Cache Speculation Side-Channels

A look at the susceptibility of Arm implementations based upon new attack mechanisms.


Cache timing side-channels are a well understood concept in the area of security research. As such, this whitepaper will provide a simple conceptual overview rather than an in-depth explanation.

The basic principle behind cache timing side-channels is that the pattern of allocations into the cache, and, in particular, which cache sets have been used for the allocation, can be determined by measuring the time taken to access entries that were previously in the cache, or by measuring the time to access the entries that have been allocated. This then can be used to determine which addresses have been allocated into the cache.

The novelty of speculation-based cache timing side-channels is their use of speculative memory reads. Speculative memory reads are typical of advanced micro-processors and part of the overall functionality which enables very high performance. By performing speculative memory reads to cacheable locations beyond an architecturally unresolved branch (or other change in program flow), and, further, the result of those reads can themselves be used to form the addresses of further speculative memory reads. These speculative reads cause allocations of entries into the cache whose addresses are indicative of the values of the first speculative read. This becomes an exploitable side-channel if untrusted code is able to control the speculation in such a way it causes a first speculative read of location which would not otherwise be accessible at that untrusted code. But the effects of the second speculative allocation within the caches can be measured by that untrusted code.

At this time, three variant mechanisms have been identified. Each potentially using the speculation of a processor to influence which cache entries have been allocated in a way to extract some information which would not otherwise be accessible to software.

This paper examines the nature of these three mechanisms, their state of knowledge and potential mitigations for the mechanisms in Arm software. It looks at the susceptibility of Arm implementations following recent research findings from security researchers at Google on new potential cache timing side-channels exploiting processor speculation. This paper also outlines possible mitigations that can be employed for software designed to run on existing Arm processors.

To read more, click here.

Leave a Reply