Reverse-Engineering the Address Translation Caches
2025 Conference / Journal
Authors
Yuval Yarom, Robert Dumitru, Philipp Ertmer
Research Hub
Research Hub B: Embedded Security
Research Challenges
RC 7: Building Secure Systems
Abstract
The address translation process and the memory management unit (MMU) responsible for it in modern CPUs have been the subject of multiple recent microarchitectural side-channel attacks. A precondition to many of these attacks is familiarity with the intimate details of the microarchitectural implementation of the process. However, because vendors do not typically publish extensive information on this, attackers must resort to reverse engineering techniques. Indeed, past works have investigated such techniques, providing insights into and novel understanding of the implementation of components used in the address translation process.
In this work, we improve this understanding. We extend the cache desynchronization technique of Tatar et al., and apply it to the page translation caches, which store partial address translation information. We develop automated tooling for investigating five generations of Intel processors, ranging from Haswell to Alder Lake. Our investigations correct mistakes in prior publications, identify a cache level that was missed so far, and discover two hitherto unknown replacement policies. This new understanding of address translation can increase attack precision and facilitate better address-translation-based attacks.