A Systematic Evaluation of Novel and Existing Cache Side Channels

Fabian Rauscher, Carina Fiedler, Andreas Kogler, Daniel Gruss

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandBegutachtung

Abstract

CPU caches are among the most widely studied side-channel targets, with Prime+Probe and Flush+Reload being the most prominent techniques. These generic cache attack techniques can leak cryptographic keys, user input, and are a building block of many microarchitectural attacks.

In this paper, we present the first systematic evaluation using 9 characteristics of the 4 most relevant cache attacks, Flush+Reload, Flush+Flush, Evict+Reload, and Prime+Probe, as well as three new attacks that we introduce: Demote+Reload, Demote+Demote, and DemoteContention. We evaluate hit-miss margins, temporal precision, spatial precision, topological scope, attack time, blind spot length, channel capacity, noise resilience, and detectability on recent Intel microarchitectures. Demote+Reload and Demote+Demote perform similar to previous attacks and slightly better in some cases, e.g., Demote+Reload has a 60.7 % smaller blind spot than Flush+Reload. With 15.48 Mbit/s, Demote+Reload has a 64.3 % higher channel capacity than Flush+Reload. We also compare all attacks in an AES T-table attack and compare Demote+Reload and Flush+Reload in an inter-keystroke timing attack. Beyond the scope of the prior attack techniques, we demonstrate a KASLR break with Demote+Demote and the amplification of power side-channel leakage with Demote+Reload. Finally, Sapphire Rapids and Emerald Rapids CPUs use a non-inclusive L3 cache, effectively limiting eviction-based cross-core attacks, e.g., Prime+Probe and Evict+Reload, to rare cases where the victim’s activity reaches the L3 cache. Hence, we show that in a cross-core attack, DemoteContention can be used as a reliable alternative to Prime+Probe and Evict+Reload that does not require reverse-engineering of addressing functions and cache replacement policy.
Originalspracheenglisch
TitelNetwork and Distributed System Security Symposium (NDSS) 2025
DOIs
PublikationsstatusVeröffentlicht - 23 Feb. 2025
VeranstaltungNetwork and Distributed System Security Symposium 2025: NDSS 2025 - San Diego, USA / Vereinigte Staaten
Dauer: 23 Feb. 202528 Feb. 2025
https://www.ndss-symposium.org/ndss2025/

Konferenz

KonferenzNetwork and Distributed System Security Symposium 2025
KurztitelNDSS 2025
Land/GebietUSA / Vereinigte Staaten
OrtSan Diego
Zeitraum23/02/2528/02/25
Internetadresse

Fields of Expertise

  • Information, Communication & Computing

Fingerprint

Untersuchen Sie die Forschungsthemen von „A Systematic Evaluation of Novel and Existing Cache Side Channels“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren