
Attack Directories, Not Caches: Side-Channel Attacks in a Non-Inclusive World [pdf] - mettamage
http://iacoma.cs.uiuc.edu/iacoma-papers/ssp19.pdf
======
mettamage
The part on how they reverse engineered the cache directory is especially
interesting.

Consider this: they built an eviction algorithm [1] that just worked. And by
varying it on different threads, you basically get to understand (a) it is
inclusive for private and shared cache lines and (b) the cache replacement
policies (private gets kicked out first).

I find it quite cool since eviction algorithms are normally used for evict +
reload attacks, but no! They can also be used for reverse engineering cache
behaviors in CPUs :D

[1] An eviction algorithm is an algorithm designed to kick out all the other
entries in the cache (of a particular cache set, that is).
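
The eviction-set primitive the comment above refers to, as an added example
(my code, not the paper's or the poster's): it builds a set of lines congruent
to one cache set, uses it to flush that set, and times a reload of a target
line before and after. It assumes a 32 KiB, 8-way, 64-byte-line L1D, so the
set index is address bits 6..11 and lies inside the 4 KiB page offset; that is
why plain virtual addresses suffice here. All names (`pool`, `target_line`,
`build_eviction_set`, `evict_reload_demo`) are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Assumed L1D geometry (an assumption, not taken from the paper):
 * 32 KiB, 8-way, 64-byte lines -> 64 sets, index = address bits 6..11. */
#define LINE_SIZE 64
#define L1_SETS   64
#define L1_WAYS   8
#define EV_LINES  (2 * L1_WAYS) /* twice the associativity: flushes the set under any sane policy */

static uint8_t pool[64 * 4096];        /* constructed candidate lines: 64 per set */
static uint8_t target_line[LINE_SIZE]; /* the line whose residency we probe */

/* Cache-set index of an address under the assumed geometry. */
size_t set_index(uintptr_t addr) {
    return (addr / LINE_SIZE) % L1_SETS;
}

/* Collect up to `want` lines from buf[0..len) that are congruent to `set`.
 * Returns how many were found. */
size_t build_eviction_set(uint8_t *buf, size_t len, size_t set, size_t want, uint8_t **out) {
    size_t n = 0;
    for (size_t off = 0; off + LINE_SIZE <= len && n < want; off += LINE_SIZE)
        if (set_index((uintptr_t)(buf + off)) == set)
            out[n++] = buf + off;
    return n;
}

/* 1 if every line maps to `set` and no line is listed twice. */
int eviction_set_is_valid(uint8_t **ev, size_t n, size_t set) {
    for (size_t i = 0; i < n; i++) {
        if (set_index((uintptr_t)ev[i]) != set) return 0;
        for (size_t j = 0; j < i; j++)
            if (ev[i] == ev[j]) return 0;
    }
    return 1;
}

/* Touch every line twice so even an LRU-ish policy replaces all ways. */
void evict(uint8_t **ev, size_t n) {
    volatile uint8_t sink = 0;
    for (int rep = 0; rep < 2; rep++)
        for (size_t i = 0; i < n; i++) sink ^= ev[i][0];
}

/* Timestamp: serialized rdtsc on x86, CLOCK_MONOTONIC nanoseconds elsewhere. */
static uint64_t now(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned lo, hi;
    __asm__ volatile("lfence\n\trdtsc\n\tlfence" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* Latency of a single load from p. */
uint64_t time_load(const uint8_t *p) {
    volatile const uint8_t *vp = p;
    uint64_t t0 = now();
    uint8_t v = *vp;
    uint64_t t1 = now();
    (void)v;
    return t1 - t0;
}

/* Deterministic check: can a full eviction set be built for `set` from the pool? */
int eviction_set_self_test(size_t set) {
    uint8_t *ev[EV_LINES];
    size_t n = build_eviction_set(pool, sizeof pool, set, EV_LINES, ev);
    return n == EV_LINES && eviction_set_is_valid(ev, n, set);
}

/* Evict+reload: reload latency with the target cached vs. after its set is flushed. */
int evict_reload_demo(uint64_t *hit, uint64_t *miss) {
    size_t set = set_index((uintptr_t)target_line);
    uint8_t *ev[EV_LINES];
    if (build_eviction_set(pool, sizeof pool, set, EV_LINES, ev) != EV_LINES) return 0;
    time_load(target_line);          /* warm: bring the target into L1 */
    *hit = time_load(target_line);   /* reload while resident */
    evict(ev, EV_LINES);             /* push it out through its own set */
    *miss = time_load(target_line);  /* reload after eviction */
    return 1;
}

int main(void) {
    uint64_t hit = 0, miss = 0;
    if (!evict_reload_demo(&hit, &miss)) return 1;
    printf("reload while cached: %llu, after eviction: %llu (cycles on x86, ns elsewhere)\n",
           (unsigned long long)hit, (unsigned long long)miss);
    return 0;
}
```

Two caveats a practitioner will hit immediately. First, flushing the L1 set
only demotes the target to L2, so the gap you see is L1 versus L2 latency, and
a hardware prefetcher or an unlucky interrupt can blur it; run the probe many
times and look at the distribution, not one sample. Second, L2 and the shared
last-level structures are indexed by physical address bits above the page
offset, so this virtual-address trick does not carry over to them; building
eviction sets there requires either huge pages or the kind of timing-based
reverse engineering the comment above admires.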

------
mettamage
I also had some funny shower thoughts about this. I think reverse engineering
in general plays an interesting part in the philosophy of science.

To what extent is something science when only one private company knows about
it and the public (i.e. security researchers) needs to reverse engineer it? One
could say that it is like a 'simulated nature' that has yet to reveal its
secrets.

In that sense I feel that reverse engineering stuff like this is a higher
fidelity form than simulation, since there are some real-world
stakes/incentives on the line. At least, as far as the philosophy of science
is concerned.

Another thing was that I was quite surprised at _how much_ the reverse
engineering effort just looked like a standard experiment that
psychologists or medical researchers would use as well. I mean it almost literally is:
control group, experimental group, hypothesis pans out, let's go on to
experiment 2, and it's the same song over again.

I still wanted to point these things out because I like interdisciplinary
comments and have the hope they could achieve something interesting.

~~~
DoctorOetker
I have often thought exactly what you describe; even more, I think that in an
alternate history this would actually be close to the "intellectual property"
policy: it is not the government's role to enforce intellectual property, while
it is the role of science to try and understand all phenomena, natural or
man-made. It would be legal for private entities (individuals or companies) to
_try_ to keep a business secret, but it would not be illegal for others to
investigate, reverse-engineer and reproduce (even commercially) what others
have done. Since scientific discovery into the public domain would be rewarded
by the public, it would still be feasible for private _individuals_ to
maintain a business secret for as long as no one reverse engineers it. But it
would de facto result in organizations being unable to profit from business
secrets (since any member of the organization could publish the company secret
to the public for a reward without facing consequences). This should prevent
monopolies from arising, and encourages smaller companies and open
collaboration.

------
karavelov
"We found that the above conditions do not hold in some AMD processors.
Consequently, our attack does not work on these AMD processors."

~~~
mettamage
Yeah, the generalization section leaves a lot to be desired. I feel the
constraints of the attack make it hard to generalize it.

