Xingjian Zhang,Ziqi Yuan,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/seed51797.2021.00014

2021-01-01

Abstract:Cache side-channel attacks can leak critical information from the target programs. The cache randomization methodology has proven to be an efficient way to mitigate such attacks. However, existing works do not take the cache hierarchy into consideration, failing to address the issue that different levels of caches have different performance and security requirements. In this work, we propose and implement a hybrid randomization scheme, named H(2)Cache, to mitigate cache side-channel attacks. H(2)Cache leverages two randomization approaches and applies them to different levels of caches. It strengthens the security of cache modules, while satisfying the performance and resource utilization requirements. Specifically, we design a table-based randomization method for the L1 cache, which uses a hashed virtual index to look up the actual cache set index. The L2 cache in H(2)Cache takes a computation-based randomization function to calculate the cache set index. We have implemented a prototype of H(2)Cache and extensively evaluated it using a self-designed RISC-V processor on the FPGA platform. We demonstrate the security of H(2)Cache through simulated attack programs and quantitative analysis. Meanwhile, the evaluation results of performance and resource utilization have shown its efficacy.

Zirui Neil Zhao,Adam Morrison,Christopher W. Fletcher,Josep Torrellas

DOI: https://doi.org/10.1145/3620665.3640403

2024-05-21

Abstract:Last-level cache side-channel attacks have been mostly demonstrated in highly-controlled, quiescent local environments. Hence, it is unclear whether such attacks are feasible in a production cloud environment. In the cloud, side channels are flooded with noise from activities of other tenants and, in Function-as-a-Service (FaaS) workloads, the attacker has a very limited time window to mount the attack. In this paper, we show that such attacks are feasible in practice, although they require new techniques. We present an end-to-end, cross-tenant attack on a vulnerable ECDSA implementation in the public FaaS Google Cloud Run environment. We introduce several new techniques to improve every step of the attack. First, to speed-up the generation of eviction sets, we introduce L2-driven candidate address filtering and a Binary Search-based algorithm for address pruning. Second, to monitor victim memory accesses with high time resolution, we introduce Parallel Probing. Finally, we leverage power spectral density from signal processing to easily identify the victim's target cache set in the frequency domain. Overall, using these mechanisms, we extract a median value of 81% of the secret ECDSA nonce bits from a victim container in 19 seconds on average.

Cryptography and Security

Guangyuan Hu,Ruby B. Lee

2023-06-05

Abstract:Hardware caches are essential performance optimization features in modern processors to reduce the effective memory access time. Unfortunately, they are also the prime targets for attacks on computer processors because they are high-bandwidth and reliable side or covert channels for leaking secrets. Conventional cache timing attacks typically leak secret encryption keys, while recent speculative execution attacks typically leak arbitrary illegally-obtained secrets through cache timing channels. While many hardware defenses have been proposed for each class of attacks, we show that those for conventional (non-speculative) cache timing channels do not work for all speculative execution attacks, and vice versa. We maintain that a cache is not secure unless it can defend against both of these major attack classes. We propose a new methodology and framework for covering such relatively large attack surfaces to produce a Speculative and Timing Attack Resilient (STAR) cache subsystem. We use this to design two comprehensive secure cache architectures, STAR-FARR and STAR-NEWS, that have very low performance overheads of 5.6% and 6.8%, respectively. To the best of our knowledge, these are the first secure cache designs that cover both non-speculative cache side channels and cache-based speculative execution attacks. Our methodology can be used to compose and check other secure cache designs. It can also be extended to other attack classes and hardware systems. Additionally, we also highlight the intrinsic security and performance benefits of a randomized cache like a real Fully Associative cache with Random Replacement (FARR) and a lower-latency, speculation-aware version (NEWS).

