ClepsydraCache -- Preventing Cache Attacks with Time-Based Evictions
This work addresses cache side-channel vulnerabilities that expose users and organizations to microarchitectural attacks, and it proposes a new mitigation approach rather than an incremental improvement to existing defenses.
The paper tackles cache side-channel attacks on the CPU microarchitecture by introducing ClepsydraCache, which combines cache decay and index randomization with a dynamic Time-To-Live (TTL) scheduling mechanism. The design protects against state-of-the-art attacks such as Prime+(Prune+)Probe while maintaining performance, as demonstrated with a full prototype in gem5 and a proof-of-concept hardware design of the TTL mechanism.
In recent years, we have witnessed a shift towards attacks on the microarchitectural level of the CPU. In particular, cache side-channels play a predominant role, as they allow an attacker to exfiltrate secret information by exploiting the CPU microarchitecture. These subtle attacks exploit the architectural visibility of conflicting cache addresses: an attacker observes whether its own lines were displaced by a victim's secret-dependent accesses. In this paper, we present ClepsydraCache, which mitigates state-of-the-art cache attacks using a novel combination of cache decay and index randomization. Each cache entry is linked with a Time-To-Live (TTL) value and is evicted once that value expires. We propose a new dynamic scheduling mechanism for the TTL, which plays a fundamental role in preventing those attacks while maintaining performance. ClepsydraCache efficiently protects against the latest cache attacks such as Prime+(Prune+)Probe. We present a full prototype in gem5 and lay out a proof-of-concept hardware design of the TTL mechanism, which demonstrates the feasibility of deploying ClepsydraCache in real-world systems.
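The following toy simulation is an added example and not code from the paper or its gem5 prototype. It models the two ingredients the abstract names, cache decay and index randomization, against a single-set Prime+Probe attacker, and shows why the TTL value matters: with a fixed TTL that expires before the probe, the attacker's miss count is the same whether or not the victim touched the set; with a TTL longer than the attack window, the leak reappears. Everything here is an assumption for illustration: LRU replacement, a constant TTL set at insertion and not refreshed on hits, the toy keyed index function and the constant `INDEX_KEY`, and the helper names `Cache`, `eviction_set`, `prime_probe` and `leaks`. ClepsydraCache's dynamic TTL scheduling, which is what lets the real design avoid this tuning problem, is not modeled.

```python
"""Toy model of Prime+Probe against (a) a plain set-associative cache and
(b) a cache with per-line Time-To-Live decay plus keyed index randomization.

Added illustration, not the paper's code. Assumptions: LRU replacement, a
fixed TTL set at insertion and not refreshed on hit, a toy keyed index
function, and one attacker targeting one set. ClepsydraCache's dynamic TTL
scheduling is not modeled; the constant TTL here is a stand-in.
"""
from collections import OrderedDict

LINE_BITS = 6           # 64-byte cache lines
INDEX_KEY = 0x9E3779B1  # constructed secret for the toy randomized index


class Cache:
    def __init__(self, num_sets, ways, ttl=None, index_key=0):
        self.num_sets, self.ways, self.ttl = num_sets, ways, ttl
        self.index_key = index_key               # 0 means plain address-bit indexing
        self.sets = [OrderedDict() for _ in range(num_sets)]  # tag -> expiry time
        self.clock = 0

    def index(self, addr):
        line = addr >> LINE_BITS
        if self.index_key == 0:
            return line % self.num_sets          # conventional: low line-address bits
        h = (line * self.index_key) & 0xFFFFFFFF
        h ^= h >> 16                             # mix high (tag) bits into the set choice
        return h % self.num_sets

    def tick(self, cycles):
        """Advance time; lines whose TTL has elapsed are evicted (cache decay)."""
        self.clock += cycles
        if self.ttl is None:
            return
        for s in self.sets:
            for tag in [t for t, expiry in s.items() if expiry <= self.clock]:
                del s[tag]

    def access(self, addr):
        """Return True on hit, False on miss (a miss inserts; LRU victim on a full set)."""
        tag = addr >> LINE_BITS
        s = self.sets[self.index(addr)]
        if tag in s:
            s.move_to_end(tag)                   # mark most recently used
            return True
        if len(s) >= self.ways:
            s.popitem(last=False)                # evict the LRU line
        s[tag] = self.clock + self.ttl if self.ttl is not None else None
        return False


def eviction_set(target_set, ways, num_sets):
    """Addresses an attacker derives from address bits to fill target_set."""
    return [(target_set + k * num_sets) << LINE_BITS for k in range(ways)]


def prime_probe(cache, target_set, victim_addr, victim_accesses, wait):
    """One Prime+Probe round; returns the number of probe misses observed."""
    ev = eviction_set(target_set, cache.ways, cache.num_sets)
    for a in ev:
        cache.access(a)                          # prime: fill the target set
    cache.tick(wait)                             # victim runs for `wait` cycles
    if victim_accesses:
        cache.access(victim_addr)                # secret-dependent access
    return sum(not cache.access(a) for a in ev)  # probe: count misses


def leaks(ttl=None, wait=0, index_key=0, num_sets=64, ways=4, target_set=5):
    """True if the attacker's miss count differs with and without the victim's access."""
    victim_addr = (target_set + 1000 * num_sets) << LINE_BITS  # same set under plain indexing
    results = []
    for victim_accesses in (True, False):
        c = Cache(num_sets, ways, ttl=ttl, index_key=index_key)
        results.append(prime_probe(c, target_set, victim_addr, victim_accesses, wait))
    return results[0] != results[1]


if __name__ == "__main__":
    print("plain cache leaks:", leaks())                                   # True
    print("TTL 10, probe after 20 cycles leaks:", leaks(ttl=10, wait=20))  # False
    print("TTL 10, probe after 5 cycles leaks:", leaks(ttl=10, wait=5))    # True
    ev = eviction_set(5, 4, 64)
    print("sets covered by the attacker's eviction set under randomized indexing:",
          sorted({Cache(64, 4, index_key=INDEX_KEY).index(a) for a in ev}))
```

The last line shows the second ingredient: an eviction set built from address bits lands in a single set under conventional indexing but scatters across several sets once the index depends on a secret key, so the attacker cannot even prime the set it wants. The toy index function is a keyed hash for demonstration only and makes no claim about the mapping ClepsydraCache uses.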