AutoCAT: Reinforcement Learning for Automated Exploration of Cache Timing-Channel Attacks

The aggressive performance optimizations in modern microprocessors can result in security vulnerabilities. For example, the timing-based attacks in processor caches are shown to be successful in stealing secret keys or causing privilege escalation. So far, finding cache-timing vulnerabilities is mostly performed by human experts, which is inefficient and laborious. There is a need for automatic tools that can explore vulnerabilities because unreported vulnerabilities leave the systems at risk. In this paper, we propose AutoCAT, an automated exploration framework that finds cache timing-channel attacks using reinforcement learning (RL). Specifically, AutoCAT formulates the cache timing-channel attack as a guessing game between the attacker program and the victim program holding a secret, which can thus be solved via modern deep RL techniques. AutoCAT can explore attacks in various cache configurations without knowing design details and under different attacker and victim configurations, and also find attacks to bypass known detection and defense mechanisms. In particular, AutoCAT discovered StealthyStreamline, a new attack that is able to bypass detection based on performance counters and has up to a 71% higher information leakage rate than the state-of-the-art LRU-based attacks on real processors. AutoCAT is the first of its kind using RL for crafting microarchitectural timing-channel attack sequences and can accelerate cache timing-channel exploration for secure microprocessor designs.