Advanced profiling for probabilistic Prime+Probe attacks and covert channels in ScatterCache

Abstract: Timing channels in cache hierarchies are an important enabler in many microarchitectural attacks. ScatterCache (USENIX 2019) is a protected cache architecture that randomizes the address-to-index mapping with a keyed cryptographic function, aiming to thwart the usage of cache-based timing channels in microarchitectural attacks. In this note, we advance the understanding of the security of ScatterCache by outlining two attacks in the noise-free case, i.e. matching the assumptions in the original analysis. As a first contribution, we present more efficient eviction set profiling, reducing the required number of observable victim accesses (and hence profiling runtime) by several orders of magnitude. For instance, to construct a reliable eviction set in an 8-way set associative cache with 11 index bits, we relax victim access requirements from approximately $2^{25}$ to less than $2^{10}$. As a second contribution, we demonstrate covert channel profiling and transmission in probabilistic caches like ScatterCache. By exploiting arbitrary collisions instead of targeted ones, our approach significantly outperforms known covert channels (e.g. full-cache eviction).