Seeds of SEED: A Side-Channel Resilient Cache Skewed by a Linear Function over a Galois Field
This addresses cache side-channel vulnerabilities for systems with multiple distrusting principals, such as processes or virtual machines, offering a hardware-efficient solution to mitigate information leakage.
The paper tackles the problem of side-channel attacks in shared caches by proposing a linear skewing of cache sets over a Galois field, which ensures that each cache set of one security domain intersects every cache set of every other domain exactly once, making random evictions observable across domains via Prime+Probe attacks.
Consider a set-associative cache with $p^n$ sets and $p^n$ ways where $p$ is prime and $n>0$. Furthermore, assume that the cache may be shared among $p^n$ mutually distrusting principals that may use the Prime+Probe side-channel attack against one another; architecturally, these principals occupy separate security domains (for example, separate processes, virtual machines, sandboxes, etc.). This paper shows that there exists a linear skewing of cache sets over the Galois field $G_{p^n}$ that exhibits the following property: each cache set of each security domain intersects every cache set of every other security domain exactly once. Therefore, a random eviction from a single cache set in security domain $A$ may be observed via Prime+Probe in any of security domain $B$'s cache sets. This paper characterizes this linear skewing and describes how it can be implemented efficiently in hardware.