ClepsydraCache -- Preventing Cache Attacks with Time-Based Evictions

Both the shift towards attacks on the microarchitectural CPU level and the ongoing transition towards cloud computing and shared VM hosts have increasingly drawn attention towards cache attacks. In these fields of application, cache side-channels lay the cornerstone that is leveraged by attackers to exfiltrate secret information from the CPU microarchitecture. We build upon the observation that current cache side-channel attacks mostly exploit the architectural visibility of conflicting cache addresses. With ClepsydraCache, we break away this foundation by unraveling the linkage between cache evictions and accesses to conflicting addresses. Our solution takes a new approach that assigns each cache entry a random time-to-live to reduce the amount of cache conflicts. By making those conflicts unobservable to an attacker, ClepsydraCache efficiently protects against attacks like Prime+Probe and Flush+Reload. Furthermore, our solution is applicable to large last-level caches which are the most common targets for cache attacks. We implement ClepsydraCache using the Gem5 simulator and provide a proof-of-concept hardware design and simulation using 65-nm CMOS technology. ClepsydraCache matches the performance of traditional cache architectures while improving the system security against cache attacks.