A Systematic Evaluation of Novel and Existing Cache Side Channels

Fabian Rauscher, Carina Fiedler, Andreas Kogler, Daniel Gruss

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review

Abstract

CPU caches are among the most widely studied side-channel targets, with Prime+Probe and Flush+Reload being the most prominent techniques. These generic cache attack techniques can leak cryptographic keys, user input, and are a building block of many microarchitectural attacks.

In this paper, we present the first systematic evaluation using 9 characteristics of the 4 most relevant cache attacks, Flush+Reload, Flush+Flush, Evict+Reload, and Prime+Probe, as well as three new attacks that we introduce: Demote+Reload, Demote+Demote, and DemoteContention. We evaluate hit-miss margins, temporal precision, spatial precision, topological scope, attack time, blind spot length, channel capacity, noise resilience, and detectability on recent Intel microarchitectures. Demote+Reload and Demote+Demote perform similar to previous attacks and slightly better in some cases, e.g., Demote+Reload has a 60.7 % smaller blind spot than Flush+Reload. With 15.48 Mbit/s, Demote+Reload has a 64.3 % higher channel capacity than Flush+Reload. We also compare all attacks in an AES T-table attack and compare Demote+Reload and Flush+Reload in an inter-keystroke timing attack. Beyond the scope of the prior attack techniques, we demonstrate a KASLR break with Demote+Demote and the amplification of power side-channel leakage with Demote+Reload. Finally, Sapphire Rapids and Emerald Rapids CPUs use a non-inclusive L3 cache, effectively limiting eviction-based cross-core attacks, e.g., Prime+Probe and Evict+Reload, to rare cases where the victim’s activity reaches the L3 cache. Hence, we show that in a cross-core attack, DemoteContention can be used as a reliable alternative to Prime+Probe and Evict+Reload that does not require reverse-engineering of addressing functions and cache replacement policy.
Original languageEnglish
Title of host publicationNetwork and Distributed System Security Symposium (NDSS) 2025
DOIs
Publication statusPublished - 23 Feb 2025
EventNetwork and Distributed System Security Symposium 2025: NDSS 2025 - San Diego, United States
Duration: 23 Feb 202528 Feb 2025
https://www.ndss-symposium.org/ndss2025/

Conference

ConferenceNetwork and Distributed System Security Symposium 2025
Abbreviated titleNDSS 2025
Country/TerritoryUnited States
CitySan Diego
Period23/02/2528/02/25
Internet address

Keywords

  • side-channel attack
  • cache attacks
  • systematic approach
  • flush+reload

Fields of Expertise

  • Information, Communication & Computing

Fingerprint

Dive into the research topics of 'A Systematic Evaluation of Novel and Existing Cache Side Channels'. Together they form a unique fingerprint.

Cite this