Using Memory to Cheat
We tend to think of memory as a passive bucket. You put data in, you take data out.
But memory is State. And state leaves footprints.
The most dangerous footprint is Time.
Time Is Information
As we saw in Chapter 10, a Cache Hit takes 1-4 cycles. A Cache Miss takes 100+ cycles.
If I can measure how long it takes you to access a piece of data, I can tell if you have accessed it recently.
I don't need to read your memory. I just need to hold a stopwatch.
1. The Victim: Click "Run Speculative Code". The CPU secretly accesses an index (based on a value you can't see).
2. The Attack: Determining the secret. Click "0", then "1", then "2"...
3. The Leak: Most will be SLOW (Miss). One will be FAST (Hit). The fast one is the secret. You stole it.
Speculation Leaves Footprints
This is the mechanism behind vulnerabilities like Spectre.
Even when the CPU "undoes" a speculative branch (because the guess was wrong), it does not undo the changes to the Cache.
The data brought into the cache remains there. It is a ghost of a future that never happened. But the ghost is real, and we can measure it.
Is this a bug in Intel/AMD chips?
No. It is a fundamental consequence of Optimization. If you want a fast CPU, you want caches. If you want caches, you want things accessed recently to be faster. That speed difference is Information. You cannot have one without the other.
Can we just "Clear the Cache" on every context switch?
We could, and some security patches do exactly that (flushing buffers). But the performance cost is catastrophic (sometimes 30% slower). We are trading Speed for Security.
How does the Browser stop this?
Browsers like Chrome intentionally reduced the precision of performance.now(). If your stopwatch is too blurry, you cannot distinguish between a Cache Hit (3 cycles) and a Cache Miss (100 cycles). They blinded the attacker.
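The blurring effect described above, as an added example that is not code from the original page: a model of a stopwatch built on a clock that only advances in fixed steps, with every quantity in CPU cycles. The 3 and 100 cycle latencies are the page's figures; the 3 GHz clock rate and the 100 µs resolution are assumptions chosen for illustration, not values taken from any browser.

```javascript
// Added example: model of a coarsened clock. All times are in CPU cycles.
const HIT_CYCLES = 3;    // cache hit latency quoted in the text
const MISS_CYCLES = 100; // cache miss latency quoted in the text

// A clock that only advances in steps of `resolution` cycles.
function coarseNow(trueTime, resolution) {
  return Math.floor(trueTime / resolution) * resolution;
}

// What a stopwatch built on that clock reports for one memory access
// that starts at `start` and really takes `latency` cycles.
function measure(start, latency, resolution) {
  return coarseNow(start + latency, resolution) - coarseNow(start, resolution);
}

// Sweep every possible start offset inside one clock tick and count the
// offsets at which a hit and a miss produce different readings.
function separablePhases(resolution) {
  let differ = 0;
  for (let phase = 0; phase < resolution; phase++) {
    const hit = measure(phase, HIT_CYCLES, resolution);
    const miss = measure(phase, MISS_CYCLES, resolution);
    if (hit !== miss) differ++;
  }
  return { differ, total: resolution, fraction: differ / resolution };
}

// Assumed resolutions: 1 cycle (a precise timer) and 300000 cycles
// (100 microseconds on an assumed 3 GHz core).
const PRECISE_RESOLUTION = 1;
const BLURRED_RESOLUTION = 300000;

function report() {
  const precise = separablePhases(PRECISE_RESOLUTION);
  const blurred = separablePhases(BLURRED_RESOLUTION);
  return { precise, blurred };
}

const result = report();
console.log("precise timer: hit/miss readings differ at",
  result.precise.differ, "of", result.precise.total, "start offsets");
console.log("blurred timer: hit/miss readings differ at",
  result.blurred.differ, "of", result.blurred.total, "start offsets");
```

With the blurred clock, a hit and a miss both read as zero unless the access happens to straddle a tick boundary, so a single measurement carries almost no information about the cache state.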
Security is not broken. Abstractions are.
This is not a bug in the chip. It is the cost of performance.
If we want shared caches, speculative execution, and high speed, we must accept that state leaks.
But if memory can be used to cheat correctness, it can also be used to cheat speed.
It is time to talk about Arithmetic Intensity.