A Benchmark Suite for Evaluating Caches' Vulnerability to Timing Attacks by Deng, Shuwen et al.
A Benchmark Suite for Evaluating Caches’ Vulnerability to Timing Attacks
Shuwen Deng, Wenjie Xiong, Jakub Szefer
Yale University
{shuwen.deng, wenjie.xiong, jakub.szefer}@yale.edu
Abstract
Timing-based side or covert channels in processor caches
continue to present a threat to computer systems, and they
are the key to many of the recent Spectre and Meltdown at-
tacks. Based on improvements to an existing three-step model
for cache timing-based attacks, this work presents 88 Strong
types of theoretical timing-based vulnerabilities in processor
caches. To understand and evaluate all possible types of vul-
nerabilities in processor caches, this work further presents
and implements a new benchmark suite which can be used
to test to which types of cache timing-based attacks a given
processor or cache design is vulnerable. In total, there are
1094 automatically-generated test programs which cover the
88 theoretical vulnerabilities. The benchmark suite generates
the Cache Timing Vulnerability Score which can be used to
evaluate how vulnerable a specific cache implementation is to
different attacks. A smaller Cache Timing Vulnerability Score
means the design is more secure, and the scores among differ-
ent machines can be easily compared. Evaluation is conducted
on commodity Intel and AMD processors and shows the dif-
ferences in processor implementations can result in different
types of attacks that they are vulnerable to. Beyond testing
commodity processors, the benchmarks and the Cache Timing
Vulnerability Score can be used to help designers of new se-
cure processor caches evaluate their design’s susceptibility to
cache timing-based attacks.
1. Introduction
Cache timing channels have long been used to deploy attacks
that can reconstruct sensitive data, especially secrets such as
cryptographic keys [3, 2, 36]. They usually make use of the
timing difference in the memory operations between observing
a cache hit and a cache miss to derive the victim’s secrets.
Since 2018, the cache timing-based attacks have gained new
attention due to their use in Spectre [26] and Meltdown [31].
With the long history of attacks, there are also many de-
fenses proposed or deployed in software, e.g., [7, 27], and in
hardware, e.g., [53, 54, 44, 45, 33, 6, 43, 30, 50, 14, 32, 24, 23,
25, 49, 4, 38, 47]. However, existing defenses can usually only
prevent a subset of the attacks. For example, RIC [23] cache
has been shown to be able to defend the Prime+Probe type of
attacks [36, 37], but is vulnerable to the Flush+Reload [52]
type of attacks. More importantly, so far most researchers have
focused on coming up with individual attacks (and defenses
for them), and there has been limited work on understanding
all possible types of attacks.
To address the need to understand and evaluate all the dif-
ferent possible types of attacks, this paper presents both a the-
oretical model of all possible timing-based attacks in caches,
and a benchmark suite that can test for the theoretical vulnera-
bilities on real processors, or simulations of new designs. A
key part of this work is an improved three-step model. Com-
pared to existing work [11], the new three-step model addition-
ally considers: (1) differences in “local” and “remote” cores
for making the timing observations, and running the victim
or the attacker code, (2) the victim and attacker running in
hyper-threading or time-slicing, (3) using both read and write
operations as memory accesses in the potential attacks (all
but one prior work only considered reads), and (4) two types
of cache line invalidation operations, through flush instruc-
tion, or using cache coherence by writing on “remote” core
to invalidate “local” core’s cache lines. The new three-step
model shows 32 new types of timing-based vulnerabilities not
considered before, which is in addition to new attacks found
in the three-step model in [11].
Based upon the new three-step model, we derive that there
are in total 88 Strong type of vulnerabilities, including 32 new
ones. For these vulnerabilities, we write scripts to automat-
ically generate a total of 1094 benchmarks, which consider
different variants for each vulnerability, such as using reads
vs. using writes. The benchmarks are then used to test com-
modity Intel and AMD machines on both workstations and
servers in lab and machines in Amazon’s EC2 cloud. The
benchmarks can also be run on simulators to evaluate new
types of secure processor caches. The benchmarks are fur-
ther used to generate a new Cache Timing Vulnerability Score
(CTVS), which can help evaluate how different processors are
vulnerable to different attacks – differences of the processor
implementations mean that not all processors have the same
vulnerabilities. Based on the CTVS, designers can have a
better understanding of the vulnerabilities in their designs and
can develop new defenses. The defenses can, for example, be
customized to vulnerabilities that CTVS detects on the given
processor, instead of a one-size-fits-all defense.
While the paper focuses on the 88 types of vulnerabilities
for the benchmark design, we also generated benchmarks for
all 4913 possible three-step combinations in the three-step
model. Based on the results, there are no more effective ones
that are found apart from the vulnerabilities we derived.
1.1. Contributions
The contributions of this work are as follows:
• Derivation of a set of timing vulnerabilities on caches by the
three-step model, based on improved modeling of the pro-
cessor’s behavior; a total of 88 Strong vulnerability types are
ar
X
iv
:1
91
1.
08
61
9v
1 
 [c
s.C
R]
  1
9 N
ov
 20
19
2 BACKGROUND
derived, including 32 new ones compared to prior work [11].
• Development of the first automatically-generated bench-
mark suite that is used to evaluate processor caches’ vulner-
ability to all possible timing attacks.
• Evaluation of the benchmarks on Intel and AMD processors
in the lab and on Amazon’s EC2 cloud environment.
• Generation of Cache Timing Vulnerability Score of proces-
sors to understand which attacks they are vulnerable to,
evaluate and customize defenses.
• Validation of the three-step model using the benchmarks,
demonstrating no benchmarks that give positive results be-
yond the ones corresponding to the 88 Strong types of vul-
nerabilities (in addition to Weak and repeat types).
The benchmarks and other code used in this paper will be re-
leased under open-source license at https://urlredacted.
2. Background
This section presents background on cache timing-based at-
tacks, the existing three-step model and existing metrics used
to help understand vulnerabilities of caches to timing attacks.
2.1. Timing of Memory Operations and Caches
Processor caches are the key to helping processors maintain
high performance when accessing data. However, the caches
are of finite size, not all data can fit in them, and timing related
to the memory operations involving caches, such as accesses
resulting in cache hits and misses, can reveal information
about the addresses or even data (for instruction caches it may
be possible to reveal information about instructions as well).
In general, two types of memory-related operations exhibit
timing variations that can be abused for timing-based side or
covert channel attacks in processor data caches. First, memory
access operations, such as loads and stores can be fast (e.g., a
cache hit) or slow (e.g., a cache miss). Second, invalidation-
related operations, such as cache flush, can be fast (e.g., there
is no dirty data in cache so flush finishes quickly) or slow (e.g.,
there is dirty data in the cache so it has to be written back,
resulting in longer timing).
2.2. Timing-Based Attacks on Processor Caches
Researchers have proposed to use the timing differences in
memory-related operations to attack software, e.g., [19, 37,
2, 3, 1]. Especially, the timing-based side-channel attacks
often focus on cryptographic applications, e.g., attacks on
software using AES with table lookups [8]. Further, there are
many timing-based covert-channel attacks where the sender
and receiver cooperate to leak data, e.g., there are cache covert
channels focusing on the last-level cache [34] and cross-core
cache covert channels [35]. And most recently, timing-based
channels are used as part of Spectre and Meltdown variants,
e.g., [26, 31, 40, 29].
Table 1: The 17 possible states for a single cache block of three-step
model in [11].
State Description
Vu
The cache block contains a specific memory location u brought
in by the victim, which is the address unknown to the attacker
but within the set of sensitive memory locations x.
V invu
The cache block state can be anything except u in the cache
block. The data and its address u are “removed” from the cache
block by the victim V invu .
Aa
or
Va
The cache block contains a specific memory location a, due to
a memory access by the attacker, Aa, or the victim, Va. The
address a is within the range of sensitive locations x and known
to the attacker.
Aaalias
or
Vaalias
The cache block contains a memory address aalias, due to a
memory access by the attacker, Aaalias , or the victim, Vaalias .
The address aalias is within the range x and not the same as a,
but it maps to the same cache block as a, i.e. it “aliases” to a.
The address aalias is known to the attacker.
Ad or
Vd
The cache block contains a memory address d due to a memory
access by the attacker, Ad , or the victim, Vd . The address d is
not within the range x and known to the attacker.
Ainv
or
V inv
The cache block is invalid. The data and its address are “re-
moved” from the cache block by the attacker, Ainv, or the victim,
V inv, as a result of cache block being invalidated.
Ainva
or
V inva
The cache block state can be anything except a in this cache
block now. The data and its address a are “removed” from the
cache block by the attacker, Ainva , or the victim, V
inv
a .
Ainv
aalias
or
V inv
aalias
The cache block state can be anything except aalias in this cache
block now. The data and its address aalias are “removed” from
the cache block by the attacker, Ainv
aalias
, or the victim, V inv
aalias
.
Ainvd
or
V invd
The cache block state can be anything except d in this cache
block now. The data and its address d are “removed” from the
cache block by the attacker Ainvd or the victim V
inv
d .
?
Any data, or no data, can be in the cache block. The attacker
has no knowledge of the memory address in this cache block.
2.3. Previous Three-Step Model for Timing-Based At-
tacks in Caches
Recent work [11] has presented a systematic approach to find
all possible cache timing-based vulnerabilities. Their model
is established based on two observations: all existing cache
timing attacks focusing on the data are within three memory
operations, and timing attacks can be analyzed by checking
the behavior of one cache block (since all blocks are updated
in the same manner by the cache logic).
Following these observations, the work in [11] presented a
three-step model focusing on one cache block for evaluating all
possible timing-based attacks. Further, a soundness analysis
of the three-step model was performed to show that three steps
are sufficient to model all the timing-based attacks in caches.
