Probing Cache: Techniques, Attacks, and Defenses

• Probing cache is a method that analyzes cache subsystems by examining internal states and dynamic behavior for both performance tuning and security assessment.
• It employs techniques such as hash-based linear probing and side-channel attack strategies (e.g., Prime+Probe and Prime+Retouch) to expose hidden cache parameters.
• Research in this area informs performance optimization, drives system characterization, and assists in designing countermeasures against cache-induced information leakage.

Probing cache encompasses a broad set of methodologies and attack/analysis strategies that exploit, measure, or characterize the internal state and dynamic behavior of cache subsystems in computing environments. Across system software, hardware, and network layers, cache probing serves as both a diagnostic and adversarial technique—uncovering system parameters, optimizing content delivery, or exposing sensitive information via side-channels.

1. Hash-Based Linear Probing and Its Cache Efficiency

Linear probing is a collision resolution algorithm for hash tables in which, upon encountering an occupied slot, one searches sequentially for the next empty slot. This method leverages spatial locality: since keys are stored in contiguous memory locations, sequential probes often fall within the same cache lines, maximizing data reuse and minimizing cache misses.

Let α denote the table's load factor (occupied fraction), the expected probe count for successful search is approximated as: $$E[\text{probes}] \approx \frac{1}{2}(1 + \frac{1}{1 - \alpha})$$ This property makes linear probing particularly cache-friendly, provided the probe sequences remain short [0612055].

Earlier analyses presupposed access to a truly random hash function, which is infeasible in practice. The key theoretical advancement is that k-wise independence in hashing suffices for linear probing to maintain constant-time expected operations. Specifically, with only pairwise independence, the expected cost may rise to logarithmic time—$\mathcal{O}(\log n)$—due to clustering. However, 5-wise independence guarantees constant expected probe counts, regardless of table size.

This insight bridges theory and practice, enabling cache-efficient hash tables that are simultaneously time and space efficient, provided that a hash function with sufficient independence is used. Domains benefiting from this include in-memory databases, key–value stores, cache-conscious indexing structures, and embedded systems.

2. Security Analysis and Information Probing in Cache Replacement Policies

Cache probing is heavily studied in the context of side-channel attacks and information leakage. Caches, modeled as deterministic Mealy machines, can absorb program-dependent “secret” information through execution traces (information absorption) and subsequently leak information through adaptive probing strategies (information extraction) (Cañones et al., 2017).

• Information Absorption quantifies the number of distinct cache states a victim program can reach, parameterized by its memory “footprint.”
• Information Extraction models an adversary who interacts with the cache, issuing a probe sequence and inferring knowledge by observing hit/miss patterns.

For replacement policies like LRU, FIFO, and PLRU:

• LRU yields maximal absorption and moderate to strong isolation depending on associativity.
• FIFO’s lack of hit-induced reordering can make state reasoning easier for attackers.
• PLRU, with its binary tree structure, admits a larger set of accessible states and potentially more leakage due to its nonconsecutive placement.

An associated algorithm analyzes these Mealy machines, determining optimal probing strategies to partition reachable cache states and thus tightly upper-bound the potential leakage. This methodology improves static analysis tools (e.g., CacheAudit) by allowing precise quantification of worst-case side-channel exposure for cryptographic code.

3. Cache Probing as an Attack Technique: Advanced Profiling and Side-Channels

Direct cache probing underpins several classes of microarchitectural attacks. Notable examples include:

• Prime+Probe, Flush+Reload, and RELOAD+REFRESH Attacks: Standard Prime+Probe involves priming cache sets and timing accesses to observe evictions, revealing victim access patterns. RELOAD+REFRESH refines this by manipulating the cache replacement policy to identify victim accesses without causing observable evictions or cache misses on the victim side, reducing detectability (Briongos et al., 2019). The attacker exploits deterministic aspects of Intel’s “Quad-Age LRU” policies, monitoring ages and refreshing order.
• Prime+Retouch: This technique exploits metadata in the cache replacement policy (Tree-PLRU) to infer victim behavior without evictions, even defeating prefetching and locking defenses (Lee et al., 23 Feb 2024). By carefully retouching the eviction candidate, the attacker learns indirectly whether the victim accessed a sensitive cache line, as shown effective on both Intel and Apple M1 platforms.
• Page Cache Attacks: Hardware-agnostic probing of the OS page cache enables attackers to ascertain residency of shared disk-backed pages, with spatial resolution of one page (4 KB) and sub-millisecond timing, potentially across CPU/machine boundaries (Gruss et al., 2019). Operating system syscalls (mincore, QueryWorkingSetEx) are key probing APIs, and the method enables both local and remote covert channels.

