Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

RollingCache: Using Runtime Behavior to Defend Against Cache Side Channel Attacks

Divya Ojha, Sandhya Dwarkadas

TL;DR

RollingCache tackles cache side-channel leaks that arise from deterministic address-to-cache-set mappings by introducing runtime nondeterminism through an indirection layer that separates AddrSets from CacheSets. It uses two pointers, $PrPtr$ and $PsPtr$, to map each AddrSet to two CacheSets and updates the active mapping after $W$ fills, without relocating data; a freelist selects random replacement victims, and the mapping evolves with cache activity. Security analysis shows that prime/probe attacks lose precision because eviction sets continually morph and misses can arise from self-evictions, other AddrSets, or pointer rollovers, making victim inferences unreliable. Performance evaluation on ChampSim with SPEC2017 workloads reports an average slowdown of about $1.67\%$ and an area overhead around $5\%$, with scalability across LLC sizes, indicating practical viability for defending against contention-based attacks while preserving cache usability.

Abstract

Shared caches are vulnerable to side channel attacks through contention in cache sets. Besides being a simple source of information leak, these side channels form useful gadgets for more sophisticated attacks that compromise the security of shared systems. The fundamental design aspect that contention attacks exploit is the deterministic nature of the set of addresses contending for a cache set. In this paper, we present RollingCache, a cache design that defends against contention attacks by dynamically changing the set of addresses contending for cache sets. Unlike prior defenses, RollingCache does not rely on address encryption/decryption, data relocation, or cache partitioning. We use one level of indirection to implement dynamic mapping controlled by the whole-cache runtime behavior. Our solution does not depend on having defined security domains, and can defend against an attacker running on the same or another core. We evaluate RollingCache on ChampSim using the SPEC-2017 benchmark suite. Our security evaluation shows that our dynamic mapping removes the deterministic ability to identify the source of contention. The performance evaluation shows an impact of 1.67\% over a mix of workloads, with a corresponding

RollingCache: Using Runtime Behavior to Defend Against Cache Side Channel Attacks

TL;DR

RollingCache tackles cache side-channel leaks that arise from deterministic address-to-cache-set mappings by introducing runtime nondeterminism through an indirection layer that separates AddrSets from CacheSets. It uses two pointers, and , to map each AddrSet to two CacheSets and updates the active mapping after fills, without relocating data; a freelist selects random replacement victims, and the mapping evolves with cache activity. Security analysis shows that prime/probe attacks lose precision because eviction sets continually morph and misses can arise from self-evictions, other AddrSets, or pointer rollovers, making victim inferences unreliable. Performance evaluation on ChampSim with SPEC2017 workloads reports an average slowdown of about and an area overhead around , with scalability across LLC sizes, indicating practical viability for defending against contention-based attacks while preserving cache usability.

Abstract

Shared caches are vulnerable to side channel attacks through contention in cache sets. Besides being a simple source of information leak, these side channels form useful gadgets for more sophisticated attacks that compromise the security of shared systems. The fundamental design aspect that contention attacks exploit is the deterministic nature of the set of addresses contending for a cache set. In this paper, we present RollingCache, a cache design that defends against contention attacks by dynamically changing the set of addresses contending for cache sets. Unlike prior defenses, RollingCache does not rely on address encryption/decryption, data relocation, or cache partitioning. We use one level of indirection to implement dynamic mapping controlled by the whole-cache runtime behavior. Our solution does not depend on having defined security domains, and can defend against an attacker running on the same or another core. We evaluate RollingCache on ChampSim using the SPEC-2017 benchmark suite. Our security evaluation shows that our dynamic mapping removes the deterministic ability to identify the source of contention. The performance evaluation shows an impact of 1.67\% over a mix of workloads, with a corresponding
Paper Structure (33 sections, 18 equations, 12 figures, 2 tables)

This paper contains 33 sections, 18 equations, 12 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Cache Access
  4. Cache Side Channels
  5. Eviction Sets
  6. Hiding Eviction Sets
  7. RollingCache: Dynamic Contention
  8. Contention Across Address Sets
  9. Threat Model
  10. Goals and Insights
  11. Design and Implementation
  12. Using Indirection
  13. Pointer Update
  14. Replacement CacheSet Victim
  15. Cache Initialization
  16. ...and 18 more sections

Figures (12)

  • Figure 1: RollingCache has pointers from AddrSets to CacheSets and a freelist to identify CacheSets with free cache lines.
  • Figure 2: AddrSet A rolls from CacheSet K to L to I
  • Figure 3: Pointer updates result in cross AddrSet contention
  • Figure 4: Flowchart demonstrating pointer update.
  • Figure 5: Example attack sequence for a 2-way RollingCache
  • ...and 7 more figures