Detector+: An approach for detecting, isolating, and preventing timing attacks
Computers & Security (IF 4.8), Pub Date: 2021-08-28, DOI: 10.1016/j.cose.2021.102454
Arsalan Javeed, Cemal Yilmaz, Erkay Savas

In this work, we present a novel approach, called Detector+, to detect, isolate, and prevent timing-based side channel attacks (i.e., timing attacks) at runtime. The proposed approach is based on a simple observation that the time measurements required by the timing attacks differ from those required by the benign applications, as these attacks need to measure the execution times of typically quite short-running operations. Detector+, therefore, monitors the time readings made by processes and marks consecutive pairs of readings that are close to each other in time as suspicious. In the presence of suspicious time measurements, Detector+ introduces noise into the measurements to prevent the attacker from extracting information by using these measurements. The sequence of suspicious time measurements is then analyzed by using a sliding-window-based approach to pinpoint the malicious processes at runtime. We have empirically evaluated the proposed approach by using five well-known timing attacks, including Meltdown, together with their variations, representing some of the mechanisms that an attacker can employ to become stealthier. In one evaluation setup, each type of attack was carried out concurrently by multiple processes. In the other setup, multiple types of attacks were carried out concurrently. In all the experiments, Detector+ detected all the malicious time measurements with almost perfect accuracy, prevented all the attacks, and correctly pinpointed all the malicious processes involved in the attacks without any false positives after they had made a few time measurements, with an average runtime overhead of 1.56%.
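
The detection idea in the abstract, as an added sketch that is not the authors' implementation: per-process time reads are paired, close pairs are marked suspicious and get noise, and a sliding window over the pairs flags the process. The threshold, window size, flag count, noise range, and the trace itself are assumptions chosen for illustration.

```python
import random
from collections import defaultdict, deque

# Illustrative assumptions: the abstract gives no thresholds or window sizes.
GAP_THRESHOLD_NS = 2_000  # consecutive reads closer than this form a suspicious pair
WINDOW = 8                # sliding window length, in consecutive-read pairs
MIN_SUSPICIOUS = 3        # suspicious pairs inside one window that flag a process


def analyze(readings, noise_ns=lambda: random.randint(0, 5_000)):
    """readings: (pid, true_time_ns) tuples in the order the reads happen.
    Returns (flagged_pids, observed); observed holds the value each read gets
    back, with noise added to the second read of every suspicious pair."""
    last = {}
    windows = defaultdict(lambda: deque(maxlen=WINDOW))
    flagged, observed = set(), []
    for pid, t in readings:
        prev = last.get(pid)
        last[pid] = t
        suspicious = prev is not None and t - prev < GAP_THRESHOLD_NS
        if prev is not None:
            windows[pid].append(suspicious)
        if sum(windows[pid]) >= MIN_SUSPICIOUS:
            flagged.add(pid)
        observed.append((pid, t + noise_ns() if suspicious else t))
    return flagged, observed


def sample_trace():
    """Constructed trace (not measured data), sorted by read time."""
    trace = [(100, i * 5_000_000) for i in range(10)]        # benign: coarse timing
    trace += [(300, 1_000), (300, 1_500), (300, 9_000_000)]  # benign: one close pair
    for i in range(6):                                       # start/stop reads around
        start = 10_000 + i * 50_000                          # a short operation
        trace += [(200, start), (200, start + 300)]
    return sorted(trace, key=lambda r: r[1])


if __name__ == "__main__":
    flagged, observed = analyze(sample_trace())
    print("flagged pids:", sorted(flagged))
    for (pid, true_t), (_, seen) in zip(sample_trace(), observed):
        if seen != true_t:
            print(f"pid {pid}: read at {true_t} ns returned {seen} ns")
```

In this trace the single close pair from pid 300 is noised but never flagged, which is the role the window plays: isolated short gaps in benign code do not accumulate.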




Updated: 2021-09-04