SEA Cache: A Performance-Efficient Countermeasure for Contention-based Attacks

Xiao Liu, Mark Zwolinski, Basel Halak

TL;DR

The paper tackles contention-based side-channel attacks on shared caches in cloud-like environments and critiques existing randomized remapping schemes for either being too costly or too permissive. It introduces the Skewed Elastic-Associativity (SEA) cache, which enables per-user and per-process logical associativity through reconfigurable, domain-based protection via SDID, while maintaining parallel-bank access to limit latency. SEA achieves substantially stronger defense against aggressive contention-based attacks—reported as up to about $20\times$ reduction in attack success—while incurring only a modest CPI penalty of around $0.6\%$ for normal-protection users and manageable hardware and power overheads (approximately $3.4\%$ area and $0.41W$ power). The work demonstrates that fine-grained security-performance trade-offs are achievable in shared caches, enabling cloud systems to assign higher protection only to security-critical workloads without sacrificing overall performance.

Abstract

Many cache designs have been proposed to guard against contention-based side-channel attacks. One well-known type of cache is the randomized remapping cache. Many randomized remapping caches provide fixed or over protection, which leads to permanent performance degradation, or they provide flexible protection, but sacrifice performance against strong contention-based attacks. To improve the secure cache design, we extend an existing secure cache design, CEASER-SH cache, and propose the SEA cache. The novel cache configurations in both caches are logical associativity, which allows the cache line to be placed not only in its mapped cache set but also in the subsequent cache sets. SEA cache allows each user or each process to have a different local logical associativity. Hence, only those users or processes that request extra protection against contention-based attacks are protected with high logical associativity. Other users or processes can access the cache with lower latency and higher performance. Compared to a CEASER-SH cache with logical associativity of 8, an SEA cache with logical associativity of 1 for normal protection users and 16 for high protection users has a Cycles Per Instruction penalty that is about 0.6% less for users under normal protections and provides better security against contention-based attacks. Based on a 45nm technology library, and compared to a conventional cache, we estimate the power overhead is about 20% and the area overhead is 3.4%.
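
The placement rule in the abstract (a line may sit in its mapped set or in the following sets, with a per-user logical associativity) can be seen in a small model. This is an added illustration, not code from the paper: `ToyElasticCache`, plain modulo indexing (no encrypted addressing or skews), FIFO replacement and domain-tagged lines are all assumptions of this sketch.

```python
class ToyElasticCache:
    """Toy model only: modulo indexing, FIFO replacement (both assumed)."""

    def __init__(self, num_sets, ways, assoc_by_domain):
        self.num_sets, self.ways = num_sets, ways
        self.assoc = assoc_by_domain               # domain id -> logical associativity H
        self.sets = [[] for _ in range(num_sets)]  # entries: (tick, domain, addr)
        self.tick = 0

    def candidate_sets(self, domain, addr):
        """Mapped set plus the H-1 subsequent sets, wrapping at the end."""
        base = addr % self.num_sets
        return [(base + i) % self.num_sets for i in range(self.assoc[domain])]

    def lookup(self, domain, addr):
        """Return (hit, number of sets that had to be searched)."""
        cands = self.candidate_sets(domain, addr)
        hit = any((d, a) == (domain, addr)
                  for s in cands for _, d, a in self.sets[s])
        return hit, len(cands)

    def insert(self, domain, addr):
        """Place a line; return the evicted (domain, addr) or None."""
        self.tick += 1
        cands = self.candidate_sets(domain, addr)
        for s in cands:                            # use a free way if any
            if len(self.sets[s]) < self.ways:
                self.sets[s].append((self.tick, domain, addr))
                return None
        # Every candidate way is full: evict the oldest line among them.
        victim_set = min(cands, key=lambda s: min(self.sets[s])[0])
        oldest = min(self.sets[victim_set])
        self.sets[victim_set].remove(oldest)
        self.sets[victim_set].append((self.tick, domain, addr))
        return oldest[1:]


def conflicting_fills_to_evict(h, num_sets=64, ways=4):
    """Same-set fills needed before the first inserted line is evicted."""
    cache = ToyElasticCache(num_sets, ways, {0: h})
    target = 5                                     # constructed sample address
    cache.insert(0, target)
    fills = 0
    while cache.lookup(0, target)[0]:
        fills += 1
        cache.insert(0, target + fills * num_sets)  # maps to the same set
    return fills
```

In this model the number of conflicting fills needed to force an eviction grows as `ways * H`, while the number of sets a lookup must search grows as `H`, which is the security and performance trade-off the abstract describes.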

Paper Structure (21 sections, 6 figures, 1 table)

Figures (6)

  • Figure 1: The alienation example of logical associativity. User 0 has a logical associativity of 2, and user 1 has a logical associativity of 3.
  • Figure 2: An example of sharing data problem while two users have different logical associativities, which finally leads to a memory coherence problem.
  • Figure 3: An example of SDID and logical associativity changes while the data is shared between A and B. Where A is in the $H=1$ domain (circled in blue) and B is in the $H=3$ domain (circled in red).
  • Figure 4: The MPKI of the SEA cache with different $VH$ and $AH$.
  • Figure 5: The CPI of core 0 for the SEA cache. Core 0 has different logical associativity, and the logical associativity of core 1 is set to 1.
  • ...and 1 more figures