CISPA
Browse

Rapid Reversing of Non-Linear CPU Cache Slice Functions: Unlocking Physical Address Leakage

Download (428.26 kB)
conference contribution
posted on 2025-04-16, 17:12 authored by Mikka RainerMikka Rainer, Lorenz Hetterich, Fabian Thomas, Tristan Hornetz, Leon Trampert, Lukas Gerlach, Michael Schwarz
Microarchitectural attacks are a growing threat to modern computing systems. CPU caches are an essential but complex element in many microarchitectural attacks, making it crucial to understand the inner workings. Despite progress in reverse-engineering techniques, non-linear cache-slice functions remain challenging to analyze, especially in recent Intel hybrid microarchitectures. In this paper, we introduce a novel approach towards reverse-engineering complex, non-linear cache-slice functions, particularly on modern Intel CPUs with hybrid microarchitectures. Our method significantly advances prior work by understanding the specific structure of microarchitectural hash functions, reducing the time required for reverse-engineering from days to minutes. In contrast to prior work, our technique successfully handles systems with 512GB of memory and diverse slice configurations. We present 17 newly identified functions used for cache-slice addressing and extend existing functions to support systems with more DRAM for multiple CPU generations. Additionally, we introduce an unprivileged virtual-to-physical address oracle that is a direct consequence of the complexity of the non-linear slice functions. Our method is particularly effective on modern Intel hybrid CPUs, including Alder Lake and Meteor Lake, where previously used methods for measuring slices or leaking physical addresses are unavailable. In 3 case studies, we validate our approach, demonstrating its effectiveness in executing targeted Spectre attacks on non-attacker-mapped memory, enabling DRAMA attacks, and creating cache eviction sets. Our findings emphasize the increased attack surface introduced by complex cache-slice functions in modern CPUs.

History

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

CISPA Affiliation

  • Yes

BibTeX

@conference{Rainer:Hetterich:Thomas:Hornetz:Trampert:Gerlach:Schwarz:2025, title = "Rapid Reversing of Non-Linear CPU Cache Slice Functions: Unlocking Physical Address Leakage", author = "Rainer, Mikka" AND "Hetterich, Lorenz" AND "Thomas, Fabian" AND "Hornetz, Tristan" AND "Trampert, Leon" AND "Gerlach, Lukas" AND "Schwarz, Michael", year = 2025, month = 5 }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC