Presentation
ZenLeak: Practical Last-Level Cache Side-Channel Attacks on AMD Zen Processors*
DescriptionWhile Last-Level Cache (LLC) side-channel attacks often target inclusive caches, directory-based attacks on non-inclusive caches have been demonstrated on Intel and ARM processors. However, the vulnerability of AMD's non-inclusive caches to such attacks has remained uncertain, primarily due to challenges in reverse-engineering cache addressing, constructing eviction sets, and evicting private cache lines.
This paper addresses these challenges and demonstrates the feasibility of conducting LLC side-channel attacks on AMD's non-inclusive caches. We first reverse-engineer the cache addressing functions for the L2 set index, L3 slice, and L3 set index. Leveraging this insight, we construct the first eviction sets on AMD processors. We then introduce the first LLC side-channel attack on AMD's Zen series CPUs. The effectiveness of our approach is validated by attacking OpenSSL's AES T-table.
This paper addresses these challenges and demonstrates the feasibility of conducting LLC side-channel attacks on AMD's non-inclusive caches. We first reverse-engineer the cache addressing functions for the L2 set index, L3 slice, and L3 set index. Leveraging this insight, we construct the first eviction sets on AMD processors. We then introduce the first LLC side-channel attack on AMD's Zen series CPUs. The effectiveness of our approach is validated by attacking OpenSSL's AES T-table.
Event Type
Research Manuscript
TimeMonday, June 2310:45am - 11:00am PDT
Location3003, Level 3
Security
SEC3: Hardware Security: Attack & Defense