In the three-step model, each step represents the state of the
cache line after some memory-related operation is performed.
First, there is the initial step that sets the cache line into a
known state. Second, there is the following step that modifies
the state of the cache line. Finally, there is the last step, based
on the timing of which, the change in the state of the cache
line is observed. Each of the steps can be performed by the
attacker (A) or the victim (V). The goal of [11] is to find
which three-step combinations can represent timing attacks
2
2.4 Metrics for Vulnerabilities in Caches 3 MODELING FOR CACHE TIMING ATTACKS
from which the attacker learns information about the unknown
address accessed by the victim. The authors list 17 possible
states for a cache line, shown in Table 1. Among these states,
V represents that the state is a result of the victim’s operation,
while A represents that the state is a result of the attacker’s
operation. x denotes the set of virtual memory addresses
storing addresses of sensitive data, and u denotes the victim’s
secret address within x which is unknown to the attacker. a,
aalias and d denote known memory addresses that map to the
same cache line. d refers to an address outside of x, while the
others are the address within x. The attacker’s goal is to obtain
u, which could be the same as a or aalias, maps to the same set
as a, aalias and d, or not.
Given that there are 17 states and 3 steps, there are in total
173 = 4913 possible combinations of three steps that can be
derived. Their analysis demonstrated that 72 of the three-step
combinations are Strong effective vulnerabilities, where the
attacker can obtain the value of the unknown address u unam-
biguously with fast or slow timing. Meanwhile, 64 patterns
were shown to be Weak effective vulnerabilities, where there
are timing differences according to different values of u, but
no single timing corresponds to a unique possible value of u.
With their analysis, [11] showed that 29 out of 72 vulnerabili-
ties map to existing cache attacks. The other 43 types are new
without corresponding attacks in literature at that time.
The existing work [11], however, was limited in how they
model the caches. In particular, the work did not consider:
read vs. write accesses, invalidation using flush instruction
vs. invalidation using cache coherence, multithreading, and
multicore system, and the possibility that there are more than
just one “fast” and one “slow” timing in memory-related oper-
ation. Also, they did not present any code or benchmarks for
realizing and testing for the possible types of vulnerabilities.
Our work improves the model of caches, presents a set of
88 Strong vulnerability types, including 32 types not in prior
work [11], implements benchmarks for testing commodity
processors, and validates the theoretical analysis by running
all possible three-step combinations to show no other types of
timing differences (and thus vulnerabilities) exist.
2.4. Metrics for Vulnerabilities in Caches
Previously, [55] leveraged mutual information to measure
potential cache side-channel leakage. [20] modeled cache
interference using probabilistic information flow graph. How-
ever, [55] and [20] only examined limited attacks including
Evict + Time attack [36], Cache Collision attack [3], Bern-
stein’s attack [2], Prime + Probe attack [36, 37], and Flush +
Reload attack [52]. What’s more, an analytical model was pro-
posed in [13] to track the fraction of the victim’s critical items
accessible in the cache to determine leakage. In a different
work, SVF [10] metric measured information leakage by mea-
suring the signal-to-noise ratio in an attacker’s observations.
CSV [56] metric used direct correlation, in place of phase
correlation used by SVF, to measure leakage. The analytical
model [13], SVF [10] and CSV [56] all only evaluated Prime
+ Probe attack [36, 37]. Besides, the work in [28] quantified
the cache side-channel leakage but mainly focused on access-
driven attacks such as Evict + Time Attack [36]. CacheD [42]
identified cache-based timing channels but mainly targeted
access-driven attacks such as Evict + Time Attack [36] and
time-driven attacks such as Bernstein’s Attack [2] for timing-
related attacks. SCADET [39] provided a side-channel detec-
tion tool targeting Prime + Probe attack [36, 37].
This work is the first work to actually test for all possible
timing-based vulnerabilities in caches, not just verify the cases
concerning one or few attacks. It is also the first that presents
code which can be run on commodity processors and which
can generate the Cache Timing Vulnerability Score (CTVS)
to evaluate different processors’ caches.
3. Modeling for Cache Timing Attacks
The goal of this work is to present the first set of benchmarks
which can be used to evaluate all the vulnerabilities of proces-
sor caches to timing-based attacks. Such attacks can be used,
for example, by Spectre variants, e.g., [26, 31, 40, 29], to ex-
tract sensitive information. With our benchmarks, it is possible
to help test processor caches or future secure cache designs,
and understand which timing attacks they are vulnerable to.
3.1. Assumptions and Threat Model
The goal of the benchmarks is to evaluate timing-based vulner-
abilities in caches. The presented benchmarks are not actual
security exploits, rather they implement memory-related op-
erations that correspond to all possible timing-based attacks.
Each benchmark outputs whether there is a statistically signifi-
cant timing difference that the attacker could observe to extract
information from the timing channel about the unknown ad-
dress u of the victim.
The current model focuses on all possible timing-based
attacks in the L1 data cache. The model includes uses of
any memory-related operations (load, store, flush) and cache
coherence protocol. The model assumes a multi-core and
possibly hyper-threading processor, with a cache hierarchy of
local and remote L1 cache, L2 cache, and a shared L3 cache
(which is possibly divided into different cache slices).
Current benchmarks do not consider timing-based attacks
of other levels in cache hierarchy besides L1, but it should
be straightforward to extend to the other levels. We do not
consider directory-related attacks [51] or attacks based on
replacement policy [48], but it should be possible to model
these by adding more states to the model (and still keep an
only total of three steps). This work does not cover TLB
attacks [15, 21], but there is already a theoretical model for
TLBs [12], and similar benchmarks can be developed for TLB
attacks (possibly merge with our benchmarks).
The work considers more than just “fast” and “slow” tim-
ings (as was not done by [11]). This means that the influence
of structures such as Miss Status Handling Registers (MSHRs),
3
3.2 Improved Modeling of Real Processors 3 MODELING FOR CACHE TIMING ATTACKS
0 100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000
0%
20%
40%
60%
80%
100%
{1}. L1cl (116)
{2}. L2cl (150)
{3}. L3cl (364)
{4}. rL1cl (134)
{5}. rL2cl (122)
{6}. rL3cl (118)
{7}. L1di (115)
{8}. L2di (121)
{9}. L3di (164)
{10}. rL1di (530)
{11}. rL2di (519)
{12}. rL3di (307)
{13}. DRAM (1084)
{14}. L1rL1cl (117)
{15}. L1rL2cl (117)
{16}. L1rL3cl (117)
{17}. L2rL1cl (157)
{18}. L2rL2cl (159)
{19}. L2rL3cl (158)
{20}. L3rL1cl (366)
{21}. L3rL2cl (363)
{22}. L3rL3cl (375)
(a) Timing of read access on Intel Xeon E5-1620 processor
0 100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000
0%
20%
40%
60%
80%
100%
{1}. L1cl (91)
{2}. L2cl (117)
{3}. L3cl (301)
{4}. rL1cl (99)
{5}. rL2cl (116)
{6}. rL3cl (119)
{7}. L1di (95)
{8}. L2di (90)
{9}. L3di (128)
{10}. rL1di (558)
{11}. rL2di (538)
{12}. rL3di (275)
{13}. DRAM (1060)
{14}. L1rL1cl (111)
{15}. L1rL2cl (114)
{16}. L1rL3cl (110)
{17}. L2rL1cl (159)
{18}. L2rL2cl (155)
{19}. L2rL3cl (158)
{20}. L3rL1cl (344)
{21}. L3rL2cl (338)
{22}. L3rL3cl (390)
(b) Timing of read access on Intel Xeon E5-2690 processor
0 100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000
0%
20%
40%
60%
80%
100%
{23}. L1cl (354)
{24}. L2cl (355)
{25}. L3cl (364)
{26}. rL1cl (638)
{27}. rL2cl (645)
{28}. rL3cl (657)
{29}. L1di (354)
{30}. L2di (353)
{31}. L3di (361)
{32}. rL1di (698)
{33}. rL2di (678)
{34}. rL3di (484)
{35}. DRAM (455)
{36}. L1rL1cl (620)
{37}. L1rL2cl (620)
{38}. L1rL3cl (629)
{39}. L2rL1cl (989)
{40}. L2rL2cl (624)
{41}. L2rL3cl (626)
{42}. L3rL1cl (994)
{43}. L3rL2cl (902)
{44}. L3rL3cl (896)
(c) Timing of write access on Intel Xeon E5-1620 processor
0 100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000
0%
20%
40%
60%
80%
100% {23}. L1cl (293)
{24}. L2cl (277)
{25}. L3cl (278)
{26}. rL1cl (639)
{27}. rL2cl (660)
{28}. rL3cl (653)
{29}. L1di (331)
{30}. L2di (328)
{31}. L3di (280)
{32}. rL1di (730)
{33}. rL2di (693)
{34}. rL3di (446)
{35}. DRAM (361)
{36}. L1rL1cl (618)
{37}. L1rL2cl (649)
{38}. L1rL3cl (600)
{39}. L2rL1cl (607)
{40}. L2rL2cl (641)
{41}. L2rL3cl (633)
{42}. L3rL1cl (847)
{43}. L3rL2cl (873)
{44}. L3rL3cl (987)
(d) Timing of write access on Intel Xeon E5-2690 processor
0 100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000
0%
20%
40%
60%
80%
100%
{45}. L1cl (1036)
{46}. L2cl (985)
{47}. L3cl (984)
{48}. rL1cl (986)
{49}. rL2cl (1068)
{50}. rL3cl (988)
{51}. L1di (1814)
{52}. L2di (1758)
{53}. L3di (1595)
{54}. rL1di (1644)
{55}. rL2di (1617)
{56}. rL3di (1295)
{57}. DRAM (925)
{58}. L1rL1cl (1032)
{59}. L1rL2cl (1119)
{60}. L1rL3cl (1036)
{61}. L2rL1cl (1031)
{62}. L2rL2cl (1118)
{63}. L2rL3cl (1032)
{64}. L3rL1cl (1035)
{65}. L3rL2cl (1119)
{66}. L3rL3cl (1030)
(e) Timing of flush operation on Intel Xeon E5-1620 processor
0 100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000
0%
20%
40%
60%
80%
100%
{45}. L1cl (872)
{46}. L2cl (879)
{47}. L3cl (813)
{48}. rL1cl (1002)
{49}. rL2cl (1011)
{50}. rL3cl (1005)
{51}. L1di (1767)
{52}. L2di (1585)
{53}. L3di (1310)
{54}. rL1di (1630)
{55}. rL2di (1664)
{56}. rL3di (1229)
{57}. DRAM (900)
{58}. L1rL1cl (1034)
{59}. L1rL2cl (1036)
{60}. L1rL3cl (1044)
{61}. L2rL1cl (1053)
{62}. L2rL2cl (1045)
{63}. L2rL3cl (1050)
{64}. L3rL1cl (955)
{65}. L3rL2cl (915)
{66}. L3rL3cl (1120)
(f) Timing of flush operation on Intel Xeon E5-2690 processor
Figure 1: Histograms of read, write, and flush operations (each has 8 operations) timing under all possible data movements considered in this
work. The timing is for the timing observation step, i.e. Step 3, in the tested three-step patterns. Note, different processors have different timing,
and not all different types of data movements can be distinguished on different processors. The data is presented for Intel Xeon E5-1620 (a, c,
e) and Intel Xeon E5-2690 (b, d, f) processors. Numbers in the “{}” in the legend denote the different data movement types. {1} - {22} correspond
to read operation, {23} - {44} correspond to write operation, {45} - {66} correspond to flush operation, to access clean L1 data, clean L2 data,
clean L3 data, remote clean L1 data, remote clean L2 data, remote clean L3 data, dirty L1 data, dirty L2 data, dirty L3 data, remote dirty L1 data,
remote dirty L2 data, remote dirty L3 data, DRAM data, clean data in both L1 and remote L1, clean data in both L1 and remote L2, clean data in
both L1 and remote L3, clean data in both L2 and remote L1, clean data in both L2 and remote L2, clean data in both L2 and remote L3, clean
data in both L3 and remote L1, clean data in both L3 and remote L2, clean data in both L3 and remote L3, respectively. Numbers in the “()” in
the legend show the average cycles needed for completing that type of memory operation. The x axis shows the access latency in cycles.
