Write Me and I'll Tell You Secrets -- Write-After-Write Effects On Intel CPUs

There is a long history of side channels in the memory hierarchy of modern CPUs. Especially the cache side channel is widely used in the context of transient execution attacks and covert channels. Therefore, many secure cache architectures have been proposed. Most of these architectures aim to make the construction of eviction sets infeasible by randomizing the address-to-cache mapping. In this paper, we investigate the peculiarities of write instructions in recent CPUs. We identify Write+Write, a new side channel on Intel CPUs that leaks whether two addresses contend for the same cache set. We show how Write+Write can be used for rapid construction of eviction sets on current cache architectures. Moreover, we replicate the Write+Write effect in gem5 and demonstrate on the example of ScatterCache how it can be exploited to efficiently attack state-of-the-art cache randomization schemes. In addition to the Write+Write side channel, we show how Write-After-Write effects can be leveraged to efficiently synchronize covert channel communication across CPU cores. This yields the potential for much more stealthy covert channel communication than before.