In this work, we explore the applicability of cache occupancy attacks and the implications of secure cache design rationales for such attacks. In particular, we show that one of the well-known cache randomization schemes, MIRAGE, touted to be resilient against eviction-based attacks, amplifies the effectiveness of cache occupancy attacks, making it more vulnerable than contemporary designs. We leverage MIRAGE's global eviction property to demonstrate a covert channel with byte-level granularity that requires far less cache occupancy (just $10\%$ of the LLC) than other schemes. For instance, ScatterCache (a randomization scheme with weaker security guarantees than MIRAGE) and a generic set-associative cache require $40\%$ and $30\%$ cache occupancy, respectively, to exhibit covert communication. Furthermore, we extend our attack vectors to include side-channel, template-based fingerprinting of workloads in a cross-core setting. We demonstrate the potency of such fingerprinting both on an in-house LLC simulator and on SPEC2017 workloads on gem5. Finally, we pinpoint implementation inconsistencies in MIRAGE's publicly available gem5 artifact, which motivate a re-evaluation of MIRAGE's performance statistics relative to ScatterCache and a baseline set-associative cache. We find that MIRAGE in fact performs worse than previously reported in the literature, a concern that should be addressed in successor generations of secure caches.
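To make the occupancy-channel argument concrete, the following Python model is an added example and not the paper's in-house simulator or the MIRAGE gem5 artifact. It models only the single property the attack leverages: a MIRAGE-style data store in which every install into a full cache evicts a uniformly random resident line, compared against a set-associative LRU baseline. The cache size (8192 lines, 16 ways), the receiver's 10% occupancy, the four sender footprints used as 2-bit symbol levels, the address regions, and the use of miss counts in place of measured probe latency are all assumptions chosen for illustration; ScatterCache, tag-store skews, noise from other tenants and real timing are not modelled. The point it demonstrates is why global eviction helps the attacker: the receiver's miss count grows smoothly with the sender's footprint even at 10% occupancy, whereas under per-set LRU the receiver sees nothing until the sender floods almost the whole cache.

```python
"""Toy model of a cache-occupancy covert channel under two replacement policies.

Constructed example, not the paper's simulator: it only models MIRAGE-style global
random eviction against a set-associative LRU baseline. Sizes, symbol levels and
address regions below are illustrative assumptions.
"""
import itertools
import random
from collections import OrderedDict

LLC_LINES = 8192                  # toy LLC capacity in lines (assumption; real LLCs are far larger)
WAYS = 16
SETS = LLC_LINES // WAYS
RECEIVER_LINES = LLC_LINES // 10  # receiver occupies 10% of the LLC, as in the MIRAGE attack setting
# Sender footprint (distinct, never-seen lines) that encodes each 2-bit symbol 0..3 (assumption)
LEVELS = [0, LLC_LINES // 4, LLC_LINES // 2, LLC_LINES]


class GlobalEvictionCache:
    """Fully associative data store: an install into a full cache evicts a uniformly
    random resident line (the global-eviction property of MIRAGE). Tag store, skews
    and their security arguments are deliberately not modelled."""

    def __init__(self, rng):
        self.rng = rng
        self.slots = []   # slot index -> resident address
        self.where = {}   # resident address -> slot index

    def access(self, addr):
        """Return True on a hit; on a miss install the line and return False."""
        if addr in self.where:
            return True
        if len(self.slots) < LLC_LINES:
            self.where[addr] = len(self.slots)
            self.slots.append(addr)
        else:
            victim = self.rng.randrange(LLC_LINES)   # global random victim
            del self.where[self.slots[victim]]
            self.slots[victim] = addr
            self.where[addr] = victim
        return False


class SetAssocLRUCache:
    """Baseline set-associative cache: index = addr mod SETS, LRU victim within the set."""

    def __init__(self, rng):  # rng unused; same constructor shape as GlobalEvictionCache
        self.sets = [OrderedDict() for _ in range(SETS)]

    def access(self, addr):
        s = self.sets[addr % SETS]
        if addr in s:
            s.move_to_end(addr)        # refresh recency
            return True
        if len(s) >= WAYS:
            s.popitem(last=False)      # evict the least recently used line of this set
        s[addr] = True
        return False


def transmit(cache, sender_addrs, receiver_addrs, symbol):
    """One channel round: receiver primes its lines, sender touches LEVELS[symbol]
    fresh lines, receiver probes and returns its miss count (the observation)."""
    for a in receiver_addrs:
        cache.access(a)
    for _ in range(LEVELS[symbol]):
        cache.access(next(sender_addrs))
    return sum(1 for a in receiver_addrs if not cache.access(a))


def run_channel(cache_cls, symbols, seed=1):
    """Calibrate on symbols 0..3, then transmit `symbols`.
    Returns (decoded symbols, calibration miss counts, raw observations)."""
    rng = random.Random(seed)
    cache = cache_cls(rng)
    for a in range(LLC_LINES):          # steady state: LLC full of unrelated background lines
        cache.access(a)
    receiver = rng.sample(range(1 << 24, 1 << 25), RECEIVER_LINES)
    sender = itertools.count(1 << 30)   # sender always touches never-seen addresses
    transmit(cache, sender, receiver, 0)  # warm-up round, discarded
    calibration = [transmit(cache, sender, receiver, s) for s in range(len(LEVELS))]
    observations = [transmit(cache, sender, receiver, s) for s in symbols]
    decoded = [min(range(len(LEVELS)), key=lambda lvl: abs(obs - calibration[lvl]))
               for obs in observations]
    return decoded, calibration, observations


def send_bytes(cache_cls, data, seed=1):
    """Encode each byte as four 2-bit symbols (MSB first); return what the receiver decodes."""
    symbols = [(b >> shift) & 3 for b in data for shift in (6, 4, 2, 0)]
    decoded, _, _ = run_channel(cache_cls, symbols, seed)
    out = bytearray()
    for i in range(0, len(decoded), 4):
        s = decoded[i:i + 4]
        out.append((s[0] << 6) | (s[1] << 4) | (s[2] << 2) | s[3])
    return bytes(out)


if __name__ == "__main__":
    for cls in (GlobalEvictionCache, SetAssocLRUCache):
        _, calib, _ = run_channel(cls, [])
        print(f"{cls.__name__}: receiver misses per symbol level = {calib}")
        print(f"  b'hi' decoded as {send_bytes(cls, b'hi')!r}")
```

Under global eviction the calibration vector is strictly increasing, so the receiver can map an observation back to a symbol by nearest calibrated level and recovers the bytes; under per-set LRU the first three levels all yield zero misses (the sender only evicts the stale, older lines in each set) and only the full-cache flood is visible, so the same receiver decodes garbage. Raising the receiver's occupancy is what makes the set-associative baseline usable, which is the trade-off the abstract's 10% versus 30% figures describe.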