load and store buffers between processor and caches, and line-
fill buffers between cache levels are accounted for – however,
benchmarks for timing attacks that are just due to these struc-
tures could likely be developed.
The flush operation here refers to the clflush instruction in
x86, which causes data to be flushed from all levels of caches
back to main memory (including flushing data on other cores).
The timing measurements are from when each of the memory-
related operations is issued until the instruction commits.
3.2. Improved Modeling of Real Processors
We expand the model in [11] by considering more realistic
cases for a processor’s memory-related operation.
Timing Observation on Local vs. Remote Core. Our
cache attack model assumes a multi-core system and possibly
a hyper-threading system as well. We model such a system
using two cores: a “local” and “remote” core, each with L1, L2
and shared L3 caches. The target cache block is located in the
local core. Remote core affects the target cache block on the
local core by using cache coherence protocol. In particular, the
remote core is used to perform write operations to invalidate
the local core’s data due to the cache coherence protocol.
For each read, write or flush operation, it may target the
data that is in the local L1 cache, L2 cache, or L3 cache slice,
or that is in the remote L1 cache, L2 cache, or L3 cache slice.
The cache block can be either in a clean or dirty state for the
above 6 locations (6∗2 = 12 types). The clean data may also
be in both local or remote core, which can be in any cache
hierarchy (L1, L2, or L3 cache) for both cores (3∗3 = 9 types).
Otherwise, the data is not in any level of the cache hierarchy,
i.e., it is in the DRAM (1 type). We consider all these 66
timings (3 operations ∗ (12+9+1) = 66) to be different from
each other and use these 66 types of timings in our three-
step cache simulator, discusses in Section 4, to determine if a
three-step combination can be used in an attack.
Figure 1 shows the histograms of these 66 types of timing
observations for Intel Xeon E5-1620 and E5-2690 processors.
Based on the histograms, we found that some operations are
differentiable from each other, while some are not. In general,
the timing is processor-specific, so we need to consider and
examine all various cache timings and cannot just assume
“fast” and “slow” timings as was done by [11].
Hyper-Threading vs. Time-Slicing. Our cache model
further considers that each core supports hyper-threading. The
victim and the attacker on one core can then either run in time-
4
4 DERIVATION OF ALL VULNERABILITIES
slicing setting or run in parallel as two hyper-threads (if there
is hyper-threading support in the processor). For the case of
accesses on “local” vs. “remote” cores, the accesses on local
and remote cores can be done in parallel.
Read (Load) Access vs. Write (Store) Access. For
memory-access-related operations, our model considers that
they can be either read (load) or write (store). The timing of
writes is not well explored in attacks, except for one work [5].
In this work, the model considers both reads and writes. For
example, for Flush + Reload attack, the previous attack [52]
uses the load operation in the final step to reload secret data
and observe timing. In our model, we also test store operation
in the final step to access secret data and reveal that attack
with write in the final step is also possible, for example.
Flush vs. Write Invalidation. In our model, we consider
that a flush operation can be achieved by a cl f lush type instruc-
tion, that flushes data from all caches back to main memory.
Apart from that, our model considers the operation that can
invalidate the local core’s cache line by writing the correspond-
ing line in the remote core, which will trigger cache coherence
and result in the local cache line being invalidated.
4. Derivation of All Vulnerabilities
In this work, we build a new cache three-step simulator based
on the new model discussed in Section 3.2. It considers differ-
ent memory-related operations and differentiates among the
66 timing variations discussed in Section 3.2 that are related to
L1 cache timing-based attack for the final timing observation
step. Further, we give categorizations of vulnerabilities to find
common features that attacks exploit.
4.1. Judging the Effectiveness of Three-Step Combination
In order for a three-step combination to be effective for an
attack, at least the unknown victim’s address u should be
involved in one of the three steps since u is the unknown secret
the attacker tries to learn. In this case, the vulnerability will
have Vu or V invu as one or more of the three-steps to represent
the operations on the secret u.
Based on the 17 states shown in Table 1, for the three-step
model, the attacker tries to learn the value of u by guessing
if u equals: a, aalias or NIB. a denotes the address that is
within the set of sensitive locations x and maps to the target
cache line. aalias denotes any data address that belongs to
sensitive locations x and also maps to the cache line but is not
a. Apart from all possible sensitive address mapping to the
target cache line, u can possibly not map to the target cache
line the attacker is measuring. We denote these addresses as
NIB (not-in-block). Therefore, u can be either a, aalias, or NIB.
If the attacker is able to unambiguously correlate the timing to
one of the three values, he or she is able to learn the value of u
and the corresponding three-steps is a Strong type vulnerability.
Meanwhile, if the attacker is not able to clearly distinguish
whether u is a, aalias, or NIB based on the timing, but there
are still timing differences observed, then the corresponding
Exhaustive list
of all possible 
three-step
combinations
Cache 
Three-Step 
Simulator
Preliminary Strong 
Vulnerability
Preliminary Weak
Vulnerability
Ineffective Three-Step
Reduction 
Rules
Strong
Vulnerability
Weak
Vulnerability
Classification 
Step
Reduction 
Step
4913
203
624
4086
88
80
Types of 
timing 
observations
66
Figure 2: The derivation process of all the Strong and Weak types
of L1 cache timing-based vulnerabilities.
attacks belong to Weak type of vulnerabilities. Otherwise, if
the timing is always the same regardless of different values of
u, it will be an Ineffective three-step combination.
4.2. New Cache Three-Step Simulator
Figure 2 shows the derivation process of vulnerabilities. We
write Python scripts to develop the cache three-step simulator.
The simulator takes all 4913 combinations and 66 types of tim-
ing observations as input, checks and outputs the three-steps
that belong to Strong, Weak and Ineffective types, respectively.
For the step that is Vu, the simulator checks the timing when Vu
is Va, Vaalias , and VNIB. For the step that is V
inv
u , the simulator
checks the timing when V invu is V
inv
a , V
inv
aalias , and V
inv
NIB. The
timing variance exists if different possible values of u corre-
spond to different timings of the 66 types. We enumerate all
possible operations (read/write for access, remote write/flush
for invalidation) for a step and consider different timings for
each operation. Therefore, each three-step pattern may have
several types of timing observations. While in [11], only two
timing differences (“fast” and “slow”) were considered when
comparing the timing variation to identify effective vulnera-
bilities. The rules from [11] to remove repeat and redundant
three-step patterns are used for our work.
As shown in Figure 2, based on the much finer-grained
categorization of timing differences, we derived in total 88
Strong effective vulnerabilities and 80 Weak effective vulner-
abilities after removing repeat three-step patterns. They are
shown in Table 2, where light-blue colored rows (in total 32
types) are the new vulnerabilities (compared to [11]) which
we found through running of new cache three-step simula-
tor (16 types of the original Strong effective vulnerabilities
become Weak vulnerabilities when considering multi-core sys-
tems). We provide new names for the new attacks in Attack
Strategy in Table 2 while re-use existing names if the attacks
were presented before. As verified in Section 8 through the
tested processors, there are no other effective vulnerabilities
except the types we derive in Table 2, further strengthening
our findings.
4.3. Categorizations of the Vulnerabilities
We first categorize different vulnerabilities as based on internal
(I) or external (E) interference. The types that only involve
the victim’s behavior, V , in the states of Step 2 and Step 3 are
internal interference vulnerabilities (I). The remaining ones
are external interference (E) vulnerabilities.
