The Avatar Cache: Enabling On-Demand Security with Morphable Cache Architecture

The sharing of the last-level cache (LLC) among multiple cores makes it vulnerable to cross-core conflict- and occupancy-based attacks. Despite extensive prior work, modern processors still employ non-secure set-associative LLCs. Existing secure LLC designs broadly fall into two categories: (i) randomized and (ii) partitioned. The state-of-the-art randomized design, Mirage, mitigates conflict-based attacks but incurs significant area overhead (20% additional storage) and design complexity. Partitioned LLCs mitigate both conflict- and occupancy-based attacks, but often suffer from large performance overheads (on average over 5% and up to 49%), require OS support in set-based schemes, or face scalability issues in way-based schemes. These factors pose major obstacles to the industrial adoption of secure LLCs. This paper asks whether strong LLC security can be achieved with minimal changes to a conventional set-associative LLC, enabling security only when needed while preserving low performance, power, and area overheads. We propose Avatar, a secure and morphable LLC that supports three modes: non-secure (Avatar-N), randomized secure (Avatar-R), and partitioned secure (Avatar-P), and can switch dynamically between them. Avatar closely resembles a conventional set-associative LLC, facilitating industrial adoption. Avatar-R introduces extra invalid entries and leverages high associativity to provide a strong security guarantee with little capacity loss, achieving only one set-associative eviction per $10^{30}$ years, while incurring 1.5% storage overhead, a 2.7% increase in static power, and a 0.2% slowdown over a 16~MB baseline. Avatar-P mitigates both conflict- and occupancy-based attacks with only a 3% performance overhead, substantially outperforming prior way-based partitioned LLCs. When security is unnecessary, Avatar switches to Avatar-N to maximize performance and energy efficiency.

💡 Research Summary

The paper addresses the long‑standing vulnerability of shared last‑level caches (LLCs) in multicore processors to both conflict‑based and occupancy‑based side‑channel attacks. Existing defenses fall into two categories: randomized caches (e.g., Mirage, Maya) that hide set conflicts but incur substantial area overhead (≈20 % extra storage), added design complexity, and do not protect against occupancy attacks; and partitioned caches (e.g., way‑guard, BCE, SassCache) that isolate cores but suffer from high performance penalties (average >5 %, up to 49 %), require OS support, and scale poorly with associativity. The authors ask whether strong LLC security can be achieved with only minimal modifications to a conventional set‑associative cache, enabling security only when needed while preserving low overheads.

To answer this, they propose Avatar, a morphable LLC substrate that can operate in three mutually exclusive modes:

1. Avatar‑N (Non‑secure mode) – behaves exactly like a traditional set‑associative LLC, delivering maximum performance and energy efficiency when security is unnecessary.

2. Avatar‑R (Randomized secure mode) – transforms the cache into a skewed‑associative design with two “skews”. Each skew uses a block‑cipher‑based randomization function to map addresses to sets, and a fraction of the ways are permanently marked as invalid entries. Because the cache is highly associative (e.g., 128 ways per skew, totalling 256 ways), the capacity loss due to these invalid entries is negligible (≈1.5 % storage overhead). This design eliminates set‑conflict evictions; the authors calculate an expected set‑associative eviction only once every 10³⁰ years, far stronger than Mirage’s 10¹⁷‑year guarantee. Performance impact is a mere 0.2 % slowdown, static power rises by 2.7 %, and no pointer‑based tag‑data indirection is required, dramatically simplifying implementation.

3. Avatar‑P (Partitioned secure mode) – disables the skews and uses the full associativity as a way‑based partitioned cache. With 256 ways (derived from a 16‑way baseline expanded to 256 ways via high associativity), the cache can support up to 256 isolated security domains without OS‑level page‑coloring. This provides protection against both conflict‑based and occupancy‑based attacks with only a 3 % average performance overhead, far better than prior way‑based schemes that often exceed 5 % and can reach 49 %.

Dynamic mode switching is controlled via Model‑Specific Register (MSR) bits, a mechanism already present in many processors for configuring microarchitectural features. A mode change triggers a full cache flush, preventing any residual state from leaking across modes and eliminating new attack vectors such as flush‑latency DoS attacks. The switch incurs negligible runtime cost because it reuses the existing cache controller logic with only a small additional state machine.

The authors evaluate Avatar on an 8‑core, 16 MB, 16‑way baseline LLC using cycle‑accurate simulations. Results show:

• Storage overhead – 1.5 % for Avatar‑R, essentially zero for Avatar‑P (the extra ways are already present in the high‑associativity design).
• Power – static power increase of 2.7 % (R) and ≈3 % (P); dynamic power scales linearly with the number of active ways.
• Performance – 0.2 % slowdown for Avatar‑R, 3 % slowdown for Avatar‑P, compared with the baseline non‑secure cache. These numbers are dramatically lower than Mirage (≈17 % power, 20 % area) and prior partitioned designs (average >5 % slowdown, up to 49 %).
• Security – Avatar‑R offers a stronger guarantee against set‑conflict attacks than Mirage (10³⁰‑year vs. 10¹⁷‑year). Avatar‑P eliminates occupancy‑based leakage by fully isolating ways per security domain.

The paper also discusses implementation complexity. Because Avatar retains the conventional tag‑array and data‑array layout, it avoids the pointer‑based indirection that Mirage and Maya require. Only a modest addition of “invalid‑entry management” logic and the MSR‑controlled mode selector are needed, making the design amenable to integration into existing processor pipelines with minimal RTL changes.

In conclusion, Avatar demonstrates that a practical, low‑overhead, and highly configurable LLC can provide on‑demand security. By leveraging high associativity, it achieves strong randomization without the storage penalty of Mirage and enables scalable way‑based partitioning without OS‑heavy page‑coloring. The three‑mode morphable architecture allows systems to switch between high‑performance non‑secure operation and two distinct secure configurations, matching the security requirements of diverse workloads while keeping area, power, and performance impacts well within acceptable limits for commercial deployment.