Cache side channel attacks have been used to extract users’ sensitive information such as cryptographic keys. In particular, the reuse-based cache side channel attacks exploit the shared code or data between the attacker and the victim, which can steal the secret with high speed and precision. It has threatened not only the host level but also the cloud level severely. Previous defensive measures are either not flexible enough, or cause a high performance or storage overhead. In this work, we present a dynamic first access isolation cache that eliminates reuse-based cache side channel attacks by providing fine grained first access isolation to overcome these problems. First of all, there are $sid$ bits in each cache line to record the access information and prevent the first time cache hit state brought by the victim from being utilized by the attacker while keeping data shared. Second, we use hierarchy security levels and domains to achieve flexible one way isolation between different domains, and the domains can be a group of processes, a single process, or even a fraction of code. Finally, the monitoring-driven dynamic scheduling mechanism can change the level of a domain at run time, which improves the robustness of this new design. The solution works at all the cache levels and defends against attackers running both on local and cloud. Our implementation in the Zsim simulator demonstrates that the performance overhead for standard performance evaluation corporation 2017 is less than 0.1%, and 0.21% for the multi-thread benchmarks. It performs better than the original first time miss design because of the one way isolation in our design. The only hardware modification is the $sid$ bits per cache line, and several security registers per hardware context, which only brings 3.71% storage overhead.

缓存侧信道攻击已被用于提取用户的敏感信息，例如加密密钥。特别地，基于重用的缓存侧通道攻击利用攻击者和受害者之间的共享代码或数据，可以高速、准确地窃取秘密。它不仅威胁到主机层面，也严重威胁到云层面。以前的防御措施要么不够灵活，要么导致高性能或存储开销。在这项工作中，我们提出了一个动态的首次访问隔离缓存，通过提供细粒度的首次访问隔离来克服这些问题，从而消除了基于重用的缓存侧通道攻击。首先，有$秒\mathrm{一世}d$每个缓存行中的位记录访问信息，并防止受害者带来的第一次缓存命中状态被攻击者利用，同时保持数据共享。其次，我们使用层级安全级别和域来实现不同域之间灵活的单向隔离，域可以是一组进程，单个进程，甚至是一小部分代码。最后，监控驱动的动态调度机制可以在运行时更改域的级别，从而提高了这种新设计的鲁棒性。该解决方案适用于所有缓存级别，可抵御在本地和云端运行的攻击者。我们在 Zsim 模拟器中的实施表明，标准性能评估公司 2017 的性能开销小于 0.1%，多线程基准测试的性能开销为 0.21%。由于我们设计中的单向隔离，它比最初的第一次未命中设计表现更好。唯一的硬件修改是$秒\mathrm{一世}d$每个缓存行的位数，每个硬件上下文的几个安全寄存器，这只会带来 3.71% 的存储开销。