5
4.3 Categorizations of the Vulnerabilities 4 DERIVATION OF ALL VULNERABILITIES
No. Vulnerability Type Type Attack AttackStrategyS1 S2 S3
1 Ainv Vu Va I-A [3]
Cache
Collision
2 V inv Vu Va I-A [3]
3 Ainva Vu Va I-A [3]
4 V inva Vu Va I-A [3]
5 Ainva Vu Aa E-A [52, 17, 40]
Flush
+ Reload
6 V inva Vu Aa E-A [52, 17, 40]
7 Ainv Vu Aa E-A [52, 17, 40]
8 V inv Vu Aa E-A [52, 17, 40]
9 V invu Aa Vu E-A new in [11] Reload
+ Time10 V invu Va Vu I-A new in [11]
11 Aa V invu Aa E-A [41]
Flush
+ Probe
12 Aa V invu Va I-A new in [11]
13 Va V invu Aa E-A new in [11]
14 Va V invu Va I-A new in [11]
15 Vu Ainva Vu E-A new in [11] Flush
+ Time16 Vu V inva Vu I-A new in [11]
17 Ainv V invu Aa E-A new
18 Ainv V invu Va I-A new
19 V inv V invu Aa E-A new
20 V inv V invu Va I-A new
Cache
Coherence
Flush
+ Reload
21 Ainva V
inv
u Aa E-SA new
22 Ainva V
inv
u Va I-SA new
23 V inva V
inv
u Aa E-SA new
24 V inva V
inv
u Va I-SA new
25 Ainvd V
inv
u Ad E-S new
26 Ainvd V
inv
u Vd I-S new
27 V invd V
inv
u Ad E-S new
28 V invd V
inv
u Vd I-S new
Cache
Coherence
Prime
+ Probe
29 V invu A
inv
a Vu E-SA new
30 V invu V
inv
a Vu I-SA new
31 V invu A
inv
d Vu E-S new
32 V invu V
inv
d Vu I-S new
Cache
Coherence
Evict
+ Time
33 Vu Va Vu I-SA [2]
Bernstein’s
Attack
34 Vu Vd Vu I-S [2]
35 Vd Vu Vd I-S [2]
36 Va Vu Va I-SA [2]
37 Vd Vu Ad E-S new in [11] Evict
+ Probe38 Va Vu Aa E-SA new in [11]
39 Ad Vu Vd I-S new in [11] Prime
+ Time40 Aa Vu Va I-SA new in [11]
41 Vu Ad Vu E-S [36] Evict
+ Time42 Vu Aa Vu E-SA [36]
43 Ad Vu Ad E-S [36, 37, 18] Prime
+ Probe44 Aa Vu Aa E-SA [36, 37, 18]
(a) All the cache timing vulnerabilities with S3 as memory access operation.
No. Vulnerability Type Type Attack AttackStrategyS1 S2 S3
45 Ainv Vu V inva I-A new in [11] Cache
Collision Inv.46 V inv Vu V inva I-A new in [11]
47 Ainva Vu V
inv
a I-A [16] Flush +
Flush
48 V inva Vu V
inv
a I-A [16]
49 Ainva Vu A
inv
a E-A [16]
50 V inva Vu A
inv
a E-A [16]
51 Ainv Vu Ainva E-A new in [11] Flush +
Reload Inv.52 V inv Vu Ainva E-A new in [11]
53 V invu Aa V
inv
u E-A new in [11] Reload +
Time Inv.54 V invu Va V
inv
u I-A new in [11]
55 Aa V invu A
inv
a E-A new in [11] Flush +
Probe Inv.
56 Aa V invu V
inv
a I-A new in [11]
57 Va V invu A
inv
a E-A new in [11]
58 Va V invu V
inv
a I-A new in [11]
59 Vu Ainva V
inv
u E-A new in [11] Flush +
Time Inv.60 Vu V inva V
inv
u I-A new in [11]
61 Ainv V invu A
inv
a E-A new
62 Ainv V invu V
inv
a I-A new
63 V inv V invu A
inv
a E-A new
64 V inv V invu V
inv
a I-A new
Cache
Coherence
Flush +
Reload Inv.
65 Ainva V
inv
u A
inv
a E-SA new
66 Ainva V
inv
u V
inv
a I-SA new
67 V inva V
inv
u A
inv
a E-SA new
68 V inva V
inv
u V
inv
a I-SA new
69 Ainvd V
inv
u A
inv
d E-S new
70 Ainvd V
inv
u V
inv
d I-S new
71 V invd V
inv
u A
inv
d E-S new
72 V invd V
inv
u V
inv
d I-S new
Cache
Coherence
Prime +
Probe Inv.
73 V invu A
inv
a V
inv
u E-SA new
74 V invu V
inv
a V
inv
u I-SA new
75 V invu A
inv
d V
inv
u E-S new
76 V invu V
inv
d V
inv
u I-S new
Cache
Coherence
Evict +
Time Inv.
77 Vu Va V invu I-SA new in [11] Bernstein’s
Inv.
Attack
78 Vu Vd V invu I-S new in [11]
79 Vd Vu V invd I-S new in [11]
80 Va Vu V inva I-SA new in [11]
81 Vd Vu Ainvd E-S new in [11] Evict +
Probe Inv.82 Va Vu Ainva E-SA new in [11]
83 Ad Vu V invd I-S new in [11] Prime +
Time Inv.84 Aa Vu V inva I-SA new in [11]
85 Vu Ad V invu E-S new in [11] Evict +
Time Inv.86 Vu Aa V invu E-SA new in [11]
87 Ad Vu Ainvd E-S new in [11] Prime +
Probe Inv.88 Aa Vu Ainva E-SA new in [11]
(b) All the cache timing vulnerabilities with S3 as invalidation operation.
Table 2: The table shows all the L1 cache timing-based vulnerabilities. The No. column assigns each type of vulnerability a number. The
Vulnerability Type column shows the three steps that define each vulnerability. S# denotes Step#. The Type column proposes the categorization
the vulnerability belongs to. “E” and “I” are for internal and external interference types, respectively. “S”, “A” and “SA” are set-based, address-
based types and the types that are both set-based and address-based, respectively. The Attack column shows if a vulnerability has been
previously presented in the literature. The Attack Strategy column gives a common name for each set of vulnerabilities that would be exploited
in an attack in a similar manner. Inv. means invalidation. Light-blue colored rows are the vulnerabilities which are first presented in this work.
In [11, 55], the vulnerabilities are categorized as hit-based
and miss-based vulnerabilities, based on the cache behaviors
the attackers want to observe (cache misses or hits). This
definition does not fit our model since there are different types
of timings for L1 data hits and misses in the real machines.
For example, attacks can derive information on accesses using
timing difference from two types of cache misses, which are
not covered by the original categorizations.
Therefore, we create new categorizations for the vulnerabil-
ities. We categorize the vulnerabilities as address-based (A) if
they are able to derive the complete address of u by observing
cache hit of u and obtaining different timing compared with
other candidate data. Set-based (S) vulnerabilities are the ones
that can know the mapped set of u by conflicting and generat-
ing eviction between u and candidate data addresses. The third
type are the ones that potentially derive information from set
6
5 BENCHMARK IMPLEMENTATION
or address (SA) depending on timing differences derived for
all the candidates of u. For example, SA type #33 vulnerability
Vu Va Vu can be set-based if a and u are not the same but
map to the same cache set, which differs in timing between
{2}{8}{24}{30}, a local L2 hit, and {1}{7}{23}{29}, a local
L1 hit. Or it can be address-based if a maps to u and Step 1
(Vu) and Step 2 (Va) are accessed by different operations (read
or write), which have different timing between reads of L1
clean data and dirty data, {1} and {7}, or writes of L1 clean
data and dirty data, {23} and {29}.
5. Benchmark Implementation
This section presents details of how the benchmarks for the
different vulnerabilities are implemented.
5.1. Benchmarks for Each Vulnerability
For each vulnerability, there are three steps, and each step
can be two possible cases: read or write access for a mem-
ory access operation; flush or write in the remote core for
an invalidation-related operation. Thus, there are in total of
23 = 8 cases considering different types of operations. Further,
if the vulnerabilities have both the victim and the attacker run-
ning in one core, these two parties can run either time-slicing
or multi-threading. Based on that, one case may be doubled
for running in two settings. So for one vulnerability type,
there are corresponding 8-16 cases depending on the specific
vulnerability. In total, we found there are 1094 benchmarks
for all 88 Strong type vulnerabilities.
Since each type of states have the same implementation and
each three-step benchmark follows a similar pattern, we wrote
C scripts to automatically generate the C program for each of
the 1094 benchmarks.
5.2. Judging A Three-Step Combination
For a specific benchmark that implements one case of the
three-step combinations, following the idea of the cache three-
step simulator in Section 4, if the step is Vu, the benchmarks
separately test the timing when Vu is Va, Vaalias , or VNIB. If the
step is V invu , the benchmarks separately test the timing when
V invu is V
inv
a , V
inv
aalias , or V
inv
NIB. The timing of the last step in the
three-step pattern is measured. For each of the cases, there is
RUN_NUM number of trials, and Welch’s t-test [46] is used
to distinguish the distributions of the measured timings. We
consider two distributions to be significantly different from
each other if the probability of observing the data given that
they come from the same distribution is less than 0.05%.
For an effective vulnerability, one of the three candidates of
Vu (or V invu ) should generate timing distribution that is statisti-
cally different from the other two candidates. This is for the
Strong vulnerability types which are 88 types in total. The 80
Weak vulnerability types are not currently considered in the
benchmarks but can be straightforward to add if needed. At
end of each benchmark run, the benchmark outputs if there
was significant timing difference–“vulnerability is found”, or
not–“vulnerability not found”. Further, if any one of the cases
of the vulnerability returns “vulnerability is found”, the pro-
cessor cache is considered to be vulnerable to that attack type.
