Abstract
Page cache attacks are hardware-agnostic and can have a high temporal and spatial resolution. With mitigations deployed since 2019, only Evict+Reload-style timing measurements remain, but they suffer from a very low temporal resolution and a high impact on system performance due to eviction.
In this paper, we show that the problem of page cache attacks is significantly larger than anticipated. We first present a new systematic approach to page cache attacks based on four primitives: flush, reload, evict, and monitor. From these primitives, we derive five generic attack techniques on the page cache: Flush+Monitor, Flush+Reload, Flush+Flush, Evict+Monitor, and Evict+Reload. We show mechanisms for all primitives that operate on fully up-to-date Linux kernels, bypassing existing mitigations. We demonstrate the practicality of our revived page cache attacks in three scenarios, showing that we advance the state of the art by orders of magnitude in terms of spatial and temporal attack resolution: First, the channel capacity with our fastest attack (Flush+Monitor) achieves an average capacity of 37.7 kB/s in a cross-process covert channel. Second, for low-frequency attacks, we demonstrate inter-keystroke timing and event detection attacks across processes, with a spatial resolution of 4 kB and a temporal resolution of 0.8 μs, improving the state of the art by 6 orders of magnitude. Third, in a website-fingerprinting attack, we achieve an F1 score of 90.54 % in a top 100 closed-world scenario. We conclude that further mitigations are necessary against the page cache side channel.
| Original language | English |
|---|---|
| Title of host publication | Network and Distributed System Security (NDSS) Symposium |
| Place of Publication | San Diego, CA, USA |
| Number of pages | 17 |
| Publication status | Accepted/In press - 2026 |
Keywords
- side channel
- side-channel attack
- operating systems
- systems security
ASJC Scopus subject areas
- Computer Science (all)
- Computer Science (miscellaneous)
- Software
Fields of Expertise
- Information, Communication & Computing
Fingerprint
Dive into the research topics of 'Eviction Notice: Reviving and Advancing Page Cache Attacks'. Together they form a unique fingerprint.
- EU - FSSec - Foundations for Sustainable Security
  Gruss, D. (Project manager on research unit)
  1/03/23 → 29/02/28
  Project: Research project
- Special Research Area (SFB) F85 Semantic and Cryptographic Foundations of Security and Privacy by Compositional Design
  Mangard, S. (Project manager on research unit)
  1/01/23 → 31/12/26
  Project: Research project
- FWF - NeRAM - Next-Generation Rowhammer Attacks and Mitigations
  Gruss, D. (Project manager on research unit)
  1/12/22 → 30/11/25
  Project: Research project