Theory and Practice of Finding Eviction Sets

2019 IEEE Symposium on Security and Privacy (SP) Pub Date : 2018-10-02 DOI:10.1109/SP.2019.00042

Pepe Vila, Boris Köpf, J. Morales

{"title":"Theory and Practice of Finding Eviction Sets","authors":"Pepe Vila, Boris Köpf, J. Morales","doi":"10.1109/SP.2019.00042","DOIUrl":null,"url":null,"abstract":"Many micro-architectural attacks rely on the capability of an attacker to efficiently find small eviction sets: groups of virtual addresses that map to the same cache set. This capability has become a decisive primitive for cache side-channel, rowhammer, and speculative execution attacks. Despite their importance, algorithms for finding small eviction sets have not been systematically studied in the literature. In this paper, we perform such a systematic study. We begin by formalizing the problem and analyzing the probability that a set of random virtual addresses is an eviction set. We then present novel algorithms, based on ideas from threshold group testing, that reduce random eviction sets to their minimal core in linear time, improving over the quadratic state-of-the-art. We complement the theoretical analysis of our algorithms with a rigorous empirical evaluation in which we identify and isolate factors that affect their reliability in practice, such as adaptive cache replacement strategies and TLB thrashing. Our results indicate that our algorithms enable finding small eviction sets much faster than before, and under conditions where this was previously deemed impractical.","PeriodicalId":272713,"journal":{"name":"2019 IEEE Symposium on Security and Privacy (SP)","volume":"350 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-10-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"95","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2019.00042","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 95

Abstract

Many micro-architectural attacks rely on the capability of an attacker to efficiently find small eviction sets: groups of virtual addresses that map to the same cache set. This capability has become a decisive primitive for cache side-channel, rowhammer, and speculative execution attacks. Despite their importance, algorithms for finding small eviction sets have not been systematically studied in the literature. In this paper, we perform such a systematic study. We begin by formalizing the problem and analyzing the probability that a set of random virtual addresses is an eviction set. We then present novel algorithms, based on ideas from threshold group testing, that reduce random eviction sets to their minimal core in linear time, improving over the quadratic state-of-the-art. We complement the theoretical analysis of our algorithms with a rigorous empirical evaluation in which we identify and isolate factors that affect their reliability in practice, such as adaptive cache replacement strategies and TLB thrashing. Our results indicate that our algorithms enable finding small eviction sets much faster than before, and under conditions where this was previously deemed impractical.

查看原文本刊更多论文

寻找驱逐集的理论与实践

许多微体系结构攻击依赖于攻击者有效地找到小的驱逐集的能力:映射到相同缓存集的虚拟地址组。这种能力已经成为缓存侧信道攻击、回旋锤攻击和推测性执行攻击的决定性原语。尽管它们很重要，但寻找小驱逐集的算法尚未在文献中进行系统研究。在本文中，我们进行了这样一个系统的研究。我们首先将问题形式化，并分析一组随机虚拟地址是驱逐集的概率。然后，我们提出了基于阈值组测试思想的新算法，该算法在线性时间内将随机驱逐集减少到最小核心，改进了二次型技术。我们通过严格的经验评估来补充算法的理论分析，其中我们确定并隔离了在实践中影响其可靠性的因素，例如自适应缓存替换策略和TLB抖动。我们的研究结果表明，我们的算法能够比以前更快地找到小型驱逐集，并且在以前被认为不切实际的情况下。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量