Cryptography and Security,Hardware Architecture

Ghada Dessouky,Alexander Gruler,Pouya Mahmoody,Ahmad-Reza Sadeghi,Emmanuel Stapf

DOI: https://doi.org/10.48550/arXiv.2110.08139

2021-10-15

Abstract:Shared cache resources in multi-core processors are vulnerable to cache side-channel attacks. Recently proposed defenses have their own caveats: Randomization-based defenses are vulnerable to the evolving attack algorithms besides relying on weak cryptographic primitives, because they do not fundamentally address the root cause for cache side-channel attacks. Cache partitioning defenses, on the other hand, provide the strict resource partitioning and effectively block all side-channel threats. However, they usually rely on way-based partitioning which is not fine-grained and cannot scale to support a larger number of protection domains, e.g., in trusted execution environment (TEE) security architectures, besides degrading performance and often resulting in cache underutilization. To overcome the shortcomings of both approaches, we present a novel and flexible set-associative cache partitioning design for TEE architectures, called Chunked-Cache. Chunked-Cache enables an execution context to "carve" out an exclusive configurable chunk of the cache if the execution requires side-channel resilience. If side-channel resilience is not required, mainstream cache resources are freely utilized. Hence, our solution addresses the security-performance trade-off practically by enabling selective and on-demand utilization of side-channel-resilient caches, while providing well-grounded future-proof security guarantees. We show that Chunked-Cache provides side-channel-resilient cache utilization for sensitive code execution, with small hardware overhead, while incurring no performance overhead on the OS. We also show that it outperforms conventional way-based cache partitioning by 43%, while scaling significantly better to support a larger number of protection domains.

Cryptography and Security

Sanchuan Chen,Fangfei Liu,Zeyu Mi,Yinqian Zhang,Ruby B. Lee,Haibo Chen,XiaoFeng Wang

DOI: https://doi.org/10.1145/3196494.3196501

2018-01-01

Abstract:A program's use of CPU caches may reveal its memory access pattern and thus leak sensitive information when the program performs secret-dependent memory accesses. In recent studies, it has been demonstrated that cache side-channel attacks that extract secrets by observing the victim program's cache uses can be conducted under a variety of scenarios, among which the most concerning are cross-VM attacks and those against SGX enclaves. In this paper, we propose a mechanism that leverages hardware transactional memory (HTM) to enable software programs to defend themselves against various cache side-channel attacks. We observe that when the HTM is implemented by retrofitting cache coherence protocols, as is the case of Intel's Transactional Synchronization Extensions, the cache interference that is necessary in cache side-channel attacks will inevitably terminate hardware transactions. We provide a systematic analysis of the security requirements that a software-only solution must meet to defeat cache attacks, propose a software design that leverages HTM to satisfy these requirements and devise several optimization techniques in our implementation to reduce performance impact caused by transaction aborts. The empirical evaluation suggests that the performance overhead caused by the HTM-based solution is low.

Jicheng Shi,Xiang Song,Haibo Chen,Binyu Zang

DOI: https://doi.org/10.1109/DSNW.2011.5958812

2011-01-01

Abstract:Multi-tenant cloud, which features utility-like computing resources to tenants in a “pay-as-you-go” style, has been commercially popular for years. As one of the sole purposes of such a cloud is maximizing resource usages to increase its revenue, it usually uses virtualization to consolidate VMs from different and even mutually-malicious tenants atop a powerful physical machine. This, however, also enables a malicious tenant to steal security-critical information such as crypto keys from victims, due to the shared physical resources such as caches. In this paper, we show that stealing crypto keys in a virtualized cloud may be a real threat by evaluating a cache-based side-channel attack against an encryption process. To mitigate such attacks while not notably degrading performance, we propose an approach that leverages dynamic cache coloring: when an application is doing security-sensitive operations, the VMM is notified to swap the associated data to a safe and isolated cache line. This approach may eliminate cache-based side-channel for security-critical operations, yet ensure efficient resource sharing during normal operations. We demonstrate the applicability by illustrating a preliminary implementation based on Xen and its performance overhead.

Junpeng Wan,Yanxiang Bi,Zhe Zhou,Zhou Li

DOI: https://doi.org/10.1109/sp46214.2022.9833794

2022-01-01

Abstract:Cache side-channel attacks lead to severe security threats to the settings where a CPU is shared across users, e.g., in the cloud. The majority of attacks rely on sensing the micro-architectural state changes made by victims, but this assumption can be invalidated by combining spatial (e.g., Intel CAT) and temporal isolation. In this work, we advance the state of cache side-channel attacks by showing stateless cache side-channel attacks on server-grade CPUs, that can bypass both spatial and temporal isolation. Unlike stateful cache side-channel attacks that rely on the timing difference between a cache hit or miss, our attack exploits the timing difference caused by the interconnect congestion. Specifically, to complete cache transactions, for Intel server CPUs, which use non-inclusive and mesh interconnect, cache lines would travel across cores via the CPU mesh and UPI interconnects. Nonetheless, the interconnects are shared by all cores, and cache isolation does not segregate the traffic. An attacker can generate traffic to contend with a victim on a link, measure the extra delay, deduce the memory access pattern of the victim’s program, and infer its sensitive data. Based on this idea, we implement MESHUP, a stateless cache side-channel against mesh interconnect, and test it against the existing RSA implementations of JDK for the cross-core attack and application fingerprinting for the the cross-CPU attack. We found the RSA private key used by a victim process can be partially recovered and the co-running application can be inferred at high accuracy.

