So there's a recent PHP package that has been written to protect against cache timing attacks, which can be seen here .
My question is... just how exploitable are cache timing attacks?
My overall impression is that they're extremely difficult to exploit and attempting to protect against them is rather like using a 1MB two-prime RSA key instead of a 2KB two-prime RSA key to protect against factorization - that it is unnecessary and impractical
An important article from last month on ZDNet shows that cache timing attacks can be very exploitable.
Researchers at Vrije University in Amsterdam announced a new side-channel attack on Intel CPUs called NetCAT. From the article on ZDNet:
Named NetCAT, this is a vulnerability in all Intel chips that support the Data-Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA) features.
When these two features are enabled, academics have shown that they can launch an attack on remote, networked computers, and infer certain types of data that is being processed inside the CPU's cache.
To emphasize: the attacker does not need physical access to the device.
VUSec academics have shown that sending carefully crafted network packets to a DDIO-capable CPU allows an attacker to keep an eye on what else is being processed in the CPU.
In short, NetCAT allows keylogging, and the attacker can even predict the words that will be typed from an SSH session.