5.3. Timing Measurement
We use rdtsc instruction in our benchmarks to do timing mea-
surements, which is the most effective method compared with
hardware performance counters, which may be limited [16] or
lacking-determinism [9], or using a “counting” thread. AMD’s
rdtsc instruction is not as accurate as Intel machine’s, but there
are plenty of works [1, 22, 21] showing that it is also able to
be used for cache timing-based attacks.
Noise and variation in the timing measurements could fur-
ther result in false negatives (if the time measurement was not
accurate enough to distinguish different timings of accesses) or
false positives (if timing changes resulted in timing measure-
ment differences even though there is no timing difference).
To reduce the noise, instead of measuring just one cache
block, we arbitrarily chose 8 cache blocks from different cache
sets to do operation on. Further, the measurements are all re-
peated RUN_NUM times and collect statistical data. fence
instructions are added between each memory-related instruc-
tion to enforce an ordering constraint for the attacks.
To reduce the variation of the timing among different cache
sets, the timing measurement of the last step is repeated for
each test if the last step is u-related step. Specifically, right
after the third step’s timing measurement, we trigger and mea-
sure the timing of this step again, which is guaranteed to result
in an L1 cache hit timing or timing to invalidate the data that
is not in the caches, depending on the concrete memory opera-
tions. We then compare the timing of the third step with the
repeated third step. This eliminates any variations in timing
among different cache sets.
5.4. Benchmark Code Example
Figure 3 shows an example pseudo code of #42 vulnerability
Vu Aa Vu’s benchmark for read (Vu), write (Aa), and write
(Vu) access of the three steps and running hyper-threading.
First, we define probability bound of Welch’s t-test (line
1) and initialize a shared array (line 2-3) used by mutexes to
control the sequence of the three-step accesses. Then, the data
(stored in the array) that will be accessed by the victim and the
attacker is loaded into the L1 cache (line 4), and consequently
possibly brought into L2 and L3 caches. We use fork() (line 6
and line 19) to create sub-process, one for the victim and one
for the attacker in this example. Each remote and local victim
and attacker will have one sub-process throughout the whole
test. Each sub-process is assigned to a hardware thread (line
8-9, line 21-22). When running hyper-threading, two local
or two remote sub-processes are run in different hardware
threads of one CPU, if applicable. If running time-slicing,
sub-processes are assigned to one hardware thread. Within
each sub-process, the test will be run for a certain predefined
RUN_NUM (line 10 and line 23) times so the timing statis-
7
6 EVALUATION AND SECURITY DISCUSSION
1. #define LIM 0.0005
2. //mutex to sequence three-step operations
3. mutex = mmap(mutex_size, PROT_READ|PROT_WRITE, …)
4. init_array(arr); //initialize data array and load it into L1, L2, and L3
5. mutex[0] = NOONE_RUN;
6. if ((pid_l1=fork()) < 0) { exit(1); //fail to fork process} //local attacker
7. else if (pid_l1==0){
8. CPU_SET(att_num, &mycpuset);
9. sched_setaffinity(getpid(), sizeof(cpu_set_t), &mycpuset);
10. for (int m=0; m<RUN_NUM; m++){
11. for (int j=0; j<4; j++){
12. // before the attack, initialize mutex
13. if(mutex[0]==NOONE_RUN){ mutex[0]=STEP1_RUN;}
14. // step 2 Aa
15. while(mutex[0]!=STEP2_RUN) sched_yield;
16. attacker_write_8_access(a);
17. mutex[0]=STEP3_RUN;
18. }} exit(0);}
19. if ((pid_l2=fork()) < 0) { exit(1); //fail to fork process} //local victim
20. else if (pid_l2==0){
21. CPU_SET(vic_num, &mycpuset);
22. sched_setaffinity(getpid(), sizeof(cpu_set_t), &mycpuset);
23. for (int m=0; m<RUN_NUM; m++){
24. for (int j=0; j<4; j++){
25. // step 1 Vu
26. while(mutex[0]!=STEP1_RUN) sched_yield;
27. if(j==0) victim_read_8_access(a);
28. else if (j==1) victim_read_8_access(a_alias);
29. else if (j==2) victim_read_8_access(NIB);
30. else if (j==3) dummy_operation;
31. mutex[0]=STEP2_RUN;
32. // step 3 Vu and measure time
33. while(mutex[0]!=STEP3_RUN) sched_yield;
34. if(j==0) {victim_write_8_access_time(a, t);
35. victim_write_8_access_time(a, t_r);}
36. else if (j==1) {victim_write_8_access_time(a_alias, t);
37. victim_write_8_access_time(a_alias, t_r);}
38. else if (j==2) {victim_write_8_access_time(NIB, t);
39. victim_write_8_access_time(NIB, t_r);}
40. else if (j==3) dummy_operation;
41. // timing store
42. store_third_step_timing(j,t);
43. store_repeat_access_timing(j,t_r);
44. mutex[0]=STEP1_RUN;
45. }}
46. //timing analysis
47. if((p_value(a, a_alias)<LIM && p_value(a, NIB)<LIM)||(                  
48. p_value(a, NIB)<LIM&& p_value(a_alias, NIB)<LIM)||(   
49. p_value(a, a_alias)<LIM&& p_value(a_alias, NIB)<LIM)
50. &&((!u_last_step) ||
51. ((pvalue(a_dif, a_alias_dif)<LIM&& pvalue(a_dif, NIB_dif)<LIM)||(
52. pvalue(a_dif, NIB_dif)<LIM && pvalue(a_alias_dif, NIB_dif)<LIM)||(
53. pvalue(a_dif, a_alias_dif)<LIM&& pvalue(a_alias_dif, NIB_dif)<LIM))))
54. printf(“Vulnerability is found”);  
55. else printf(“Vulnerability not found”);
56. exit(0);}
Figure 3: The pesudo code of #42 vulnerability Vu  Aa  Vu for
read (Vu), write (Aa), and write (Vu) case running hyper-threading.
tics can be done based on a large number of runs. We set
RUN_NUM at 600 to minimize noise and maintain a suitable
test set number for Welch’s t-test to measure distributions.
As discussed in Section 4.1, for all the effective vulnerabili-
ties, there will be at least one Vu step (or V invu ). Within each
running of the test, the three values (i.e., Va, Vaalias , or VNIB)
will be tested for the Vu or V invu (line 11 and line 24). The
“dummy operation” branch is used to avoid making the third
branch to be the last branch, which we found experimentally
Table 3: Configurations of the experimental machines, which all
have 64B L1 cache line size. (1) denotes the number of hardware
threads sharing one L1 cache; (2) denotes the number of hardware
threads per socket; (3) denotes the number of sockets.
Model
Name
L1-D
Cache
L1-I
Cache
L2
Cache
L3
Cache
(1) (2) (3)
Intel Xeon
E5-1620
32KB,
8-way
32KB,
8-way
256KB,
8-way
10MB,
20-way
2 8 1
Intel Xeon
E5-2667
32KB,
8-way
32KB,
8-way
256KB,
8-way
15MB,
20-way
2 12 2
Intel Xeon
E5-2690
32KB,
8-way
32KB,
8-way
256KB,
8-way
20MB,
20-way
2 16 1
Intel Core
i5-4570
32KB,
8-way
32KB,
8-way
256KB,
8-way
6MB,
12-way
1 4 1
Intel Xeon
E5-2686
32KB,
8-way
32KB,
8-way
1MB,
16-way
33MB,
11-way
1 4 1
Intel Xeon
P-8175
32KB,
8-way
32KB,
8-way
256KB,
8-way
45MB,
20-way
2 8 1
AMD
FX-8150
16KB,
4-way
64KB,
2-way
2MB,
16-way
8MB,
64-way
1 8 1
AMD
EPYC 7571
32KB,
8-way
64KB,
4-way
512KB 8MB 2 4 1
has an abnormal timing measurement result.
This particular test, shown in Figure 3, performs Step 1 (Vu,
line 25-31), Step 2 (Aa, line 14-17) and Step 3 (Vu, line 32-44).
Last step Step 3 is performed twice and results are stored (line
41-43). The first access of Step 3 is done to measure if the
attacker can observe timing differences when running different
values of u. The second access of the third step will always be
a hit (fast timing, and is used to obtain baseline “fast” timing
for that cache set, as we observed different cache sets can
have different timing). In this case, we can collect results
of difference between the first access timing and the second
access timing for each candidate of u to limit the possibilities
that timing difference is due to different cache sets but not
different values of u.
In the end, Welch’s t-test is first applied to each statistical
distribution of candidate values for Vu (or V invu ) to see whether
the attacker can observe different timing when Vu refers to
different addresses (line 47-49). If the three-step patterns have
u-related step as the last step (implemented by u_last_step in
line 50), to remove the noise in the timing among different
cache sets, the second access timing is considered. Welch’s
t-test is applied to test the difference of the first and the second
access of the last step Step 3. Only if one candidate’s distri-
bution has significant timing difference compared with the
other two, the cache sets’ noise is shown to be not the reason
of timing difference and the corresponding vulnerability is
judged to be effective (line 51-53).
6. Evaluation and Security Discussion
Experimental Setup. The experimental results reported for
Intel processors were performed on Intel Core i5-4570, Xeon
E5-2690, E5-2667, E5-1620, P-8175 and E5-2686 CPUs. The
AMD tests were on AMD EPYC 7571 and AMD FX-8150.
