Last-level cache side-channel attacks have been mostly demonstrated in highly controlled, quiescent local environments. Hence, it is unclear whether such attacks are feasible in a production cloud environment. In the cloud, side channels are flooded with noise from activities of other tenants and, in Function-as-a-Service (FaaS) workloads, the attacker has a very limited time window to mount the attack. In this paper, we show that such attacks are feasible in practice, although they require new techniques. We present an end-to-end, cross-tenant attack on a vulnerable ECDSA implementation in the public FaaS Google Cloud Run environment. We introduce several new techniques to improve every step of the attack. First, to speed up the generation of eviction sets, we introduce L2-driven candidate address filtering and a Binary Search-based algorithm for address pruning. Second, to monitor victim memory accesses with high time resolution, we introduce Parallel Probing. Finally, we leverage power spectral density from signal processing to easily identify the victim's target cache set in the frequency domain. Overall, using these mechanisms, we extract a median value of 81% of the secret ECDSA nonce bits from a victim container in 19 seconds on average.