Flush+Flush: A Fast and Stealthy Cache Attack

  • Daniel GrussEmail author
  • Clémentine Maurice
  • Klaus Wagner
  • Stefan Mangard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)


Research on cache attacks has shown that CPU caches leak significant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection.

In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the flush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache flushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6.7 times faster than any previously published cache covert channel.



We would like to thank Mathias Payer, Anders Fogh, and our anonymous reviewers for their valuable comments and suggestions.

Open image in new window Supported by the EU Horizon 2020 programme under GA No. 644052 (HECTOR), the EU FP7 programme under GA No. 610436 (MATTHEW), the Austrian Research Promotion Agency (FFG) and Styrian Business Promotion Agency (SFG) under GA No. 836628 (SeCoS), and Cryptacus COST Action IC1403.


  1. 1.
    Barresi, A., Razavi, K., Payer, M., Gross, T.R.: CAIN: silently breaking ASLR in the cloud. In: WOOT 2015 (2015)Google Scholar
  2. 2.
    Bernstein, D.J.: Cache-timing attacks on AES. Technical report, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago (2005)Google Scholar
  3. 3.
    Bhattacharya, S., Mukhopadhyay, D.: Who watches the watchmen?: Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms. Cryptology ePrint Archive, Report 2015/621 (2015)Google Scholar
  4. 4.
    Brickell, E., Graunke, G., Neve, M., Seifert, J.P.: Software mitigations to hedge AES against cache-based software side channel vulnerabilities. Cryptology ePrint Archive, Report 2006/052 (2006)Google Scholar
  5. 5.
    Chiappetta, M., Savas, E., Yilmaz, C.: Real time detection of cache-based side-channel attacks using hardware performance counters. Cryptology ePrint Archive, Report 2015/1034 (2015)Google Scholar
  6. 6.
    Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., Stolfo, S.: On the feasibility of online malware detection with performance counters. ACM SIGARCH Comput. Archit. News 41(3), 559–570 (2013)CrossRefGoogle Scholar
  7. 7.
  8. 8.
    Fuchs, A., Lee, R.B.: Disruptive prefetching: impact on side-channel attacks and cache designs. In: Proceedings of the 8th ACM International Systems and Storage Conference (SYSTOR 2015) (2015)Google Scholar
  9. 9.
    Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in javascript. In: DIMVA 2016 (2016)Google Scholar
  10. 10.
    Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: USENIX Security Symposium (2015)Google Scholar
  11. 11.
    Gullasch, D., Bangerter, E., Krenn, S.: Cache games - Bringing access-based cache attacks on AES to practice. In: S&P 2011 (2011)Google Scholar
  12. 12.
    Gülmezoğlu, B., İnci, M.S., Irazoqui, G., Eisenbarth, T., Sunar, B.: A faster and more realistic Flush+Reload attack on AES. In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2015. LNCS, vol. 9064, pp. 111–126. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  13. 13.
    Herath, N., Fogh, A.: These are Not Your Grand Daddy’s CPU Performance Counters - CPU Hardware Performance Counters for Security. Black Hat 2015 Briefings.
  14. 14.
    Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: 2013 IEEE Symposium on Security and Privacy, pp. 191–205 (2013)Google Scholar
  15. 15.
    Intel: Intel\(\textregistered \) 64 and IA-32 Architectures Software Developer’s Manual, vol. 3 (3A, 3B & 3C): System Programming Guide 253665 (2014)Google Scholar
  16. 16.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: S$A: a shared cache attack that works across cores and defies VM sandboxing - and its application to AES. In: S&P 2015 (2015)Google Scholar
  17. 17.
    Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Know thy neighbor: crypto library detection in cloud. In: Proceedings on Privacy Enhancing Technologies, vol. 1(1), pp. 25–40 (2015)Google Scholar
  18. 18.
    Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: AsiaCCS 2015 (2015)Google Scholar
  19. 19.
    Kim, T., Peinado, M., Mainar-Ruiz, G.: StealthMem: system-level protection against cache-based side channel attacks in the cloud. In: Proceedings of the 21st USENIX Security Symposium (2012)Google Scholar
  20. 20.
    Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J.H., Lee, D., Wilkerson, C., Lai, K., Mutlu, O.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: Proceeding of the 41st Annual International Symposium on Computer Architecuture (ISCA 2014) (2014)Google Scholar
  21. 21.
    Kong, J., Acıiçmez, O., Seifert, J.P., Zhou, H.: Hardware-software integrated approaches to defend against software cache-based side channel attacks. In: Proceedings of the 15th International Symposium on High Performance Computer Architecture (HPCA 2009), pp. 393–404 (2009)Google Scholar
