Codentium

On the topic of low-level programming.

Introduction

The ASLR^Cache (AnC) attack is an EVICT+TIME side-channel attack on the MMU. It relies on the fact that the page table entries the MMU reads during a page table walk are stored in the last-level cache (LLC) to speed up future translations. By evicting parts of the LLC and timing the page table lookup, AnC can identify which cache lines of the LLC hold page table entries. During the implementation of the native version we found that evicting the LLC and flushing the TLB is not sufficient on most modern CPU architectures. In addition to the TLB, which caches complete virtual address translations, most MMUs also have a page table cache or translation cache that holds the intermediate page table entries. Since the sizes of the TLB and the LLC are already documented, the AnC attack can also be used to reverse engineer the properties of the page table caches that are of interest to attackers, such as their internal architecture and size.
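To make the cache-state argument above concrete, here is a toy model of a 4-level x86-64 page walk with and without a page-walk cache for the intermediate entries. It is a constructed illustration added for this page, not the anc or revanc code, and it assumes a 48-bit virtual address split into four 9-bit indices, 8-byte page table entries and 64-byte cache lines. It shows why flushing the TLB and evicting the LLC alone does not return the MMU to a cold state: with a page-walk cache, the second walk of the same address starts at the last level and touches memory only once.

```python
"""Toy model of translation state in an MMU (constructed example).

Three structures are modelled: the TLB (complete translations), the LLC
(cache lines that hold page table entries) and a page-walk cache (PWC)
that remembers which intermediate table a prefix of the address maps to.
"""
from dataclasses import dataclass, field

PAGE_SHIFT = 12          # 4 KiB pages
ENTRIES_PER_LINE = 8     # 64-byte line / 8-byte entry


def page_table_indices(vaddr):
    """Split a 48-bit virtual address into (PML4, PDPT, PD, PT) indices."""
    return tuple((vaddr >> (39 - 9 * level)) & 0x1FF for level in range(4))


def entry_line(level, idx):
    """Identify the cache line holding the entry read at `level`.

    The table itself is selected by the indices above this level; the line
    within it by the entry index divided by the entries per line.
    """
    return (level, idx[:level], idx[level] // ENTRIES_PER_LINE)


@dataclass
class ToyMMU:
    has_pwc: bool = True
    tlb: set = field(default_factory=set)   # virtual page numbers
    pwc: set = field(default_factory=set)   # (level, address prefix) pairs
    llc: set = field(default_factory=set)   # cache lines holding PT entries

    def translate(self, vaddr):
        """Return ('tlb', 0, 0) on a TLB hit, else ('walk', start, mem).

        `start` is the level the walk began at (0 = full walk) and `mem`
        the number of page table reads that missed the LLC.
        """
        vpn = vaddr >> PAGE_SHIFT
        if vpn in self.tlb:
            return ("tlb", 0, 0)
        idx = page_table_indices(vaddr)
        start = 0
        if self.has_pwc:
            # Deepest cached prefix wins: a (3, prefix) hit skips 3 levels.
            for level in (3, 2, 1):
                if (level, idx[:level]) in self.pwc:
                    start = level
                    break
        mem = 0
        for level in range(start, 4):
            line = entry_line(level, idx)
            if line not in self.llc:      # EVICT+TIME measures this miss
                mem += 1
                self.llc.add(line)
            if self.has_pwc and level < 3:
                # Reading this entry tells us where the next table lives.
                self.pwc.add((level + 1, idx[:level + 1]))
        self.tlb.add(vpn)
        return ("walk", start, mem)


def demo(has_pwc):
    """Walk once cold, flush TLB and evict LLC, walk again (constructed)."""
    mmu = ToyMMU(has_pwc=has_pwc)
    vaddr = 0x7F12_3456_7000          # constructed user-space address
    first = mmu.translate(vaddr)      # cold: four reads go to memory
    mmu.tlb.clear()                   # what a TLB flush removes
    mmu.llc.clear()                   # what an LLC eviction removes
    second = mmu.translate(vaddr)     # PWC, if present, survives both
    return first, second


if __name__ == "__main__":
    print("with page-walk cache:   ", demo(True))
    print("without page-walk cache:", demo(False))
```

Read the second tuple of each result: with a page-walk cache the walk restarts at level 3 and misses once, without one it restarts at level 0 and misses four times, which is exactly the difference the text says must be accounted for when evicting translation state.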

With anc, we have demonstrated that numerous x86-64, ARMv7-A and ARMv8-A microarchitectures are affected by the AnC attack. Furthermore, with revanc we have been able to detect the existence of page table caches and the number of entries they contain on these microarchitectures.