Write Me and I'll Tell You Secrets -- Write-After-Write Effects On Intel CPUs
Jan Philipp Thoma, Tim Güneysu

TL;DR
This paper uncovers a new side channel called Write+Write on Intel CPUs that leaks cache contention information, enabling rapid eviction set construction and more stealthy covert channels, challenging existing cache security measures.
Contribution
It introduces the Write+Write side channel, demonstrates its use in attacking cache randomization, and shows how Write-After-Write effects can enhance covert channel stealthiness.
Findings
Write+Write leaks cache set contention information.
Write+Write enables fast eviction set construction.
Write-After-Write can improve covert channel stealthiness.
Abstract
There is a long history of side channels in the memory hierarchy of modern CPUs. Especially the cache side channel is widely used in the context of transient execution attacks and covert channels. Therefore, many secure cache architectures have been proposed. Most of these architectures aim to make the construction of eviction sets infeasible by randomizing the address-to-cache mapping. In this paper, we investigate the peculiarities of write instructions in recent CPUs. We identify Write+Write, a new side channel on Intel CPUs that leaks whether two addresses contend for the same cache set. We show how Write+Write can be used for rapid construction of eviction sets on current cache architectures. Moreover, we replicate the Write+Write effect in gem5 and demonstrate on the example of ScatterCache how it can be exploited to efficiently attack state-of-the-art cache randomization schemes.…
