CTPP: A Fast and Stealth Algorithm for Searching Eviction Sets on Intel Processors

Eviction sets are essential components of the conflict-based cache side-channel attacks. However, it is not an easy task to construct eviction sets on modern Intel processors. As a promising defense against conflict-based cache side-channels, dynamic cache randomization makes the construction of eviction sets even more difficult by periodically randomizing the mapping between addresses and cache set indices. It forces attackers to develop fast search algorithms to find an eviction set at runtime with the lowest latency. Several fast search algorithms have been proposed in recent years. By using these algorithms, attackers regain the capability of launching useful attacks on dynamically randomized caches. Consequently, a detector was recently introduced to catch the fast search algorithms in action according to the uneven distribution of cache evictions. All existing fast search algorithms fail to work. We present a new eviction set search algorithm called Conflict Testing with Probe+Prune (CTPP). Based on the evaluation on six Intel processors and a behavioral cache model, CTPP is found to achieve the lowest latency in finding an eviction set in all algorithms, potentially escape from the recently proposed detector, and present a strong tolerance to environmental noise.