Han Wang,Ming Tang,Ke Xu,Quancheng Wang

DOI: https://doi.org/10.23919/date58400.2024.10546529

2024-01-01

Abstract:In the modern CPU architecture, enhancements such as the Line Fill Buffer (LFB) and Super Queue (SQ), which are designed to track pending cache requests, have significantly boosted performance. To exploit this structure, we deliberately engineered blockages in the L2 to L1d route by controlling LFB conflict and triggering prefetch prediction failures, while consciously dismissing other plausible influencing factors. This approach was subsequently extended to the L3 to L2 and L2 to L1i pathways, resulting in three potent covert channels, termed L2CC, L3CC, and LiCC, with capacities of 10.02 Mbps, 10.37 Mbps, and 1.83 Mbps, respectively. Strikingly, the capacities of L2CC and L3CC surpass those of earlier non-shared-memory-based covert channels, reaching a level comparable to their shared memory-dependent equivalents. Leveraging this congestion further facilitated the extraction of key bits from RSA and EdDSA designs. Coupled with SpectreV1 and V2, our covert channels effectively evade the majority of traditional Spectre defenses. Their confluence with Branch Prediction (BP) Timing assaults additionally undercuts balanced branch protections, hence broad-ening their capability to infiltrate a wide range of cryptography libraries. Index

Mengming Li,Kai Bu,Chenlu Miao,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2024.3354991

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cache side-channel attacks remain a stubborn source of cross-core secret leakage. Such attacks exploit the timing difference between cache hits and misses. Most defenses thus choose to prevent cache evictions. Given that two possible types of evictions—flush-based and conflict-based—use different architectural features, these defenses have to integrate hybrid defense strategies, incur OS modification, and sacrifice performance to completely throttle cache side-channel attacks. In this paper, we present TreasureCache against cache side-channel attacks without modifying OS or sacrificing performance. Instead of preventing cache evictions with various costs, we advocate to allow cache evictions as is and hide exploitable evictions in our specialized small eviction-hidden buffer. The buffer guarantees a fast hit time comparative to LLC hits. This instantly closes the timing gap between accessing exploitable blocks when they are in and out of the LLC. Moreover, with the help of our buffer, we no longer have to disable flush instructions or shared memory. A lightweight constant-time flush instruction can help TreasureCache to prevent both flush-based and conflict-based side-channel attacks. We validate TreasureCache security and performance through extensive experiments. With a hardware overhead of less than 0.5%, TreasureCache reduces the secret-leakage resolution by about 1,000 times without introducing any performance slowdown.

Wenjing Cai,Ziyuan Zhu,Yuxin Liu,Yusha Zhang,Xu Cheng

DOI: https://doi.org/10.1109/CSCWD57460.2023.10152573

2023-01-01

Abstract:Intel Software Guard Extensions (SGX) protect sensitive content of applications on the cloud platform by creating an isolated environment on an untrusted operating system. However, resent works have shown that the SGX is vulnerable to a variety of side channel attacks which could be severely damage the data confidentiality provided by SGX, such as the cache side channel attack. Unfortunately, existing defense mechanisms either provide an incomplete protection or incur too much performance costs. In this paper, we propose a defense countermeasure against cache side channel attacks for SGX by detecting abnormal each level cache use behaviors. We create auxiliary threads for each enclave thread and detect when asynchronous enclave exits (AEX) occur, which defeats the condition of L1/L2 cache side channel attacks that attacker and victim threads execute in the same physical core. We put some guard data to the cache lines and inspect access time, which detects last level cache eviction set behaviors. More importantly, we utilize optimizations to reduce the performance overhead caused by AEX detection. In comparison to existing approaches, our design is secure against any cache level side channel attacks and its performance loss increases less.

Yanan Guo,Andrew Zigerelli,Youtao Zhang,Jun Yang

DOI: https://doi.org/10.48550/arXiv.2110.12340

2022-08-17

Abstract:Modern x86 processors have many prefetch instructions that can be used by programmers to boost performance. However, these instructions may also cause security problems. In particular, we found that on Intel processors, there are two security flaws in the implementation of PREFETCHW, an instruction for accelerating future writes. First, this instruction can execute on data with read-only permission. Second, the execution time of this instruction leaks the current coherence state of the target data. Based on these two design issues, we build two cross-core private cache attacks that work with both inclusive and non-inclusive LLCs, named Prefetch+Reload and Prefetch+Prefetch. We demonstrate the significance of our attacks in different scenarios. First, in the covert channel case, Prefetch+Reload and Prefetch+Prefetch achieve 782 KB/s and 822 KB/s channel capacities, when using only one shared cache line between the sender and receiver, the largest-to-date single-line capacities for CPU cache covert channels. Further, in the side channel case, our attacks can monitor the access pattern of the victim on the same processor, with almost zero error rate. We show that they can be used to leak private information of real-world applications such as cryptographic keys. Finally, our attacks can be used in transient execution attacks in order to leak more secrets within the transient window than prior work. From the experimental results, our attacks allow leaking about 2 times as many secret bytes, compared to Flush+Reload, which is widely used in transient execution attacks.

Cryptography and Security

Samira Briongos,Gorka Irazoqui,Pedro Malagón,Thomas Eisenbarth

DOI: https://doi.org/10.48550/arXiv.1709.01795

2017-09-06

Abstract:Cache attacks pose a threat to any code whose execution flow or memory accesses depend on sensitive information. Especially in public clouds, where caches are shared across several tenants, cache attacks remain an unsolved problem. Cache attacks rely on evictions by the spy process, which alter the execution behavior of the victim process. We show that hardware performance events of cryptographic routines reveal the presence of cache attacks. Based on this observation, we propose CacheShield, a tool to protect legacy code by monitoring its execution and detecting the presence of cache attacks, thus providing the opportunity to take preventative measures. CacheShield can be run by users and does not require alteration of the OS or hypervisor, while previously proposed software-based countermeasures require cooperation from the hypervisor. Unlike methods that try to detect malicious processes, our approach is lean, as only a fraction of the system needs to be monitored. It also integrates well into today's cloud infrastructure, as concerned users can opt to use CacheShield without support from the cloud service provider. Our results show that CacheShield detects cache attacks fast, with high reliability, and with few false positives, even in the presence of strong noise.

Cryptography and Security

Divya Ojha,Sandhya Dwarkadas

DOI: https://doi.org/10.1109/ISCA52012.2021.00037

2021-12-17

Abstract:Timing side channels have been used to extract cryptographic keys and sensitive documents, even from trusted enclaves. In this paper, we focus on cache side channels created by access to shared code or data in the memory hierarchy. This vulnerability is exploited by several known attacks, e.g, evict+reload for recovering an RSA key and Spectre variants for data leaked due to speculative accesses. The key insight in this paper is the importance of the first access to the shared data after a victim brings the data into the cache. To eliminate the timing side channel, we ensure that the first access by a process to any cache line loaded by another process results in a miss. We accomplish this goal by using a combination of timestamps and a novel hardware design to allow efficient parallel comparisons of the timestamps. The solution works at all the cache levels and defends against an attacker process running on another core, same core, or another hyperthread. Our design retains the benefits of a shared cache: allowing processes to utilize the entire cache for their execution and retaining a single copy of shared code and data (data deduplication). Our implementation in the GEM5 simulator demonstrates that the system is able to defend against RSA key extraction. We evaluate performance using SPECCPU2006 and observe overhead due to first access delay to be 2.17%. The overhead due to the security context bookkeeping is of the order of 0.3%.

