."},{"key":"e_1_3_2_25_2","volume-title":"Intel Analysis of Speculative Execution Side Channels","author":"Corporation Intel","year":"2018","unstructured":"Intel Corporation. 2018. Intel Analysis of Speculative Execution Side Channels. Technical Report. Intel."},{"key":"e_1_3_2_26_2","volume-title":"8th and 9th Generation Intel Core Processor Family","author":"Corporation Intel","year":"2019","unstructured":"Intel Corporation. 2019. 8th and 9th Generation Intel Core Processor Family. Technical Report. Intel."},{"key":"e_1_3_2_27_2","volume-title":"Cross-core Microarchitectural Side Channel Attacks and Countermeasures","author":"Irazoqui Gorka","year":"2017","unstructured":"Gorka Irazoqui. 2017. Cross-core Microarchitectural Side Channel Attacks and Countermeasures. Ph.D. Dissertation. Worcester Polytechnic Institute."},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.42"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/2897937.2897962"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2016.7783740"},{"key":"e_1_3_2_31_2","first-page":"189","volume-title":"Proceedings of the 21st USENIX Security Symposium","author":"Kim Taesoo","year":"2012","unstructured":"Taesoo Kim, Marcus Peinado, and Gloria Mainar-Ruiz. 2012. StealthMem: System-level protection against cache-based side channel attacks in the cloud. In Proceedings of the 21st USENIX Security Symposium. USENIX Association, Berkeley, CA, 189\u2013204."},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2014.6853210"},{"key":"e_1_3_2_33_2","unstructured":"Colin Ian King. 2017. Stress-ng: A stress-testing Swiss army knife."},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"e_1_3_2_35_2","unstructured":"Michael Larabel and Matthew Tippett. 2022. Phoronix Test Suite. Retrieved from https:\/\/www.phoronix-test-suite.com\/"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.165"},{"key":"e_1_3_2_37_2","first-page":"973","volume-title":"Proceedings of the 27th USENIX Security Symposium","author":"Lipp Moritz","year":"2018","unstructured":"Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading kernel memory from user space. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, Berkeley, CA, 973\u2013990."},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"e_1_3_2_39_2","volume-title":"Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction","author":"Lu\u0163a\u015f Andrei","year":"2019","unstructured":"Andrei Lu\u0163a\u015f and Dan Lu\u0163a\u015f. 2019. Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction. Technical Report. Bitdefender."},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/2046582.2046596"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2012.6237011"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3214292.3214293"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1016\/S1571-0661(04)81042-9"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/2768566.2768575"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1007\/11605805_1"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3061639.3062202"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-30806-7_9"},{"key":"e_1_3_2_48_2","volume-title":"Techniques for Transparent Parallelization of Discrete Event Simulation Models","author":"Pellegrini Alessandro","year":"2014","unstructured":"Alessandro Pellegrini. 2014. Techniques for Transparent Parallelization of Discrete Event Simulation Models. Ph.D. Dissertation. Sapienza, University of Rome."},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-10-2209-8_5"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653687"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/2948618.2948620"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-009-9049-y"},{"key":"e_1_3_2_53_2","first-page":"991","volume-title":"Proceedings of the 27th USENIX Security Symposium","author":"Bulck Jo Van","year":"2018","unstructured":"Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. FORESHADOW: Extracting the keys to the intel SGX kingdom with transient out-of-order execution. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, Berkeley, CA, 991\u20131008."},{"key":"e_1_3_2_54_2","first-page":"937","volume-title":"Proceedings of the 27th USENIX Security Symposium","author":"Schaik Stephan Van","year":"2018","unstructured":"Stephan Van Schaik, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. 2018. Malicious management unit: Why stopping cache attacks in software is harder than you think. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, Berkeley, CA, 937\u2013954."},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00042"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2015.2474374"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD.2015.7372617"},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/TMSCS.2016.2569467"},{"key":"e_1_3_2_59_2","volume-title":"Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution","author":"Weisse Ofir","year":"2018","unstructured":"Ofir Weisse, Jo Van Bulck, Marina Minkin, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Raoul Strackx, Thomas F Wenisch, and Yuval Yarom. 2018. Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution. Technical Report. 7 pages."},{"key":"e_1_3_2_60_2","first-page":"719","volume-title":"Proceedings of the 23rd USENIX Security Symposium","author":"Yarom Yuval","year":"2014","unstructured":"Yuval Yarom and Katrina Falkner. 2014. FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In Proceedings of the 23rd USENIX Security Symposium. USENIX Association, Berkeley, CA, 719\u2013732."},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1145\/2103799.2103807"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2012.6263958"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382230"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196515"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-06320-1_14"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3519601","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3519601","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T17:49:38Z","timestamp":1750268978000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3519601"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,7]]},"references-count":64,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,3,31]]}},"alternative-id":["10.1145\/3519601"],"URL":"https:\/\/doi.org\/10.1145\/3519601","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,7]]},"assertion":[{"value":"2021-04-16","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-02-17","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}