---
id: wiki-2026-0508-cache-side-channel-attack
title: Cache Side-Channel Attack
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Cache Timing Attack, Flush+Reload, Prime+Probe, Spectre]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, hardware, microarchitecture, side-channel, crypto]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: C/Assembly
  framework: Linux/perf
---

# Cache Side-Channel Attack

## In One Line

> **"Cache access timing leaks secrets."** The CPU cache is a shared resource: an attacker observes the victim's access pattern through timing and recovers keys or data. Since Spectre/Meltdown in 2018 this has been a systemic threat on every modern CPU; in 2026 a combination of hardware mitigations (Intel CET, ARM MTE) and software mitigations (constant-time crypto) is still required.

## Core Concepts

### Attack primitives

- **Flush+Reload**: requires shared memory (e.g. libcrypto). The attacker issues `clflush`, lets the victim run, then times a second access to tell hit from miss. Leaks across cores through an inclusive L3 cache.
- **Prime+Probe**: used when there is no shared memory. The attacker fills a cache set, the victim runs, and on the attacker's reload an evicted line shows up as a timing spike.
- **Evict+Time**: measures the victim's own execution time; coarser, regardless of cache state.
- **Flush+Flush**: uses the latency of `clflush` itself to tell hit from miss; quieter, evading PMU-based detection.

### Transient execution (Spectre/Meltdown)

- **Spectre v1**: bounds-check bypass. A speculative out-of-bounds load leaves a cache trace.
- **Spectre v2**: branch target injection (indirect branch poisoning).
- **Meltdown**: kernel memory leak via a deferred permission check.
- **MDS/L1TF/RIDL**: microarchitectural buffer leaks.

### Applications

1. AES key recovery (T-table lookup leak).
2. RSA key bit recovery (modular exponentiation pattern).
3. Cross-VM leak in cloud (Xen/KVM).
4. Cross-process key extraction (libssl shared library).

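
For application 1 above (the T-table lookup leak), an added example that is not from the original page: a masked full-table scan, a generic constant-time lookup technique distinct from the AES-NI and bitsliced approaches this page names. The table contents, the 64-byte line size and the `rd()` access-trace model are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define LINE 64u            /* assumed cache-line size in bytes */
static uint8_t table[256];  /* constructed stand-in for an S-box, not real AES values */
static unsigned trace;      /* model: bitmap of table lines read (table assumed line-aligned) */
static void init_table(void) {
    for (unsigned i = 0; i < 256; i++) table[i] = (uint8_t)(i * 167u + 13u);
}
/* Every table read goes through rd() so the model records which line it hits. */
static uint8_t rd(unsigned i) { trace |= 1u << (i / LINE); return table[i]; }

/* Leaky: the line read is idx / LINE, i.e. the top two bits of the secret. */
static uint8_t lookup_leaky(uint8_t idx) { return rd(idx); }

/* 0xFF if a == b, else 0x00, computed without a branch. */
static uint8_t ct_eq_mask(uint8_t a, uint8_t b) {
    uint32_t x = (uint32_t)(a ^ b);      /* 0 only when equal */
    return (uint8_t)((x - 1u) >> 8);     /* wraps to all-ones only for x == 0 */
}

/* Constant-time: reads all 256 entries in fixed order, keeps one by masking. */
static uint8_t lookup_ct(uint8_t idx) {
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++)
        out |= (uint8_t)(rd(i) & ct_eq_mask((uint8_t)i, idx));
    return out;
}

/* Lines touched by one lookup, as a 4-bit map (256 bytes / 64 = 4 lines). */
unsigned footprint(uint8_t (*f)(uint8_t), uint8_t idx) {
    init_table(); trace = 0; (void)f(idx); return trace;
}
unsigned footprint_leaky(uint8_t idx) { return footprint(lookup_leaky, idx); }
unsigned footprint_ct(uint8_t idx)    { return footprint(lookup_ct, idx); }
/* 1 if both variants return the same byte for every index. */
int variants_agree(void) {
    init_table();
    for (unsigned i = 0; i < 256; i++)
        if (lookup_ct((uint8_t)i) != lookup_leaky((uint8_t)i)) return 0;
    return 1;
}

int main(void) {
    printf("agree=%d\n", variants_agree());
    for (unsigned i = 0; i < 256; i += 64)
        printf("idx=%3u leaky=0x%x ct=0x%x\n", i, footprint_leaky((uint8_t)i), footprint_ct((uint8_t)i));
    return 0;
}
```

Inspect the compiled output before relying on `lookup_ct`: an optimizer is free to turn the masked scan back into a branch or an indexed load.
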
## 💻 Patterns

### Flush+Reload (skeleton, x86_64)

```c
#include <stdint.h>
#include <x86intrin.h>  // __rdtscp, _mm_lfence, _mm_clflush

// Read the timestamp counter with fences on both sides so the
// timed load cannot be reordered across the measurement.
static inline uint64_t rdtscp_serialized(void) {
    uint32_t aux;
    _mm_lfence();
    uint64_t t = __rdtscp(&aux);
    _mm_lfence();
    return t;
}

// Time one load of addr, then flush the line for the next round.
int probe(const void *addr) {
    uint64_t t0 = rdtscp_serialized();
    (void)*(volatile const uint8_t *)addr;
    uint64_t t1 = rdtscp_serialized();
    _mm_clflush(addr);
    return (int)(t1 - t0);  // < ~120 cycles → cached (hit)
}
```

### Prime+Probe set-associative eviction

```c
#include <stddef.h>
#include <stdint.h>

// Uses rdtscp_serialized() from the Flush+Reload block above.
// Total-latency cutoff, calibrated per machine (value not given on this page).
extern const uint64_t THRESHOLD;

// Build eviction set for target cache set (LLC)
void prime(uint8_t **set, size_t ways) {
    for (size_t i = 0; i < ways; i++) {
        (void)*(volatile uint8_t *)set[i];
    }
}

int probe_set(uint8_t **set, size_t ways) {
    uint64_t total = 0;
    for (size_t i = 0; i < ways; i++) {
        uint64_t t0 = rdtscp_serialized();
        (void)*(volatile uint8_t *)set[i];
        uint64_t t1 = rdtscp_serialized();
        total += (t1 - t0);
    }
    return total > THRESHOLD;  // victim accessed this set
}
```

### Constant-time AES (defensive)

```c
// No T-table lookups: use bitsliced AES.
// Default for the AES-NI fallback path in libgcrypt / OpenSSL 3.x.
#include <wmmintrin.h>  // AES-NI intrinsics

__m128i aes_round(__m128i state, __m128i rk) {
    return _mm_aesenc_si128(state, rk);  // hardware, no table
}
```

### Spectre v1 mitigation (LFENCE fence)

```c
// Fragment: idx, array_len, array and secret_dependent_load() come from
// the surrounding code. _mm_lfence() is declared in <emmintrin.h>.
if (idx < array_len) {
    _mm_lfence();  // serialize speculation
    uint8_t v = array[idx];
    secret_dependent_load(v);
}
```

### Speculative load hardening (Clang)

```bash
clang -mspeculative-load-hardening -O2 victim.c -o victim
# Injects conditional masking: secrets on the speculative path are masked to 0
```

### Constant-time comparison

```c
#include <stddef.h>
#include <stdint.h>

// Returns 0 if the buffers are equal, nonzero otherwise.
int ct_memcmp(const void *a, const void *b, size_t n) {
    const uint8_t *x = a, *y = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= x[i] ^ y[i];
    return diff;  // no early exit
}
```

### Cache partitioning (Intel CAT)

```bash
# Isolate LLC ways: a dedicated partition for the victim domain
pqos -e "llc:1=0x00ff;llc:2=0xff00"
pqos -a "core:1=1;core:2=2"
```

## Decision Criteria

| Situation | Approach |
|---|---|
| Writing a crypto library | Constant-time + AES-NI/VAES intrinsics |
| Cloud multi-tenant | CAT partitioning + SMT off + KPTI |
| Browser (JS sandbox) | Site isolation + COOP/COEP + jittered timers |
| Embedded ARM | MTE + speculative barriers (CSDB) |
| Detection | Intel PMU `MEM_LOAD_RETIRED.L3_MISS` anomaly |

**Default**: constant-time crypto + KPTI + retpoline/IBRS + browser site isolation.

## 🔗 Graph

- Parent: [[Memory Hierarchy]]
- Variants: [[Spectre]] · [[Rowhammer]]
- Adjacent: [[Speculative Execution]]

## 🤖 LLM Use

**When**: enumerating a red-team threat model, mitigation review, constant-time code audits.

**When not**: actual exploit chains. A practical attack depends on hardware-specific measurement, and an LLM may hallucinate.

## ❌ Anti-patterns

- **Table-based AES in shared lib**: the T-table cache footprint is key-dependent, so it leaks immediately to Flush+Reload.
- **Branch on secret**: a vector for BTB poisoning; use constant-time control flow.
- **`memcmp` on secrets**: early-exit timing; substitute `ct_memcmp`.
- **SMT enabled in cloud**: sibling threads share L1; disable it.
- **Trusting `rdtsc` jitter as defense**: an attacker can amplify the signal; a fundamental fix is needed.

## 🧪 Verification / Duplicates

- Verified (Yarom & Falkner USENIX Security 2014; Kocher et al. 2018; Intel SDM Vol 3 §11).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: tidied Flush+Reload, Spectre, constant-time mitigation |