Cryptography and Security

Chenlu Miao,Kai Bu,Mengming Li,Shaowu Mao,Jianwei Jia

DOI: https://doi.org/10.1109/micro56248.2022.00052

2022-01-01

Abstract:Cache coherence states have recently been exploited to leak secrets through timing-channel attacks. The root cause lies in the fact that shared data in state Exclusive (E) and state Shared (S) are served from different cache layers. The state-of-the-art countermeasure—S-MESI—serves both E- and S-state shared data from the last-level cache (LLC) by explicitly synchronizing the Modified (M) state across private caches and the LLC. This has to sacrifice the silent upgrade feature that MESI introduces for speedup. Moreover, it enforces protection to not only exploitable shared data but also unshared data. This further slows down performance, especially for write-after-read intensive applications. In this paper, we propose SwiftDir to efficiently secure cache coherence against cover-channel attacks without overprotection. SwiftDir fundamentally narrows down the protection scope to write-protected data. Such exploitable shared data can be uniquely identified with the write-protection permission in the memory management unit (MMU) and do not necessarily transit to state M. We validate this idea through tracing system calls of shared libraries on Linux. We then investigate all three commercial cache architectures (i.e., PIPT, VIPT, and VIVT) and find it feasible to hitchhike the address translation process to transmit the write-protection information from the MMU to the coherence controller. Then SwiftDir enforces protection over only write-protected data by serving all requests toward them directly from the LLC with a constant latency. This not only simplifies how MESI handles write-protected data but also avoids how S-MESI overprotects them. Meanwhile, SwiftDir still preserves silent upgrade for efficient handling of unshared data. Extensive experiments demonstrate that our SwiftDir can secure cache coherence while outperforming not only secure SMESI but also unprotected MESI.

Ankit Pulkit,Smita Naval,Vijay Laxmi

2023-12-18

Abstract:Side-channel attacks have become prominent attack surfaces in cyberspace. Attackers use the side information generated by the system while performing a task. Among the various side-channel attacks, cache side-channel attacks are leading as there has been an enormous growth in cache memory size in last decade, especially Last Level Cache (LLC). The adversary infers the information from the observable behavior of shared cache memory. This paper covers the detailed study of cache side-channel attacks and compares different microarchitectures in the context of side-channel attacks. Our main contributions are: (1) We have summarized the fundamentals and essentials of side-channel attacks and various attack surfaces (taxonomies). We also discussed different exploitation techniques, highlighting their capabilities and limitations. (2) We discussed cache side-channel attacks and analyzed the existing literature on cache side-channel attacks on various parameters like microarchitectures, cross-core exploitation, methodology, target, etc. (3) We discussed the detailed analysis of the existing mitigation strategies to prevent cache side-channel attacks. The analysis includes hardware- and software-based countermeasures, examining their strengths and weaknesses. We also discussed the challenges and trade-offs associated with mitigation strategies. This survey is supposed to provide a deeper understanding of the threats posed by these attacks to the research community with valuable insights into effective defense mechanisms.

Cryptography and Security

Junpeng Wan,Yanxiang Bi,Zhe Zhou,Zhou Li

DOI: https://doi.org/10.48550/arXiv.2103.04533

2021-03-08

Abstract:Cache side-channel attacks lead to severe security threats to the settings that a CPU is shared across users, e.g., in the cloud. The existing attacks rely on sensing the micro-architectural state changes made by victims, and this assumption can be invalidated by combining spatial (\eg, Intel CAT) and temporal isolation (\eg, time protection). In this work, we advance the state of cache side-channel attacks by showing stateless cache side-channel attacks that cannot be defeated by both spatial and temporal isolation. This side-channel exploits the timing difference resulted from interconnect congestion. Specifically, to complete cache transactions, for Intel CPUs, cache lines would travel across cores via the CPU mesh interconnect. Nonetheless, the mesh links are shared by all cores, and cache isolation does not segregate the traffic. An attacker can generate interconnect traffic to contend with the victim's on a mesh link, hoping that extra delay will be measured. With the variant delays, the attacker can deduce the memory access pattern of a victim program, and infer its sensitive data. Based on this idea, we implement Volcano and test it against the existing RSA implementations of JDK. We found the RSA private key used by a victim process can be partially recovered. In the end, we propose a few directions for defense and call for the attention of the security community.

Cryptography and Security

Ghada Dessouky,Tommaso Frassetto,Ahmad-Reza Sadeghi

DOI: https://doi.org/10.48550/arXiv.1909.09599

2019-09-21

Abstract:Modern multi-core processors share cache resources for maximum cache utilization and performance gains. However, this leaves the cache vulnerable to side-channel attacks, where timing differences in shared cache behavior are exploited to infer information on the victim's execution patterns, ultimately leaking private information. The root cause for these attacks is mutually distrusting processes sharing cache entries and accessing them in a deterministic manner. Various defenses against cache side-channel attacks have been proposed. However, they either degrade performance significantly, impose impractical restrictions, or can only defeat certain classes of these attacks. More importantly, they assume that side-channel-resilient caches are required for the entire execution workload and do not allow to selectively enable the mitigation only for the security-critical portion of the workload. We present a generic mechanism for a flexible and soft partitioning of set-associative caches and propose a hybrid cache architecture, called HybCache. HybCache can be configured to selectively apply side-channel-resilient cache behavior only for isolated execution domains, while providing the non-isolated execution with conventional cache behavior, capacity and performance. An isolation domain can include one or more processes, specific portions of code, or a Trusted Execution Environment. We show that, with minimal hardware modifications and kernel support, HybCache can provide side-channel-resilient cache only for isolated execution with a performance overhead of 3.5-5%, while incurring no performance overhead for the remaining execution workload. We provide a simulator-based and hardware implementation of HybCache to evaluate the performance and area overheads, and show how it mitigates typical access-based and contention-based cache attacks.

Cryptography and Security

Han Wang,Ming Tang,Ke Xu,Quancheng Wang

2023-06-03

Abstract:In the modern CPU architecture, enhancements such as the Line Fill Buffer (LFB) and Super Queue (SQ), which are designed to track pending cache requests, have significantly boosted performance. To exploit this structures, we deliberately engineered blockages in the L2 to L1d route by controlling LFB conflict and triggering prefetch prediction failures, while consciously dismissing other plausible influencing factors. This approach was subsequently extended to the L3 to L2 and L2 to L1i pathways, resulting in three potent covert channels, termed L2CC, L3CC, and LiCC, with capacities of 10.02 Mbps, 10.37 Mbps, and 1.83 Mbps, respectively. Strikingly, the capacities of L2CC and L3CC surpass those of earlier non-shared-memory-based covert channels, reaching a level comparable to their shared memory-dependent equivalents. Leveraging this congestion further facilitated the extraction of key bits from RSA and EdDSA implementations. Coupled with SpectreV1 and V2, our covert channels effectively evade the majority of traditional Spectre defenses. Their confluence with Branch Prediction (BP) Timing assaults additionally undercuts balanced branch protections, hence broadening their capability to infiltrate a wide range of cryptography libraries.

Cryptography and Security

Divya Ojha,Sandhya Dwarkadas

2024-08-26

Abstract:Shared caches are vulnerable to side channel attacks through contention in cache sets. Besides being a simple source of information leak, these side channels form useful gadgets for more sophisticated attacks that compromise the security of shared systems. The fundamental design aspect that contention attacks exploit is the deterministic nature of the set of addresses contending for a cache set. In this paper, we present RollingCache, a cache design that defends against contention attacks by dynamically changing the set of addresses contending for cache sets. Unlike prior defenses, RollingCache does not rely on address encryption/decryption, data relocation, or cache partitioning. We use one level of indirection to implement dynamic mapping controlled by the whole-cache runtime behavior. Our solution does not depend on having defined security domains, and can defend against an attacker running on the same or another core. We evaluate RollingCache on ChampSim using the SPEC-2017 benchmark suite. Our security evaluation shows that our dynamic mapping removes the deterministic ability to identify the source of contention. The performance evaluation shows an impact of 1.67\% over a mix of workloads, with a corresponding

Cryptography and Security,Hardware Architecture

Stephan van Schaik,Marina Minkin,Andrew Kwong,Daniel Genkin,Yuval Yarom

DOI: https://doi.org/10.48550/arXiv.2006.13353

2020-06-24

Abstract:Recent transient-execution attacks, such as RIDL, Fallout, and ZombieLoad, demonstrated that attackers can leak information while it transits through microarchitectural buffers. Named Microarchitectural Data Sampling (MDS) by Intel, these attacks are likened to "drinking from the firehose", as the attacker has little control over what data is observed and from what origin. Unable to prevent the buffers from leaking, Intel issued countermeasures via microcode updates that overwrite the buffers when the CPU changes security domains. In this work we present CacheOut, a new microarchitectural attack that is capable of bypassing Intel's buffer overwrite countermeasures. We observe that as data is being evicted from the CPU's L1 cache, it is often transferred back to the leaky CPU buffers where it can be recovered by the attacker. CacheOut improves over previous MDS attacks by allowing the attacker to choose which data to leak from the CPU's L1 cache, as well as which part of a cache line to leak. We demonstrate that CacheOut can leak information across multiple security boundaries, including those between processes, virtual machines, user and kernel space, and from SGX enclaves.

Cryptography and Security