P-8175, E5-2686 and AMD EPYC 7571 instance are from
8
6.1 Vulnerability Evaluation on Commodity CPUs 6 EVALUATION AND SECURITY DISCUSSION
1 2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788
vulnerabilities
Intel Xeon E5-1620
Intel Xeon E5-2667 on-chip
Intel Xeon E5-2667 inter-chip
Intel Xeon E5-2690
Intel Core i5-4570
Intel Xeon E5-2686
Intel Xeon P-8175
AMD FX-8150
AMD EPYC 7571
Found in all tested CPUs
Found in at least one tested CPU
CP
U 
Ty
pe
Figure 4: Evaluation of 88 Strong types of vulnerabilities on different machines. A dot means the corresponding processor is vulnerable to
the vulnerability type. Intel Xeon E5-2667 in our lab has two sockets. Therefore, the local and remote core can be both in one socket, i.e., run
on-chip; or local and remote core can be in different sockets, i.e., run inter-chip.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
vulnerabilities
Intel Xeon E5-1620
Intel Xeon E5-2667 on-chip
Intel Xeon E5-2667 inter-chip
Intel Xeon E5-2690
Intel Core i5-4570
Intel Xeon E5-2686
Intel Xeon P-8175
AMD FX-8150
AMD EPYC 7571
Found in all tested CPUs
Found in at least one tested CPU
CP
U 
Ty
pe
(a) #1 - #44 vulnerability testing results on different machines.
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
vulnerabilities
Intel Xeon E5-1620
Intel Xeon E5-2667 on-chip
Intel Xeon E5-2667 inter-chip
Intel Xeon E5-2690
Intel Core i5-4570
Intel Xeon E5-2686
Intel Xeon P-8175
AMD FX-8150
AMD EPYC 7571
Found in all tested CPUs
Found in at least one tested CPU
CP
U 
Ty
pe
(b) #45 - #88 vulnerability testing results on different machines.
Figure 5: Evaluation of 88 Strong types of vulnerabilities for all the cases. A dot means the corresponding processor is vulnerable to the
vulnerability case. For each vulnerability, a fixed number of cases (see Section 5.1) are tested according to the vulnerability type. And there
are in total 1094 cases for 88 Strong types of vulnerabilities.
Amazon EC2. Table 3 shows the processor configurations.
6.1. Vulnerability Evaluation on Commodity CPUs
We evaluated 88 Strong effective vulnerabilities shown in Ta-
ble 2. Figure 4 lists the results of running the experiments
when testing the 9 types of processor configurations upon 88
effective vulnerabilities. For each type of processors, a dot
showing up in the figure means that the machine is vulnerable
to this vulnerability. Apart from the 9 types of tested proces-
sors, the first line of dots in Figure 4 show the or result of
9 types of processor configurations. The dot means that the
vulnerability is found in at least one tested processor. The sec-
ond line of dots in Figure 4 show the and result of 9 types of
processor configurations. The dot means that the vulnerability
is found in all tested processors.
Figure 4 shows that 88 effective vulnerabilities are mostly
found in all the tested CPUs. Since our new cache three-step
simulator considers the ideal case where 66 types of timing
observations all have unique results, it outputs all the possible
vulnerability types. For commodity processors, a subset of
them are shown to be effective. This is due to the actual cache
implementation and timing measurement methods, and thus,
some of the timing of the 66 types are not differentiable, as
can be seen from histograms in Figure 1. Figure 4 also demon-
strates that different machines are vulnerable to different types
of attacks. The and result of 9 types of processor configuration
experiments have relatively small percentage of vulnerabili-
ties to which machines are all vulnerable. We further list the
statistical results as CTVS for each machine in Section 7.
6.2. Analysis of Vulnerabilities Found
Figure 5 shows the results of benchmarks for the 88 vulnerabil-
ity types. Machines not supporting hyper-threading have much
fewer effective cases. Similar to Figure 4, the dot means the
related processor is vulnerable to the specific case. The gray
vertical lines are used to group all the cases per vulnerability
(there are thus 88 vertical bars and groupings). We further col-
lect the data in Figure 5 and group them with different Step 3
types as the timing observation steps in Table 4 to compare
effects of different operations on cache timing attacks.
Local read and local write of timing observation step.
Previous attacks normally used read access to implement the
side-channel attacks, as analyzed in Section 3.2. However,
write access is shown in Figure 5 and Table 4 to be an effective
method to implement attacks as well. It has generally smaller
rate compared with read access to trigger effective vulnerabili-
ties of different cases, especially for tested machine Intel Xeon
E5-1620 and E5-2690. For the 44 types of vulnerabilities (#1
9
7 CACHE TIMING VULNERABILITY SCORE
Table 4: Percentage of vulnerability cases that are effective for dif-
ferent types of timing observation steps for different machine config-
urations. The number on the right of “/” is the total cases of vulner-
abilities for the corresponding categorization; the number on the left
of “/” is the number of cases to which the corresponding processor
is vulnerable. Machines labeled * do not support hyper-threading.
Model Name
Local
Read
Local
Write
Remote
Write to Inv.
Flush to
Inv.
Intel Xeon E5-1620 137/277 118/277 127/277 129/263
Intel Xeon E5-2667
on-chip
121/277 117/277 80/277 119/263
Intel Xeon E5-2667
inter-chip
127/277 111/277 124/277 72/263
Intel Xeon E5-2690 128/277 101/277 77/277 107/263
Intel Core i5-4570* 82/277 66/277 57/277 63/263
Intel Xeon E5-2686* 87/277 74/277 69/277 80/263
Intel Xeon P-8175 124/277 120/277 75/277 105/263
AMD FX-8150* 68/277 65/277 89/277 65/263
AMD EPYC 7571 125/277 125/277 124/277 114/263
in all CPUs 49/277 34/277 10/277 30/263
at least one CPU 175/277 150/277 162/277 162/263
- #44) that have access operation as timing observation step,
Figure 5 demonstrates that there are 38 out of 44 vulnerabili-
ties to which at least one machine is vulnerable when using
read as the timing observation step. While using write access
as the timing observation step, 34 out of 44 vulnerabilities are
vulnerable to at least one machine.
Invalidation using cache coherence or flush for timing
observation step. According to Table 4, the percentage of vul-
nerabilities to which the machine is vulnerable mainly depends
on processor types when comparing different invalidation-
related operation as the timing observation step. Among
the tested processors, Intel Xeon E5-2667 running inter-chip,
AMD FX-8150 and AMD EPYC are more vulnerable to re-
mote write as the timing observation step. Intel Xeon E5-
1620, E5-2667 running on-chip, E5-2690, E5-2686, P-8175,
and Core i5-4570 are more vulnerable to flush observation
step. Overall, for the 44 types of vulnerabilities (#45 - #88)
that have invalidation for timing observation, remote write
and flush operations both have 38 out of 44 vulnerabilities to
which at least one machine is vulnerable.
Running time-slicing or hyper-threading. Besides differ-
ent kinds of operations, we also collect results in Table 5 for
running time-slicing and hyper-threading when the victim and
the attacker run on the same core (either local core or remote
core). There are also vulnerabilities for which the victim and
the attacker run on different cores, or vulnerabilities only hav-
ing victim steps. Based on the results, running time-slicing is
more vulnerable compared with running hyper-threading for
Intel processors. While AMD processor EPYC 7571 shows
that running time-slicing is more vulnerable. Furthermore,
hyper-threading provides more choices for the attacker to ex-
ploit the corresponding vulnerability in different ways.
Table 5: Percentage of vulnerability cases that are effective for the
victim (Vic.) and the attacker (Att.) running the same core (time-
slicing or hyper-threading), running different cores or within the vic-
tim for different machine configurations. The number on the right of
“/” is the total cases of vulnerabilities for the corresponding catego-
rization; the number on the left of “/” is the number of cases to which
the corresponding processor is vulnerable. Machines labeled * do
not support hyper-threading.
Model Name
Vic., Att. on the Same Core Vic., Att. on
Different
Cores
Within
VictimTime-
Slicing
Hyper-
Threading
Intel Xeon E5-1620 181/390 174/390 51/90 105/224
Intel Xeon E5-2667
on-chip
156/390 146/390 52/90 83/224
Intel Xeon E5-2667
inter-chip
151/390 146/390 49/90 88/224
Intel Xeon E5-2690 144/390 138/390 46/90 85/224
Intel Core i5-4570* 143/390 0/390 46/90 79/224
Intel Xeon
E5-2686*
166/390 0/390 50/90 94/224
Intel Xeon P-8175 148/390 143/390 38/90 95/224
AMD FX-8150* 155/390 0/390 43/90 89/224
AMD EPYC 7571 159/390 171/390 55/90 103/224
in all CPUs 67/390 0/390 18/90 38/224
at least one CPU 223/390 217/390 61/90 148/224
7. Cache Timing Vulnerability Score
Table 6 shows the CTVS values for each tested machine, as
well as the and result and or result for machines. For CTVS
number, smaller is better. For all the 88 Strong type vulnera-
bilities, AMD FX-8150 has relatively better CTVS compared
with Intel machines. Xeon E5-1620 and P-8175 are the most
vulnerable ones among Intel processors. Otherwise, the Xeon
family and AMD EPYC 7571 have generally similar results.
In Table 6, CTVS numbers for the and result of all pro-
cessors are small. This demonstrates that only a few attacks
can be effective in all the processors. These numbers are ex-
pected to be even smaller if more processors are tested. CTVS
numbers for the or result of all processors are large. This
confirms that nearly all of the vulnerabilities derived by the
new three-step model are found in the tested processors.
