2nd/10_Wiki/Topics/Backend/Cache Side-Channel Attack.md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
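Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture/incomplete stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: broken link fixes, direct linking of redirects, concept mapping, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections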

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-cache-side-channel-attack
title: Cache Side-Channel Attack
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Cache Timing Attack, Flush+Reload, Prime+Probe, Spectre]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, hardware, microarchitecture, side-channel, crypto]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: C/Assembly
  framework: Linux/perf
---
# Cache Side-Channel Attack
## One-line summary
> **"Cache access timing leaks secrets."** The CPU cache is a shared resource: an attacker observes the victim's access pattern through timing and recovers keys or data. Since Spectre/Meltdown in 2018 this has been a systemic threat on every modern CPU, and in 2026 a combination of hardware mitigation (Intel CET, ARM MTE) and software (constant-time crypto) is still required.
## Core concepts
### Attack primitives
- **Flush+Reload**: requires shared memory (libcrypto). `clflush` the line, let the victim run, then classify hit/miss from the timing of a re-access. Leaks across cores through the inclusive L3 cache.
- **Prime+Probe**: used when there is no shared memory. The attacker fills a cache set, the victim runs, and on the attacker's reload the evicted lines show up as a timing spike.
- **Evict+Time**: measures the victim's own execution time; coarser, irrespective of cache state.
- **Flush+Flush**: uses the latency of `clflush` itself to tell hit from miss; quieter, evades PMU detection.
### Transient execution (Spectre/Meltdown)
- **Spectre v1**: bounds-check bypass — speculative load of out-of-bounds → cache trace.
- **Spectre v2**: branch target injection — indirect branch poisoning.
- **Meltdown**: kernel memory leak via deferred permission check.
- **MDS/L1TF/RIDL**: microarchitectural buffer leaks.
### Applications
1. AES key recovery (T-table lookup leak).
2. RSA key bit recovery (modular exponentiation pattern).
3. Cross-VM leak in cloud (Xen/KVM).
4. Cross-process key extraction (libssl shared library).
## 💻 Patterns
### Flush+Reload (skeleton, x86_64)
```c
#include <x86intrin.h>
#include <stdint.h>

// Timestamp read fenced on both sides so the timed load cannot drift across it.
static inline uint64_t rdtscp_serialized(void) {
    uint32_t aux;
    _mm_lfence();
    uint64_t t = __rdtscp(&aux);
    _mm_lfence();
    return t;
}

// Time a single load of addr, then flush the line for the next round.
int probe(const void *addr) {
    uint64_t t0 = rdtscp_serialized();
    (void)*(volatile const uint8_t *)addr;
    uint64_t t1 = rdtscp_serialized();
    _mm_clflush(addr);
    return (int)(t1 - t0);  // < ~120 cycles → cached (hit)
}
```
### Prime+Probe set-associative eviction
```c
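#include <stddef.h>
#include <stdint.h>
// Reuses rdtscp_serialized() from the Flush+Reload block above.
// THRESHOLD is a machine-specific cycle cutoff; this page does not define it.

// Prime: touch every line of the eviction set built for the target cache set (LLC)
void prime(uint8_t **set, size_t ways) {
    for (size_t i = 0; i < ways; i++) {
        (void)*(volatile uint8_t *)set[i];
    }
}

// Probe: re-time the same lines; a slow total means some were evicted
int probe_set(uint8_t **set, size_t ways) {
    uint64_t total = 0;
    for (size_t i = 0; i < ways; i++) {
        uint64_t t0 = rdtscp_serialized();
        (void)*(volatile uint8_t *)set[i];
        uint64_t t1 = rdtscp_serialized();
        total += (t1 - t0);
    }
    return total > THRESHOLD;  // victim accessed this set
}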
```
### Constant-time AES (defensive)
```c
// No T-table lookups: use bitsliced AES
// Default for the AES-NI fallback path in libgcrypt / OpenSSL 3.x
// Build with -maes so the intrinsic is available.
#include <wmmintrin.h>

__m128i aes_round(__m128i state, __m128i rk) {
    return _mm_aesenc_si128(state, rk);  // hardware, no table
}
```
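Where AES-NI is unavailable and a small secret-indexed table remains, the lookup can be made independent of the index by reading every entry and selecting with a mask. This is an added example, not code from the original page; `ct_lookup`, `ct_eq_mask`, `leaky_lookup` and the contents of `demo_table` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 256-entry demo table (NOT the AES S-box). */
static uint8_t demo_table[256];
void fill_demo_table(void) {
    for (size_t i = 0; i < 256; i++)
        demo_table[i] = (uint8_t)(i * 167u + 13u);
}

/* Leaky form: touches only the cache line that holds table[secret_idx]. */
uint8_t leaky_lookup(const uint8_t *table, size_t secret_idx) {
    return table[secret_idx];
}

/* 0xFF when a == b, 0x00 otherwise, with no branch on the operands. */
static uint8_t ct_eq_mask(size_t a, size_t b) {
    size_t x = a ^ b;                                  /* 0 iff a == b */
    size_t nonzero = (x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1);
    return (uint8_t)(nonzero - 1);                     /* 0 - 1 wraps to all ones */
}

/* Reads every entry in the same order for every index, so the cache lines
 * touched do not depend on secret_idx. An out-of-range index yields 0. */
uint8_t ct_lookup(const uint8_t *table, size_t len, size_t secret_idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < len; i++)
        out |= table[i] & ct_eq_mask(i, secret_idx);
    return out;
}

/* Number of indices where the two lookups disagree. */
int count_mismatches(void) {
    int bad = 0;
    fill_demo_table();
    for (size_t i = 0; i < 256; i++)
        bad += (ct_lookup(demo_table, 256, i) != leaky_lookup(demo_table, i));
    return bad;
}

int main(void) {
    printf("mismatches: %d\n", count_mismatches());
    return 0;
}
```

Check the generated assembly for the target build: an optimizer is free to reintroduce a data-dependent branch or an early exit, so constant-time behaviour has to be confirmed on the compiled output.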
### Spectre v1 mitigation (LFENCE fence)
```c
if (idx < array_len) {
    _mm_lfence();  // serialize speculation
    uint8_t v = array[idx];
    secret_dependent_load(v);
}
```
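An alternative to the LFENCE above is to clamp the index with a branchless mask, the idea behind the Linux kernel's `array_index_nospec()`. This is an added example, not code from the original page or from the kernel; `index_mask`, `read_nospec` and `demo_array` are hypothetical names, and it assumes GCC or Clang (inline-asm barrier, arithmetic right shift of signed values).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data for the demo. */
static const uint8_t demo_array[4] = { 0x10, 0x20, 0x30, 0x40 };

/* All ones when idx < size, 0 otherwise, computed with no branch.
 * Assumes size <= INT64_MAX. */
size_t index_mask(size_t idx, size_t size) {
    uint64_t v = (uint64_t)idx | ((uint64_t)size - 1u - (uint64_t)idx);
    return (size_t)(~(int64_t)v >> 63);
}

/* Guarded read. Architecturally the branch rejects bad indices; the mask
 * covers a mispredicted branch, because the load address then depends on
 * the comparison as data: a transient out-of-range idx becomes 0. */
uint8_t read_nospec(const uint8_t *array, size_t array_len, size_t idx,
                    uint8_t fallback) {
    if (idx >= array_len)
        return fallback;
    /* Hide the value range from the optimizer; otherwise it may conclude
     * the mask is always all ones after the check and delete it. */
    __asm__ volatile("" : "+r"(idx));
    idx &= index_mask(idx, array_len);
    return array[idx];
}

int main(void) {
    printf("in range:     0x%02x\n", read_nospec(demo_array, 4, 2, 0xEE));
    printf("out of range: 0x%02x\n", read_nospec(demo_array, 4, 9, 0xEE));
    return 0;
}
```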
### Speculative load hardening (Clang)
```bash
clang -mspeculative-load-hardening -O2 victim.c -o victim
# Injects conditional masking: secrets on the speculative path are masked to 0
```
### Constant-time comparison
```c
#include <stddef.h>
#include <stdint.h>

// Returns 0 when the buffers are equal, nonzero otherwise.
int ct_memcmp(const void *a, const void *b, size_t n) {
    const uint8_t *x = a, *y = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= x[i] ^ y[i];
    return diff;  // no early exit
}
```
### Cache partitioning (Intel CAT)
```bash
# Isolate LLC ways: a dedicated partition for the victim domain
pqos -e "llc:1=0x00ff;llc:2=0xff00"
pqos -a "core:1=1;core:2=2"
```
## Decision criteria
| Situation | Approach |
|---|---|
| Writing a crypto library | Constant-time + AES-NI/VAES intrinsics |
| Cloud multi-tenant | CAT partitioning + SMT off + KPTI |
| Browser (JS sandbox) | Site isolation + COOP/COEP + jittered timers |
| Embedded ARM | MTE + speculative barriers (CSDB) |
| Detection | Intel PMU `MEM_LOAD_RETIRED.L3_MISS` anomaly |

**Default**: constant-time crypto + KPTI + retpoline/IBRS + browser site isolation.
## 🔗 Graph
- Parent: [[Memory Hierarchy]]
- Variants: [[Spectre]] · [[Rowhammer]]
- Adjacent: [[Speculative Execution]]
## 🤖 LLM usage
**When**: enumerating a red-team threat model, mitigation review, constant-time code audit.
**When not**: actual exploit chains. Practical attacks depend on hardware-specific measurement, and an LLM may hallucinate.
## ❌ Anti-patterns
- **Table-based AES in shared lib**: the T-table cache footprint is key-dependent, so it leaks immediately to Flush+Reload.
- **Branch on secret**: a vector for BTB poisoning; use constant-time control flow.
- **`memcmp` on secrets**: early-exit timing; substitute `ct_memcmp`.
- **SMT enabled in cloud**: sibling threads share L1; disable it.
- **Trusting `rdtsc` jitter as defense**: the attacker can amplify the signal; a fundamental fix is needed.
## 🧪 Verification / Duplicates
- Verified (Yarom & Falkner USENIX Security 2014; Kocher et al. 2018; Intel SDM Vol 3 §11).
- Trust level A.
## 🕓 Changelog
| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: tidied up Flush+Reload, Spectre, constant-time mitigation |