IVcache: Defending Cache Side Channel Attacks via Invisible Accesses

ABSTRACTThe sharing of last-level cache (LLC) among different CPU cores makes cache vulnerable to side channel attacks. An attacker can get private information about co-running applications (victims) by monitoring their accesses in LLC. Cache side channel attacks can be mitigated by partitioning cache between the victim and attacker. However, previous partition works either make weak assumptions about the attacker's strength or force their security mechanisms and thus overhead to every user on the system, regardless of their security requirement. We argue that offering security protection as a service is a better choice for secure cache design. To achieve this, we propose Invisible-Victim cache (IVcache), a new cache partition design targeting both the original LLC attack and the new variant. IVcache classifies all security domains on the system as protected and unprotected. For LLC accesses from protected domains, IVcache handles cache state changes in a slightly different way to make those accesses invisible to any other security domains. We implement and evaluate IVcache in Gem5. The experimental results show that IVcache can defend against real-world attacks, and that it introduces negligible performance overhead to protected domains and no overhead to unprotected domains.