CPU Cache

https://software.rajivprab.com/2018/04/29/myths-programmers-believe-about-cpu-caches/

Intel

  • Each CPU core has an independent L1 and L2 cache. These are private to that core
  • Lower Level Cache (LLC) is divided into slices and shared across cores
  • All data in L1 and L2 are also in the LLC

Set Associative Caches

  • Address bits 17-25 are used for the index of the cache
  • Address bits 26-31 are used for the offset of the cache
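
The index/offset split above can be modelled in a few lines. This is an added example, not code from the page or the linked article: it splits an address into tag, index and offset and simulates one set-associative cache to show why lines that share an index compete for the same ways. It assumes the bit numbers count from the most significant bit of a 32-bit address (6 offset bits, 9 index bits); the 8 ways and true-LRU replacement are illustrative, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions (not from the page): bit numbers count from the MSB of a 32-bit
 * address, so bits 26-31 are the low 6 bits (64-byte line) and bits 17-25 the
 * next 9 (512 sets); 8 ways and true-LRU replacement are illustrative. */
#define OFFSET_BITS 6
#define INDEX_BITS  9
#define NUM_SETS    (1u << INDEX_BITS)
#define WAYS        8

typedef struct { uint32_t tag; int valid; unsigned age; } line_t;
static line_t cache[NUM_SETS][WAYS];

uint32_t cache_offset(uint32_t a) { return a & ((1u << OFFSET_BITS) - 1); }
uint32_t cache_index(uint32_t a)  { return (a >> OFFSET_BITS) & (NUM_SETS - 1); }
uint32_t cache_tag(uint32_t a)    { return a >> (OFFSET_BITS + INDEX_BITS); }
void cache_reset(void)            { memset(cache, 0, sizeof cache); }

/* Returns 1 on a hit, 0 on a miss; a miss fills a free way or evicts the LRU. */
int cache_access(uint32_t addr)
{
    line_t *set = cache[cache_index(addr)];
    int hit = -1, victim = 0;
    for (int w = 0; w < WAYS; w++) {
        if (set[w].valid && set[w].tag == cache_tag(addr)) hit = w;
        if (set[w].valid) set[w].age++;            /* every resident line ages */
    }
    if (hit >= 0) { set[hit].age = 0; return 1; }
    for (int w = 0; w < WAYS; w++) {
        if (!set[w].valid) { victim = w; break; }       /* free way first */
        if (set[w].age > set[victim].age) victim = w;   /* else the oldest */
    }
    set[victim] = (line_t){ cache_tag(addr), 1, 0 };
    return 0;
}

int main(void)
{
    uint32_t a = 0x00012345;                       /* constructed sample address */
    printf("offset=%u index=%u tag=%u\n", (unsigned)cache_offset(a),
           (unsigned)cache_index(a), (unsigned)cache_tag(a));
    int first = cache_access(a), second = cache_access(a);
    printf("first=%d second=%d\n", first, second);  /* miss, then hit */
    for (uint32_t k = 1; k <= WAYS; k++)            /* same index, new tags */
        cache_access(a + (k << (OFFSET_BITS + INDEX_BITS)));
    printf("after %d congruent lines: %d\n", WAYS, cache_access(a));
    return 0;
}
```

Real Intel parts use pseudo-LRU policies and hash the address to pick an LLC slice, so the model shows the set-contention principle rather than exact hardware behaviour.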

Attacks

Flush and Reload

  1. Attacker maps shared memory
  2. Attacker flushes the shared cache line
  3. Victim loads the data into the same cache line
  4. Attacker reloads the data into the cache line

Using this attack, the attacker can see whether the victim has used the data in the meantime by looking at the timing of the data.

Prime and Probe

  1. Attacker primes the full cache line
  2. The victim is run and uses the same cache line, overwriting some values
  3. Attacker gets the data and measures the time that it takes, to see if it was overwritten

Flush and Flush

  1. Shared memory between the attacker and victim (let's say a library)
  2. Flush the cache from the attacker's side
  3. Let the victim run
  4. Flush the cache again from the attacker's side and see if it takes a long amount of time or a short amount of time
  5. If it's a long amount of time, then the victim reloaded that data into the cache.

Address-translation Oracle

  1. Flush the cache from the attacker's side
  2. Run prefetch on the address of the kernel. You can do this even if you don't have permissions to view that data
  3. Measure cache hits on the attacker's side. We try addresses until we get a cache hit with a timing difference