Share
## https://sploitus.com/exploit?id=A5CF9841-53D8-59C3-AFE1-956A7226F07E
# KV Cache Side-Channel: Cross-Tenant Timing Oracle

Proof of concept demonstrating that a shared content-hashed KV cache,
as described in disaggregated LLM inference architectures (Mooncake,
Perplexity KV Messenger, DeepSeek 3FS), leaks across tenants via latency
observation.

Companion to: [The Pivot Maze](https://karthikarunapuram8-dot.github.io/the-pivot-maze/) and [The Agent Attack Periodic Table](https://karthikarunapuram8-dot.github.io/agent-attack-periodic-table/) (atom KVL).

## What this is

A single-file Python simulator. No GPUs. No dependencies outside the
standard library. Tested on Windows and macOS.

The attack mechanism reproduces on any real deployment that uses
cross-tenant content-hashed caching without per-tenant partitioning.

## What this is not

A reproduction on production inference infrastructure. That requires
vLLM + Mooncake (or DistServe), real GPUs, and an RDMA fabric.

## Run

```
python poc.py
```

Runs three scenarios back to back: default (vulnerable), per-tenant
partitioned (mitigated), HMAC-keyed hash (mitigated).

Useful flags:

- `--mode vulnerable | partitioned | keyed | compare`
- `--probes N` (default 3)

## Sample output

Default scenario, single probe per candidate:

```
#   candidate                                                  lat_ms  verdict  note
1   You are a customer support agent. Answer politely.         1501.7  miss
2   You are a coding assistant. Write Python.                  1501.4  miss
3   You are an internal assistant for Globex Corp finance...   1502.0  miss
4   You are an internal assistant for Northwind Industries...     0.5  CACHED  >> ATTACK SUCCESS: target prompt reconstructed via timing oracle.
```

The cached candidate returns three orders of magnitude faster than every
distractor. The classifier is a single threshold check. The attacker
reconstructs the target with high confidence in a single probe per
candidate.

## What the attack proves

Content-hashed KV cache shared across tenants is not an optimization.
It is a side channel. If you can submit a request and measure latency,
you can confirm whether any other tenant has used a candidate prompt.

For sensitive system prompts (internal HR policy, regulated workflow
templates, IP-bearing few-shot examples, customer data baked into a
prompt), this is a trust-boundary failure that no transport-layer
mitigation closes.

## The two mitigations the simulator demonstrates

1. **Per-tenant partitioning.** Include tenant ID in the cache key.
   Eliminates cross-tenant reuse and the side channel with it.
2. **HMAC-keyed content hashes.** Hash with a per-tenant secret. Cache
   keys become unpredictable from public inputs. Cross-tenant reuse is
   still impossible because the keys never collide.

Run `python poc.py --mode partitioned` and `--mode keyed` to verify
both kill the attack.

## What changes on a real Mooncake or Perplexity KV Messenger deployment

- Hit/miss gap is even larger. Real prefill on long prompts is seconds.
- Attacker has more candidates and can parallelise.
- Cross-node hot-block replication increases probe points.
- Tiered store latency is a multi-class signal. HBM, DRAM, SSD, and miss
  are all separable. Attacker can infer not just whether content is
  cached but how recently it was touched.

What stays the same: content-hashed caching across tenants is a trust
boundary, and the two mitigations above kill the attack.

## License

MIT.