A type vulnerabilities generally have higher effective rates
than S type vulnerabilities. This is because that S type vul-
nerabilities normally differentiate timing between L1 cache
and L2 cache, i.e., accessing or invalidating L1 or L2 data,
which are shown in the histograms in Figure 1 to be much
smaller compared with the difference between L1 cache hit
and DRAM hit, for example. Especially, the timing difference
between remote write to invalidate dirty L1 data and L2 data
is almost non-differentiable, resulting in that related vulnera-
bilities (especially #25 - #28) are found to be not effective in
all tested processors (shown in Figure 4). A type vulnerabil-
ities generally rely on timing differences between L1 cache
hit and DRAM hit, or L1 cache hit and remote L1 cache hit;
histograms in Figure 1 demonstrate that these access types
have large timing differences, making these vulnerabilities
much more effective. SA type vulnerabilities generally lever-
10
7.1 for Design of Defense Features 9 CONCLUSION
Table 6: Cache Timing Vulnerability Score (CTVS) for each of the
tested processors. The number on the right of “/” is the total cases
of vulnerabilities for the corresponding categorization; the number
on the left of “/” is the number of types to which the corresponding
processor is vulnerable. Smaller is better. “E” and “I” are internal
and external interference vulnerabilities, respectively. “S” and “A”
are set-based and address-based vulnerabilities, respectively. “SA”
are the ones that are both set-based and address-based.
Model
Name
CTVS
Score
I-A
Vul.
I-S
Vul.
I-SA
Vul.
E-A
Vul.
E-S
Vul.
E-SA
Vul.
Intel Xeon
E5-1620
73/88 20/20 6/12 12/12 20/20 5/12 10/12
Intel Xeon
E5-2667
on-chip
66/88 20/20 3/12 11/12 20/20 3/12 9/12
Intel Xeon
E5-2667
inter-chip
64/88 19/20 2/12 12/12 20/20 3/12 8/12
Intel Xeon
E5-2690
62/88 20/20 1/12 10/12 20/20 2/12 9/12
Intel Core
i5-4570
61/88 20/20 1/12 10/12 20/20 1/12 9/12
Intel Xeon
E5-2686
66/88 20/20 2/12 11/12 20/20 3/12 10/12
Intel Xeon
P-8175
73/88 20/20 5/12 12/12 20/20 5/12 11/12
AMD
FX-8150
50/88 18/20 1/12 7/12 18/20 0/12 6/12
AMD
EPYC
7571
62/88 20/20 2/12 10/12 20/20 1/12 9/12
in all
CPUs
47/88 17/20 0/12 6/12 18/20 0/12 6/12
at least
one CPU
79/88 20/20 9/12 12/12 20/20 7/12 11/12
age the timing differences between clean L1 data invalidation
and dirty L1 data invalidation or between local access of re-
mote clean L1 data and remote dirty L1 data; histograms in
Figure 1 again show large timing differences for these, and
related vulnerabilities are found to be very effective by CTVS.
For I and E type vulnerabilities, they do not have an explicit
distinction of CTVS numbers for the tested processors.
7.1. for Design of Defense Features
CTVS can be used to test existing processors, as we have
shown in this work. Further, the benchmarks can be used
to evaluate any new secure cache designs, by running the
benchmarks on a simulator.
CTVS has shown that different processors are vulnerable to
different attacks. Consequently, customized software or hard-
ware defenses can be deployed for each processor based on the
CTVS score, rather than defending vulnerabilities not present
in the specific processor’s caches. For software defenses, the
access patterns from the benchmarks could be used as a ref-
erence for scanning software to find if it has similar patterns,
e.g., to find malicious software that has such attack patterns.
Further, CTVS and our three-step model have shown new at-
tack types which are unknown before, and thus not considered
by defenses based on monitoring performance counters – this
points to the requirement of using new or different perfor-
mance counter types in works that use monitoring.
The CTVS can also be used to help understand the im-
plementation of different processors especially the micro-
architectures. In particular, processors that have similar imple-
mentations may have similar results of CTVS numbers, based
on common architectural features implemented for the whole
memory hierarchy.
8. Validation
To validate if there are any other vulnerabilities that are left out
apart from all the effective vulnerabilities we derived from our
cache three-step simulator, we empirically ran benchmarks for
all the cases of the whole 173 = 4913 three-step combinations
for 9 processor configurations.
We discovered a number of three-steps, besides the Strong,
Weak and repeat types, returned by the benchmarks to have
timing variations but consider all of them as false positives.
The false positives that show up in every processor we tested
all have the second or the third step to be Ainv, V inv or ?. The
corresponding types cannot be any effective vulnerabilities
because these three types of states will make the attacker
lose track of useful information due to whole cache flush
(Ainv, V inv) or zero-knowledge state inference (?) if they are
in Step 2 or Step 3. Reason of three-steps with the second
or the third step as Ainv, V inv to seem to be effective in the
result of running the benchmarks is that whole cache flush
currently cannot be implemented under user-level privilege.
We use approximate method to implement these states in the
benchmark by invalidating every address that is related to the
attacks. An approximate method is also used for ? to simulate
the zero-knowledge state. Therefore, the timings of Ainv, V inv
and ? are not accurate to measure for the real attack.
Overall, we found that there are no effective vulnerabilities
that are not covered by the vulnerabilities we derived. Detailed
analysis is not shown due to space limits of the paper.
9. Conclusion
This work presented a new three-step model and the first bench-
mark suite for evaluating all 88 possible Strong cache timing-
based attack types in processors. The model allowed us to find
32 new timing attack types. Further, we implemented scripts
to auto-generate the 1094 benchmark tests from our three-step
model’s 88 theoretical attack types for testing different cases.
The benchmarks were run on a number of commodity pro-
cessors to gave each machine the Cache Timing Vulnerability
Score (CTVS) to measure the degree of the machine’s robust-
ness against cache timing-based vulnerabilities. The three-step
model, benchmarks, and the CTVS can be used to measure
existing systems and help design future secure caches.
All code related to this work will be made open-source.
11
REFERENCES REFERENCES
References
[1] Onur Acıiçmez and Çetin Kaya Koç. Trace-Driven Cache Attacks on
AES (short paper). In International Conference on Information and
Communications Security, pages 112–121. Springer, 2006.
[2] Daniel J Bernstein. Cache-Timing Attacks on AES. 2005.
[3] Joseph Bonneau and Ilya Mironov. Cache-Collision Timing Attacks
against AES. In International Workshop on Cryptographic Hardware
and Embedded Systems, pages 201–215. Springer, 2006.
[4] Thomas Bourgeat, Ilia Lebedev, Andrew Wright, Sizhuo Zhang,
Arvind, and Srinivas Devadas. MI6: Secure Enclaves in a Speculative
Out-of-Order Processor. arXiv preprint arXiv:1812.09822, 2018.
[5] INTEL CORP. Speculative Store Bypass Bug CVE, 2018. CVE 2018-
3639. https://cve.mitre.org/cgi-bin/cvename.cgi?name=
CVE-2018-3639, accessed online.
[6] Victor Costan, Ilia A Lebedev, and Srinivas Devadas. Sanctum: Mini-
mal Hardware Extensions for Strong Software Isolation. In USENIX
Security Symposium, pages 857–874, 2016.
[7] Stephen Crane, Andrei Homescu, Stefan Brunthaler, Per Larsen, and
Michael Franz. Thwarting Cache Side-Channel Attacks Through Dy-
namic Software Diversity. In NDSS, pages 8–11, 2015.
[8] Joan Daemen and Vincent Rijmen. AES Proposal: Rijndael. 1999.
[9] Sanjeev Das, Jan Werner, Manos Antonakakis, Michalis Polychronakis,
and Fabian Monrose. SoK: The Challenges, Pitfalls, and Perils of Using
Hardware Performance Counters for Security. In Proceedings of 40th
IEEE Symposium on Security and Privacy (S&P’19), 2019.
[10] John Demme, Robert Martin, Adam Waksman, and Simha Sethumad-
havan. Side-Channel Vulnerability Factor: A Metric for Measuring
Information Leakage. In 2012 39th Annual International Symposium
on Computer Architecture (ISCA), pages 106–117. IEEE, 2012.
[11] Shuwen Deng, Wenjie Xiong, and Jakub Szefer. Analysis of Secure
Caches using a Three-Step Model for Timing-Based Attacks. Cryptol-
ogy ePrint Archive, Report 2019/167, 2019. https://eprint.iacr.
org/2019/167.
[12] Shuwen Deng, Wenjie Xiong, and Jakub Szefer. Secure TLBs. In
Proceedings of the 46th International Symposium on Computer Ar-
chitecture, ISCA ’19, pages 346–259, New York, NY, USA, 2019.
ACM.
[13] Leonid Domnitser, Nael Abu-Ghazaleh, and Dmitry Ponomarev. A
Predictive Model for Cache-Based Side Channels in Multicore and
Multithreaded Microprocessors. In International Conference on Math-
ematical Methods, Models, and Architectures for Computer Network
Security, pages 70–85. Springer, 2010.
[14] Leonid Domnitser, Aamer Jaleel, Jason Loew, Nael Abu-Ghazaleh, and
Dmitry Ponomarev. Non-Monopolizable Caches: Low-Complexity
Mitigation of Cache Side Channel Attacks. ACM Transactions on
Architecture and Code Optimization (TACO), 8(4):35, 2012.
[15] Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. Trans-
lation Leak-aside Buffer: Defeating Cache Side-channel Protections
with TLB Attacks. In 27th {USENIX} Security Symposium ({USENIX}
Security 18), pages 955–972, 2018.
[16] Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard.
Flush+ Flush: a Fast and Stealthy Cache Attack. In International
Conference on Detection of Intrusions and Malware, and Vulnerability
Assessment, pages 279–299. Springer, 2016.
[17] Daniel Gruss, Raphael Spreitzer, and Stefan Mangard. Cache Template
Attacks: Automating Attacks on Inclusive Last-Level Caches. In
USENIX Security Symposium, pages 897–912, 2015.
[18] Roberto Guanciale, Hamed Nemati, Christoph Baumann, and Mads
Dam. Cache Storage Channels: Alias-Driven Attacks and Verified
Countermeasures. In Security and Privacy (SP), 2016 IEEE Symposium
on, pages 38–55. IEEE, 2016.
