A Closer Look at Cache Replacement Policies on ARM

Supervisor(s): Kilian Zinnecker, Andreas Seelos-Zankl
Status: finished
Topic: Others
Author: Robert Imschweiler
Submission: 2024-12-10
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Modern CPUs rely heavily on caches to speed up memory accesses. Caches are shared
resources, and their behavior has been shown to leak information between processes.
This side-channel can, for instance, be exploited to retrieve private cryptographic keys
or passwords. A large group of these side-channel attacks rely on the targeted eviction
of data and instructions from the cache. The efficiency of this eviction increases through
knowledge about the implementation details of the cache. The cache replacement
policies are particularly relevant since they directly affect the targeted eviction. While
the implementation details of these policies are usually not publicly available, they are
crucial for assessing the vulnerability of processors and systems to cache attacks. In
this work, we thus study cache replacement policies on ARMv8-A CPUs and infer their
functionality from careful observation of the cache behavior. Previous research has
proposed multiple effective approaches for the x86 architecture. We select two existing
frameworks, combine and port them to the ARMv8-A architecture, and add support
for hardware debugging probes. With this setup, we infer the replacement policy of the
ARM Cortex-A76 L1 data cache, study the pseudo-random replacement policy of the
ARM Cortex-A55 L1 data cache, and develop approximations of the currently unknown
replacement policy employed by the ARM Cortex-A76 L2 cache. The results show that
our framework is capable of revealing implementation details of replacement policies
found on ARM CPUs, which establishes a foundation for in-depth risk analysis and for
developing next-generation cache replacement policies with increased resilience against
cache attacks.
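
The idea of inferring a replacement policy from observed cache behavior can be illustrated with a small software model. The following is an added example, not code from the thesis or its framework: it models a single cache set, treats LRU and FIFO as the only candidate policies (an assumption), searches for the shortest access sequence on which they produce different hit/miss patterns, and then checks which candidate matches an observed pattern. The observed patterns used with it are constructed; on hardware they would come from timing or performance-counter measurements.

```python
from itertools import product


class SetModel:
    """One cache set; `lines` is ordered from next victim to most protected."""

    def __init__(self, ways, promote_on_hit):
        self.ways = ways
        self.promote_on_hit = promote_on_hit  # True models LRU, False models FIFO
        self.lines = []

    def access(self, tag):
        hit = tag in self.lines
        if hit and self.promote_on_hit:
            # LRU: a hit moves the line to the most-protected position.
            self.lines.remove(tag)
            self.lines.append(tag)
        elif not hit:
            if len(self.lines) == self.ways:
                self.lines.pop(0)  # evict the current victim
            self.lines.append(tag)
        return hit


# Candidate policies considered by this example (assumption: only these two).
CANDIDATES = {"LRU": True, "FIFO": False}


def simulate(policy, ways, seq):
    """Return the hit/miss pattern a candidate policy yields for `seq`."""
    cache_set = SetModel(ways, CANDIDATES[policy])
    return [cache_set.access(tag) for tag in seq]


def consistent_policies(ways, seq, observed):
    """Candidates whose simulated pattern equals the observed one."""
    return [p for p in CANDIDATES if simulate(p, ways, seq) == list(observed)]


def distinguishing_sequence(ways, a, b, max_len=8):
    """Shortest sequence over ways+1 congruent blocks that separates a from b."""
    tags = [chr(ord("A") + i) for i in range(ways + 1)]
    for length in range(1, max_len + 1):
        for seq in product(tags, repeat=length):
            if simulate(a, ways, seq) != simulate(b, ways, seq):
                return list(seq)
    return None  # indistinguishable within max_len accesses
```

A pseudo-random policy would not match any deterministic candidate reliably, so it has to be characterized statistically rather than by exact pattern matching.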