There is a long history of side channels in the memory hierarchy of modern CPUs. Especially the cache side channel is widely used in the context of transient execution attacks and covert channels. Therefore, many secure cache architectures have been proposed. Most of these architectures aim to make the construction of eviction sets infeasible by randomizing the address-to-cache mapping. In this paper, we investigate the peculiarities of write instructions in recent CPUs. We identify Write+Write, a new side channel on Intel CPUs that leaks whether two addresses contend for the same cache set. We show how Write+Write can be used for rapid construction of eviction sets on current cache architectures. Moreover, we replicate the Write+Write effect in gem5 and demonstrate on the example of ScatterCache how it can be exploited to efficiently attack state-of-the-art cache randomization schemes. In addition to the Write+Write side channel, we show how Write-After-Write effects can be leveraged to efficiently synchronize covert channel communication across CPU cores. This yields the potential for much more stealthy covert channel communication than before.
翻译:现代 CPU 的记忆层有很长的侧端通道历史。 尤其是缓存侧端通道被广泛用于临时执行袭击和隐蔽通道。 因此, 已经提出了许多安全的缓存结构。 这些结构大多旨在通过随机绘制地址到缓存的映射图, 使拆迁装置的建造不可行。 在本文中, 我们调查最近的 CPU 的写指令的特殊性。 我们确定 Intel CPU 上的新侧端通道 : Write+Write, 它会泄露是否为同一缓存集争斗两个地址。 我们展示了如何使用 写+Write 快速构建当前缓存结构的拆迁套。 此外, 我们复制了 prem5 中的 写+Write 效果, 并在 ScatterCache 的示例上展示了它如何被利用来有效攻击状态的缓存缓存随机程序。 除了 写+Write 侧端通道外, 我们展示了如何利用 写- write 效应来高效同步同步跨 CPU 核心 的隐蔽通道通信 的可能性 。