Eviction Notice: Reviving and Advancing Page Cache Attacks
Sudheendra Raghav Neela
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Microarchitectural Security
Page cache side-channel attacks on Linux were considered mitigated since 2019 and impractical since 2023. This talk revives them and makes them **six orders of magnitude faster** than prior work. Researcher **Sudheendra Raghav Neela** from TU Graz systematically identifies four attack primitives -- **reload**, **monitor**, **flush**, and **evict** -- and combines them into five powerful attack techniques that remain fully functional on modern Linux kernels. The most significant discovery is a deterministic, unprivileged method to **flush pages from cache** using the `fadvise` syscall with the `POSIX_FADV_DONTNEED` flag, which transforms page cache attacks from slow, noisy eviction-based approaches into precise, microsecond-resolution operations.
AI review
A masterclass in side-channel research that revives page cache attacks thought dead since 2019, making them six orders of magnitude faster through a devastatingly simple flush primitive (fadvise DONTNEED) that has been in the Linux kernel for 20+ years. Five attack techniques demonstrated with practical exploits including 800ns authentication prompt detection, 96.7% keystroke timing, and cross-container monitoring. All five techniques remain unmitigated. Full reproducible artifact on GitHub.