[19] David Gullasch, Endre Bangerter, and Stephan Krenn. Cache Games–
Bringing Access-Based Cache Attacks on AES to Practice. In Security
and Privacy (SP), 2011 IEEE Symposium on, pages 490–505. IEEE,
2011.
[20] Zecheng He and Ruby B Lee. How Secure is Your Cache against Side-
Channel Attacks? In International Symposium on Microarchitecture
(MICRO), pages 341–353. ACM, 2017.
[21] Ralf Hund, Carsten Willems, and Thorsten Holz. Practical Timing
Side Channel Attacks Against Kernel Space ASLR. In 2013 IEEE
Symposium on Security and Privacy, pages 191–205. IEEE, 2013.
[22] Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. Cross Processor
Cache Attacks. In Proceedings of the 11th ACM on Asia conference on
computer and communications security, pages 353–364. ACM, 2016.
[23] Mehmet Kayaalp, Khaled N Khasawneh, Hodjat Asghari Esfeden,
Jesse Elwell, Nael Abu-Ghazaleh, Dmitry Ponomarev, and Aamer
Jaleel. RIC: Relaxed Inclusion Caches for Mitigating LLC Side-
Channel attacks. In Design Automation Conference (DAC), 2017 54th
ACM/EDAC/IEEE, pages 1–6. IEEE, 2017.
[24] Georgios Keramidas, Alexandros Antonopoulos, Dimitrios N Serpanos,
and Stefanos Kaxiras. Non Deterministic Caches: A Simple and
Effective Defense against Side Channel Attacks. Design Automation
for Embedded Systems, 12(3):221–230, 2008.
[25] Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas De-
vadas, and Joel Emer. DAWG: A Defense Against Cache Timing
Attacks in Speculative Execution Processors.
[26] Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike
Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael
Schwarz, and Yuval Yarom. Spectre Attacks: Exploiting Speculative
Execution. ArXiv e-prints, January 2018.
[27] Jingfei Kong, Onur Aciiçmez, Jean-Pierre Seifert, and Huiyang Zhou.
Hardware-Software Integrated Approaches to Defend against Software
Cache-Based Side Channel Attacks. In 2009 IEEE 15th International
Symposium on High Performance Computer Architecture, pages 393–
404. IEEE, 2009.
[28] Boris Köpf, Laurent Mauborgne, and Martín Ochoa. Automatic Quan-
tification of Cache Side-Channels. In International Conference on
Computer Aided Verification, pages 564–580. Springer, 2012.
[29] Esmaeil Mohammadian Koruyeh, Khaled N Khasawneh, Chengyu
Song, and Nael Abu-Ghazaleh. Spectre Returns! Speculation Attacks
Using the Return Stack Buffer. In 12th {USENIX} Workshop on
Offensive Technologies ({WOOT} 18), 2018.
[30] Ruby B Lee, Peter Kwan, John P McGregor, Jeffrey Dwoskin, and
Zhenghong Wang. Architecture for Protecting Critical Secrets in Mi-
croprocessors. In ACM SIGARCH Computer Architecture News, vol-
ume 33, pages 2–13. IEEE Computer Society, 2005.
[31] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher,
Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval
Yarom, and Mike Hamburg. Meltdown. ArXiv e-prints, January 2018.
[32] Fangfei Liu, Qian Ge, Yuval Yarom, Frank Mckeen, Carlos Rozas,
Gernot Heiser, and Ruby B Lee. CATalyst: Defeating Last-Level Cache
Side Channel Attacks in Cloud Computing. In High Performance
Computer Architecture (HPCA), 2016 IEEE International Symposium
on, pages 406–418. IEEE, 2016.
[33] Fangfei Liu and Ruby B Lee. Random Fill Cache Architecture. In Mi-
croarchitecture (MICRO), 2014 47th Annual IEEE/ACM International
Symposium on, pages 203–215. IEEE, 2014.
[34] Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee.
Last-Level Cache Side-Channel Attacks are Practical. In 2015 IEEE
Symposium on Security and Privacy, pages 605–622. IEEE, 2015.
[35] Clémentine Maurice, Christoph Neumann, Olivier Heen, and Aurélien
Francillon. C5: Cross-Cores Cache Covert Channel. In International
Conference on Detection of Intrusions and Malware, and Vulnerability
Assessment, pages 46–64. Springer, 2015.
[36] Dag Arne Osvik, Adi Shamir, and Eran Tromer. Cache Attacks and
Countermeasures: the Case of AES. In Cryptographers’ Track at the
RSA Conference, pages 1–20. Springer, 2006.
[37] Colin Percival. Cache Missing for Fun and Profit, 2005.
[38] Moinuddin K Qureshi. CEASER: Mitigating Conflict-Based Cache
Attacks via Encrypted-Address and Remapping. In 2018 51st Annual
IEEE/ACM International Symposium on Microarchitecture (MICRO),
pages 775–787. IEEE, 2018.
[39] Majid Sabbagh, Yunsi Fei, Thomas Wahl, and A Adam Ding. SCADET:
A Side-Channel Attack Detection Tool for Tracking Prime-Probe. In
2018 IEEE/ACM International Conference on Computer-Aided Design
(ICCAD), pages 1–8. IEEE, 2018.
[40] Michael Schwarz, Martin Schwarzl, Moritz Lipp, and Daniel Gruss.
Netspectre: Read Arbitrary Memory over Network. arXiv preprint
arXiv:1807.10535, 2018.
[41] Caroline Trippel, Daniel Lustig, and Margaret Martonosi. Melt-
downprime and Spectreprime: Automatically-Synthesized Attacks
Exploiting Invalidation-Based Coherence Protocols. arXiv preprint
arXiv:1802.03802, 2018.
[42] Shuai Wang, Pei Wang, Xiao Liu, Danfeng Zhang, and Dinghao Wu.
CacheD: Identifying Cache-Based Timing Channels in Production
Software. In 26th {USENIX} Security Symposium ({USENIX} Security
17), pages 235–252, 2017.
[43] Yao Wang, Andrew Ferraiuolo, Danfeng Zhang, Andrew C Myers,
and G Edward Suh. SecDCP: Secure Dynamic Cache Partitioning for
Efficient Timing Channel Protection. In Design Automation Conference
(DAC), 2016 53nd ACM/EDAC/IEEE, pages 1–6. IEEE, 2016.
12
REFERENCES REFERENCES
[44] Zhenghong Wang and Ruby B Lee. New Cache Designs for Thwarting
Software Cache-Based Side Channel Attacks. In ACM SIGARCH
Computer Architecture News, volume 35, pages 494–505. ACM, 2007.
[45] Zhenghong Wang and Ruby B Lee. A Novel Cache Architecture
with Enhanced Performance and Security. In Microarchitecture, 2008.
MICRO-41. 2008 41st IEEE/ACM International Symposium on, pages
83–93. IEEE, 2008.
[46] Bernard L Welch. The Generalization of Student’s Problem When
Several Different Population Variances are Involved. Biometrika,
34(1/2):28–35, 1947.
[47] Mario Werner, Thomas Unterluggauer, Lukas Giner, Michael Schwarz,
Daniel Gruss, and Stefan Mangard. ScatterCache: Thwarting Cache
Attacks via Cache Set Randomization. In 28th USENIX Security
Symposium (USENIX Security 19), Santa Clara, CA, 2019. USENIX
Association.
[48] Wenjie Xiong and Jakub Szefer. Leaking Information Through Cache
LRU States. arXiv preprint arXiv:1905.08348, 2019.
[49] Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christo-
pher Fletcher, and Josep Torrellas. InvisiSpec: Making Speculative
Execution Invisible in the Cache Hierarchy. In 2018 51st Annual
IEEE/ACM International Symposium on Microarchitecture (MICRO),
pages 428–441. IEEE, 2018.
[50] Mengjia Yan, Bhargava Gopireddy, Thomas Shull, and Josep Torrellas.
Secure Hierarchy-Aware Cache Replacement Policy (SHARP): De-
fending Against Cache-Based Side Channel Attacks. In Proceedings of
the 44th Annual International Symposium on Computer Architecture,
pages 347–360. ACM, 2017.
[51] Mengjia Yan, Read Sprabery, Bhargava Gopireddy, Christopher
Fletcher, Roy Campbell, and Josep Torrellas. Attack Directories, Not
Caches: Side Channel Attacks in a Non-inclusive World. In Attack
Directories, Not Caches: Side Channel Attacks in a Non-Inclusive
World, page 0. IEEE, 2019.
[52] Yuval Yarom and Katrina Falkner. FLUSH+ RELOAD: A High Resolu-
tion, Low Noise, L3 Cache Side-Channel Attack. In USENIX Security
Symposium, pages 719–732, 2014.
[53] Danfeng Zhang, Aslan Askarov, and Andrew C Myers. Language-
Based Control and Mitigation of Timing Channels. ACM SIGPLAN
Notices, 47(6):99–110, 2012.
[54] Danfeng Zhang, Yao Wang, G Edward Suh, and Andrew C Myers. A
Hardware Design Language for Timing-Sensitive Information-Flow
Security. In ACM SIGARCH Computer Architecture News, volume 43,
pages 503–516. ACM, 2015.
[55] Tianwei Zhang and Ruby B Lee. New Models of Cache Architec-
tures Characterizing Information Leakage from Cache Side Channels.
In Proceedings of the 30th Annual Computer Security Applications
Conference, pages 96–105. ACM, 2014.
[56] Tianwei Zhang, Fangfei Liu, Si Chen, and Ruby B Lee. Side Channel
Vulnerability Metrics: the Promise and the Pitfalls. In Proceedings
of the 2nd International Workshop on Hardware and Architectural
Support for Security and Privacy, page 2. ACM, 2013.
13
