Malicious management unit: Why stopping cache attacks in software is harder than you think

Stephan Van Schaik, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi

Research output: Chapter in Book / Report / Conference proceeding > Conference contribution > Academic > peer-review


Cache attacks have increasingly gained momentum in the security community. In such attacks, attacker-controlled code sharing the cache with a designated victim can leak confidential data by timing the execution of cache-accessing operations. Much recent work has focused on defenses that enforce cache access isolation between mutually distrusting software components. In such a landscape, many software-based defenses have been popularized, given their appealing portability and scalability guarantees. All such defenses prevent attacker-controlled CPU instructions from accessing a cache partition dedicated to a different security domain. In this paper, we present a new class of attacks (indirect cache attacks), which can bypass all the existing software-based defenses. In such attacks, rather than accessing the cache directly, attacker-controlled code lures an external, trusted component into indirectly accessing the cache partition of the victim and mounts a confused-deputy side-channel attack. To demonstrate the viability of these attacks, we focus on the MMU, demonstrating that indirect cache attacks based on translation operations performed by the MMU are practical and can be used to bypass all the existing software-based defenses. Our results show that the isolation enforced by existing defense techniques is imperfect and that generalizing such techniques to mitigate arbitrary cache attacks is much more challenging than previously assumed.

Original language: English
Title of host publication: Proceedings of the 27th USENIX Security Symposium
Publisher: USENIX Association
Number of pages: 18
ISBN (Electronic): 9781939133045
Publication status: Published - 2018
Event: 27th USENIX Security Symposium - Baltimore, United States
Duration: 15 Aug 2018 to 17 Aug 2018


Conference: 27th USENIX Security Symposium
Country/Territory: United States


