In cache-based side channel attacks, an attacker infers information about the victim based on the presence, or lack thereof, of one or more cachelines. Determining a cacheline's presence, which we refer to as "reading the signal", typically requires testing the access time of the line using a suitably high precision timer. In this paper we introduce novel gadgets which leverage CPU speculation to enable modification of these signals, before they are read, for a variety of purposes. First, these gadgets enable an attacker to optimize cache-based side channel attacks by evaluating arbitrary logic functions on cacheline signals prior to their measurement. Second, we demonstrate amplification techniques that enable an attacker to read a signal even if no high precision timer is available. Combined, these techniques can be used to improve existing side channel attacks even if timer access is limited. We evaluate the effectiveness of these techniques on a modern x86 CPU and demonstrate that when properly tuned, cache side channel signals can be reliably modified with near 100% accuracy and are able to be read with a timer as coarse as 100ms or more.

翻译：在基于缓存的侧信道攻击中，攻击者根据一个或多个缓存行是否存在来推断受害者的信息。确定缓存行是否存在（我们称之为"读取信号"），通常需要使用高精度定时器测试该行的访问时间。本文引入了几种新型机制，利用CPU推测执行在信号被读取前对其进行修改，以实现多种目的。首先，这些机制使攻击者能够在测量前对缓存行信号执行任意逻辑函数评估，从而优化基于缓存的侧信道攻击。其次，我们展示了放大技术，即使没有高精度定时器，攻击者也能读取信号。两者结合，可在定时器访问受限的情况下改进现有侧信道攻击。我们在现代x86 CPU上评估了这些技术的有效性，实验表明，经过适当调优后，缓存侧信道信号可近乎100%准确率地可靠修改，并且即使使用粗至100毫秒或更长的定时器也能被读取。