## https://sploitus.com/exploit?id=A5CF9841-53D8-59C3-AFE1-956A7226F07E
# KV Cache Side-Channel: Cross-Tenant Timing Oracle
Proof of concept demonstrating that a shared content-hashed KV cache,
as described in disaggregated LLM inference architectures (Mooncake,
Perplexity KV Messenger, DeepSeek 3FS), leaks across tenants via latency
observation.
Companion to: [The Pivot Maze](https://karthikarunapuram8-dot.github.io/the-pivot-maze/) and [The Agent Attack Periodic Table](https://karthikarunapuram8-dot.github.io/agent-attack-periodic-table/) (atom KVL).
## What this is
A single-file Python simulator. No GPUs. No dependencies outside the
standard library. Tested on Windows and macOS.
The attack mechanism reproduces on any real deployment that uses
cross-tenant content-hashed caching without per-tenant partitioning.
## What this is not
A reproduction on production inference infrastructure. That requires
vLLM + Mooncake (or DistServe), real GPUs, and an RDMA fabric.
## Run
```
python poc.py
```
Runs three scenarios back to back: default (vulnerable), per-tenant
partitioned (mitigated), HMAC-keyed hash (mitigated).
Useful flags:
- `--mode vulnerable | partitioned | keyed | compare`
- `--probes N` (default 3)
## Sample output
Default scenario, single probe per candidate:
```
# candidate lat_ms verdict note
1 You are a customer support agent. Answer politely. 1501.7 miss
2 You are a coding assistant. Write Python. 1501.4 miss
3 You are an internal assistant for Globex Corp finance... 1502.0 miss
4 You are an internal assistant for Northwind Industries... 0.5 CACHED >> ATTACK SUCCESS: target prompt reconstructed via timing oracle.
```
The cached candidate returns three orders of magnitude faster than every
distractor. The classifier is a single threshold check. The attacker
reconstructs the target with high confidence in a single probe per
candidate.
## What the attack proves
Content-hashed KV cache shared across tenants is not an optimization.
It is a side channel. If you can submit a request and measure latency,
you can confirm whether any other tenant has used a candidate prompt.
For sensitive system prompts (internal HR policy, regulated workflow
templates, IP-bearing few-shot examples, customer data baked into a
prompt), this is a trust-boundary failure that no transport-layer
mitigation closes.
## The two mitigations the simulator demonstrates
1. **Per-tenant partitioning.** Include tenant ID in the cache key.
Eliminates cross-tenant reuse and the side channel with it.
2. **HMAC-keyed content hashes.** Hash with a per-tenant secret. Cache
keys become unpredictable from public inputs. Cross-tenant reuse is
still impossible because the keys never collide.
Run `python poc.py --mode partitioned` and `--mode keyed` to verify
both kill the attack.
## What changes on a real Mooncake or Perplexity KV Messenger deployment
- Hit/miss gap is even larger. Real prefill on long prompts is seconds.
- Attacker has more candidates and can parallelise.
- Cross-node hot-block replication increases probe points.
- Tiered store latency is a multi-class signal. HBM, DRAM, SSD, and miss
are all separable. Attacker can infer not just whether content is
cached but how recently it was touched.
What stays the same: content-hashed caching across tenants is a trust
boundary, and the two mitigations above kill the attack.
## License
MIT.