Optimization and Amplification of Cache Side Channel Signals
David A. Kaplan

TL;DR
This paper introduces novel CPU speculation gadgets that enhance cache side channel attacks by enabling signal modification and amplification, allowing effective attacks even with limited timer precision.
Contribution
The paper presents new speculative gadgets that optimize and amplify cache side channel signals, improving attack reliability under constrained timer access.
Findings
Cache signals can be reliably modified with near 100% accuracy.
Amplification techniques enable reading signals with timers as coarse as 100ms.
Techniques are effective on modern x86 CPUs.
Abstract
In cache-based side channel attacks, an attacker infers information about the victim based on the presence, or lack thereof, of one or more cachelines. Determining a cacheline's presence, which we refer to as "reading the signal", typically requires testing the access time of the line using a suitably high precision timer. In this paper we introduce novel gadgets which leverage CPU speculation to enable modification of these signals, before they are read, for a variety of purposes. First, these gadgets enable an attacker to optimize cache-based side channel attacks by evaluating arbitrary logic functions on cacheline signals prior to their measurement. Second, we demonstrate amplification techniques that enable an attacker to read a signal even if no high precision timer is available. Combined, these techniques can be used to improve existing side channel attacks even if timer access is…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cryptographic Implementations and Security
