TY - GEN
T1 - Prune+PlumTree - Finding Eviction Sets at Scale
AU - Kessous, Tom
AU - Gilboa, Niv
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024/1/1
Y1 - 2024/1/1
N2 - Finding eviction sets for a large fraction of the cache is an essential preprocessing step for Prime+Probe based cache side-channel attacks. Previous work on this problem reduces it to finding an eviction set for each cache set independently. In a w-way, set-associative cache with s cache sets this approach requires Ω(s2w) time.This work introduces the Prune+PlumTree algorithm, which finds eviction sets for any constant fraction of the cache in time O(sw log s), assuming the LRU cache replacement policy. We complement the asymptotic result with tests on current Intel processors, with 16k sets in the Last Level Cache (LLC) and 4 Kbyte memory pages, finding eviction sets for more than 98% of the LLC in 40-63 milliseconds, improving over previous work by two orders of magnitude. Simulating Prune+PlumTree on a standard, i.e. unskewed, randomized cache, mapping addresses to random cache sets, results in finding eviction sets for more than 98% of a 12-way cache with 214 sets in less than 7.4 seconds.We further adapt Prune+PlumTree to caches with a random replacement policy based on a novel method to prune a large set of random memory lines to a union of minimal eviction sets in this setting. This variant of Prune+PlumTree runs in time O(sw2 log s). As a final contribution, we show that Prune+PlumTree for the LRU replacement policy has asymptotically tight running time by proving that any algorithm that maps a constant fraction of the cache runs in time Ω(sw log s).
AB - Finding eviction sets for a large fraction of the cache is an essential preprocessing step for Prime+Probe based cache side-channel attacks. Previous work on this problem reduces it to finding an eviction set for each cache set independently. In a w-way, set-associative cache with s cache sets this approach requires Ω(s2w) time.This work introduces the Prune+PlumTree algorithm, which finds eviction sets for any constant fraction of the cache in time O(sw log s), assuming the LRU cache replacement policy. We complement the asymptotic result with tests on current Intel processors, with 16k sets in the Last Level Cache (LLC) and 4 Kbyte memory pages, finding eviction sets for more than 98% of the LLC in 40-63 milliseconds, improving over previous work by two orders of magnitude. Simulating Prune+PlumTree on a standard, i.e. unskewed, randomized cache, mapping addresses to random cache sets, results in finding eviction sets for more than 98% of a 12-way cache with 214 sets in less than 7.4 seconds.We further adapt Prune+PlumTree to caches with a random replacement policy based on a novel method to prune a large set of random memory lines to a union of minimal eviction sets in this setting. This variant of Prune+PlumTree runs in time O(sw2 log s). As a final contribution, we show that Prune+PlumTree for the LRU replacement policy has asymptotically tight running time by proving that any algorithm that maps a constant fraction of the cache runs in time Ω(sw log s).
UR - https://www.scopus.com/pages/publications/85204033335
U2 - 10.1109/SP54263.2024.00173
DO - 10.1109/SP54263.2024.00173
M3 - Conference contribution
AN - SCOPUS:85204033335
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 3754
EP - 3772
BT - Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
PB - Institute of Electrical and Electronics Engineers
T2 - 45th IEEE Symposium on Security and Privacy, SP 2024
Y2 - 20 May 2024 through 23 May 2024
ER -