RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks

Authors: 

Samira Briongos, Pedro Malagón, and José M. Moya, Integrated Systems Laboratory, Universidad Politécnica de Madrid; Thomas Eisenbarth, University of Lübeck and Worcester Polytechnic Institute

Abstract: 

Caches have become the prime method for unintended information extraction across logical isolation boundaries. They are widely available on all major CPU platforms and, as a side channel, caches provide great resolution, making them the most convenient channel for Spectre and Meltdown. As a consequence, several methods to stop cache attacks by detecting them have been proposed. Detection is strongly aided by the fact that observing cache activity of co-resident processes is not possible without altering the cache state and thereby forcing evictions on the observed processes. In this work we show that this widely held assumption is incorrect. Through clever usage of the cache replacement policy, it is possible to track cache accesses of a victim's process without forcing evictions on the victim's data. Hence, online detection mechanisms that rely on these evictions can be circumvented as they would not detect the introduced RELOAD+REFRESH attack. The attack requires a profound understanding of the cache replacement policy. We present a methodology to recover the replacement policy and apply it to the last five generations of Intel processors. We further show empirically that the performance of RELOAD+REFRESH on cryptographic implementations is comparable to that of other widely used cache attacks, while detection methods that rely on L3 cache events are successfully thwarted.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {251542,
author = {Samira Briongos and Pedro Malagon and Jose M. Moya and Thomas Eisenbarth},
title = {RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks},
booktitle = {29th {USENIX} Security Symposium ({USENIX} Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {1967--1984},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/briongos},
publisher = {{USENIX} Association},
month = aug,
}
Passed

Presentation Video