Advances in automated profiling (e.g., for randomized indexed caches like ScatterCache) have dramatically reduced the number of victim accesses needed to construct eviction sets, revitalizing the threat even for probabilistic and cryptographically keyed cache architectures (Purnal et al., 2019).

4. Probing for System Characterization and Performance Optimization

Cache probing extends beyond security: it is central to the reverse engineering and characterization of hidden memory hierarchies (Cooper et al., 2018). Portable tools generate synthetic pointer-chasing microbenchmarks to derive actual hardware parameters—levels, associative structures, effective capacities, line sizes, and latency—by analyzing timing “step” functions. This is critical for optimization in diverse, opaque computing environments (e.g., cloud, heterogeneous clusters).

The sequence:

• Generate reference memory access patterns of controlled footprint and stride.
• Measure execution time at each size and stride.
• Infer cache boundaries at transition points (plateaus to jumps).
• Use “knockout-and-revival” techniques to accelerate scans.

Fast, accurate extraction of cache properties (within seconds and sub-percent error) enables fine-tuning of runtime systems, compilers, and high-performance codes particularly where “ground truth” hardware documentation is unavailable.

5. Probing Frameworks, Detection, and Countermeasures

Specialized frameworks facilitate systematic cache probing for both attack and defense purposes:

• CacheFX: A simulation-based platform for evaluating cache design security, implementing multiple attacker and victim models, replacement/mapping policies, and quantifying leakage via entropy measures, eviction-set construction complexity, and resistance to cryptographic attacks (Genkin et al., 2022). The framework provides insight into multi-factor trade-offs in secure cache architecture, revealing that even state-of-the-art non-partitioned caches leak via occupancy attacks.
• CacheShield: Probes for side-channel attacks by continuously monitoring last-level cache misses (PAPI_L3_TCM), using change-point detection (CUSUM-based) on the target process only. This approach achieves rapid detection (few milliseconds), low overhead (<5% CPU), and low false-positive rates (Briongos et al., 2017).
• CachePerf: A hybrid hardware sampling tool that employs PMU-based coarse-grained selection and breakpoint-driven fine-grained instrumentation to classify cache misses with high fidelity and low overhead (14% execution, 19% memory for large apps), facilitating detection of myriad classically hard-to-trace bugs (Zhou et al., 2022).

Mitigation strategies (e.g., time-based evictions with dynamic scheduling as in ClepsydraCache (Thoma et al., 2021), or using small victim caches for decoupling eviction observations as in Chameleon Cache (Unterluggauer et al., 2022)) are proposed to disrupt attackers’ ability to reliably probe and infer victim state without imposing significant performance penalties.

6. Broader Implications and Future Directions

Cache probing sits at the nexus of performance optimization, reverse engineering, and security. Enhanced understanding of replacement policy metadata leakage, effectiveness of cache occupancy as a timing channel indicator (Yao et al., 2019), and design of resilient, randomized caches with controlled leakage represent current research frontiers.

Emerging directions include:

• Generalizing cache probing to nontraditional environments (web cache discovery via timing multiplexed requests (Golinelli et al., 23 Jul 2024), cache-aided wireless and hybrid satellite-terrestrial networks exploiting opportunistic probing for throughput optimization (Zhang et al., 2 Sep 2024, Zhang et al., 6 Oct 2025)).
• Hardware mechanisms for live cache state snapshotting in embedded systems (e.g., via introspection interfaces and dedicated kernel modules (Tarapore et al., 2020)).
• Systematic mitigation of replacement-policy metadata channels, especially for enclaved/locked data (highlighted by the resilience of attacks such as Prime+Retouch).

A clear implication is that cache probing will remain a deeply interdisciplinary research concern, requiring ongoing innovations in both defensive system design and adversarial analysis. Contemporary and future architectures must reason holistically about the information-theoretic, performance-oriented, and threat-minimizing consequences of exposing even indirect cache state to software-level probing.