Addressing the challenge of constructing Last-Level Cache (LLC) eviction sets under Intel’s slice-based cache architecture—where physical address hashing is opaque—we propose an efficient eviction-set generation method. Our approach integrates side-channel race analysis, hash-function reverse engineering, and low-overhead timing measurements. Key contributions include: (1) the first microarchitectural race-based technique for rapid cache slice identification; (2) a hybrid scheme combining inverse modeling and extrapolation of known hash functions to improve physical-to-slice mapping accuracy; and (3) the first formal model of nonlinear hash behavior, enabling eviction-set propagation across page boundaries. Evaluated on Intel Core i7-9850H and i9-10900K processors, our method constructs full LLC eviction sets in just 0.7 s and 1.6 s, respectively—accelerating the state-of-the-art by 9× and 10×. This substantially enhances the practicality of cache-side-channel attacks and defenses.

An essential step for mounting cache attacks is finding eviction sets, collections of memory locations that contend on cache space. On Intel processors, one of the main challenges for identifying contending addresses is the sliced cache design, where the processor hashes the physical address to determine where in the cache a memory location is stored. While past works have demonstrated that the hash function can be reversed, they also showed that it depends on physical address bits that the adversary does not know. In this work, we make three main contributions to the art of finding eviction sets. We first exploit microarchitectural races to compare memory access times and identify the cache slice to which an address maps. We then use the known hash function to both reduce the error rate in our slice identification method and to reduce the work by extrapolating slice mappings to untested memory addresses. Finally, we show how to propagate information on eviction sets across different page offsets for the hitherto unexplored case of non-linear hash functions. Our contributions allow for entire LLC eviction set generation in 0.7 seconds on the Intel i7-9850H and 1.6 seconds on the i9-10900K, both using non-linear functions. This represents a significant improvement compared to state-of-the-art techniques taking 9x and 10x longer, respectively.