  22. 22.
    Lipp, M., Gruss, D., Spreitzer, R., Mangard, S.: Armageddon: Last-level cacheattacks on mobile devices. CoRR abs/1511.04897 (2015)Google Scholar
  23. 23.
    Liu, F., Lee, R.B.: Random fill cache architecture. In: IEEE/ACM International Symposium on Microarchitecture (MICRO 2014), pp. 203–215 (2014)Google Scholar
  24. 24.
    Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: S&P 2015 (2015)Google Scholar
  25. 25. 2.6.26-rc1 short-form changelog, May 2008.
  26. 26.
    Malone, C., Zahran, M., Karri, R.: Are hardware performance counters a cost effective way for integrity checking of programs. In: Proceedings of the Sixth ACM Workshop on Scalable Trusted Computing (2011)Google Scholar
  27. 27.
    Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A.: Reverse engineering intel complex addressing using performance counters. In: RAID (2015)Google Scholar
  28. 28.
    Maurice, C., Neumann, C., Heen, O., Francillon, A.: C5: cross-cores cache covert channel. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 46–64. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  29. 29.
    Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: CCS 2015 (2015)Google Scholar
  30. 30.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  31. 31.
    Payer, M.: HexPADS: a platform to detect “Stealth” attacks. In: Caballero, J., et al. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 138–154. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-30806-7_9 CrossRefGoogle Scholar
  32. 32.
    Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan (2005)Google Scholar
  33. 33.
    Qureshi, M.K., Jaleel, A., Patt, Y.N., Steely, S.C., Emer, J.: Adaptive insertion policies for high performance caching. ACM SIGARCH Comput. Archit. News 35(2), 381–391 (2007)CrossRefGoogle Scholar
  34. 34.
    Raj, H., Nathuji, R., Singh, A., England, P.: Resource management for isolation enhanced cloud services. In: Proceedings of the 1st ACM Cloud Computing Security Workshop (CCSW 2009), pp. 77–84 (2009)Google Scholar
  35. 35.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: CCS 2009 (2009)Google Scholar
  36. 36.
    Seaborn, M., Dullien, T.: Exploiting the DRAM rowhammer bug to gain kernel privileges. In: Black Hat (2015)Google Scholar
  37. 37.
    Spreitzer, R., Plos, T.: Cache-access pattern attack on disaligned AES T-tables. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 200–214. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  38. 38.
    Tannous, A., Trostle, J.T., Hassan, M., McLaughlin, S.E., Jaeger, T.: New side channels targeted at passwords. In: ACSAC, pp. 45–54 (2008)Google Scholar
  39. 39.
    Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptology 23(1), 37–71 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  40. 40.
    Uhsadel, L., Georges, A., Verbauwhede, I.: Exploiting hardware performance counters. In: 5th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008) (2008)Google Scholar
  41. 41.
    Wang, Z., Lee, R.B.: New cache designs for thwarting software cache-based side channel attacks. ACM SIGARCH Comput. Archit. News 35(2), 494 (2007)CrossRefGoogle Scholar
  42. 42.
    Wang, Z., Lee, R.B.: A novel cache architecture with enhanced performance and security. In: IEEE/ACM International Symposium on Microarchitecture (MICRO 2008), pp. 83–93 (2008)Google Scholar
  43. 43.
    Willems, C., Hund, R., Fobian, A., Felsch, D., Holz, T., Vasudevan, A.: Down to the bare metal: using processor features for binary analysis. In: ACSAC 2012 (2012)Google Scholar
  44. 44.
    Xia, Y., Liu, Y., Chen, H., Zang, B.: CFIMon: detecting violation of control flow integrity using performance counters. In: DSN 2012 (2012)Google Scholar
  45. 45.
    Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (2014)Google Scholar
  46. 46.
    Zhang, K., Wang, X.: Peeping tom in the neighborhood: keystroke eavesdropping on multi-user systems. In: USENIX Security Symposium (2009)Google Scholar
  47. 47.
    Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: HomeAlone: co-residency detection in the cloud via side-channel analysis. In: S&P 2011 (2011)Google Scholar
  48. 48.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-tenant side-channel attacks in PaaS clouds. In: CCS 2014 (2014)Google Scholar
  49. 49.
    Zhang, Y., Reiter, M.: Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud. In: CCS 2013 (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Daniel Gruss
    • 1
    Email author
  • Clémentine Maurice
    • 1
  • Klaus Wagner
    • 1
  • Stefan Mangard
    • 1
  1. 1.Graz University of TechnologyGrazAustria

Personalised recommendations