Cryptography is sometimes described as an ongoing contest between cryptographers, who design secret coding techniques, and cryptanalysts who break secret techniques. Cryptography assumes communication, yet communication in the presence of adversaries.
Several varieties of an adversarial attack known as a “cache attack” or “side-channel attack” have arisen that try to exploit the memory or memory cache coupled with a computer's central processing unit (CPU). CPUs have become so fast that they often have to wait on the much slower random access memory (RAM). To reduce this differential, some chipmakers put fast cache memory on CPU chips. The cache memory provides fast access to commonly used data elements.
However, because multiple processes use and even compete for the memory cache during a given period, an adversary can exploit inter-process leakage via the various states of this memory cache. Leakage comes mostly in the form of exposed memory access patterns that can be used to dismantle cryptographic primitives through cryptanalysis. The cryptographic primitives usually use data-dependent tables, and because of this, unprivileged processes can gain access—via the common cache—to aspects of more privileged processes that may be running in parallel on the same processor. Partitioning techniques, such as protection, “sandboxing,” virtualization, etc., do not necessarily protect against such side-channel attacks.
Since such memory caches forms a shared resource used by multiple processes, each process affects the cache and can be affected by it in turn. The actual data itself that is stored in the cache is typically protected by virtual memory mechanisms, but memory access patterns of processes using the cache and other metadata about the contents of the cache are not fully protected from a persistent adversary.
Conventionally, security solutions that create a flood of decoy memory accesses or constantly shuffle memory contents require processing time and overhead, and sometimes additional cost in memory size. Sometimes too, conventional solutions use randomization techniques that depend on the same cryptographic primitives that need to be protected. Still other protections tend to require significant hardware support in the processor or memory.