RevAnC

Abstract

Recent hardware-based attacks that compromise systems with Rowhammer or bypass address-space layout randomization rely on how the processor's memory management unit (MMU) interacts with page tables. These attacks often need to reload page tables repeatedly in order to observe changes in the target system's behavior. To speed up the MMU's page table lookups, modern processors make use of multiple levels of caches such as translation lookaside buffers (TLBs), special-purpose page table caches and even general data caches. A successful attack needs to flush these caches reliably before accessing page tables. To flush these caches from an unprivileged process, the attacker needs to create specialized memory access patterns based on the internal architecture and size of these caches as well as how they interact with each other. While information about TLBs and data caches are often reported in processor manuals released by the vendors, there is typically little or no information about the properties of page table caches on different processors. In this paper, we describe RevAnC, an open-source framework for reverse engineering internal architecture, size and the behavior these page table caches by retrofitting a recently proposed EVICT+TIME attack on the MMU. RevAnC can automatically reverse engineer page table caches on new architectures while providing a convenient interface for flushing these caches on 23 different microarchitectures that we evaluated from Intel, ARM and AMD.