Osiris: Automated Discovery of Microarchitectural Side Channels

Weber, Daniel and Ibrahim, Ahmad and Nemati, Hamed and Schwarz, Michael and Rossow, Christian
(2021) Osiris: Automated Discovery of Microarchitectural Side Channels.
In: 30th USENIX Security Symposium (USENIX Security '21), 11-13 August, 2021.
Conference: USENIX-Security Usenix Security Symposium
(In Press)

[img]
Preview
 Text
main.pdf - Accepted Version
Download (600kB) | Preview
[img]
Preview
 Text
osiris.pdf - Published Version
Download (796kB) | Preview

Abstract

In the last years, a series of side channels have been discovered on CPUs. These side channels have been used in powerful attacks, e.g., on cryptographic implementations, or as building blocks in transient-execution attacks such as Spectre or Meltdown. However, in many cases, discovering side channels is still a tedious manual process. In this paper, we present Osiris, a fuzzing-based framework to automatically discover microarchitectural side channels. Based on a machine-readable specification of a CPU's ISA, Osiris generates instruction-sequence triples and automatically tests whether they form a timing-based side channel. Furthermore, Osiris evaluates their usability as a side channel in transient-execution attacks, i.e., as the microarchitectural encoding for attacks like Spectre. In total, we discover four novel timing-based side channels on Intel and AMD CPUs. Based on these side channels, we demonstrate exploitation in three case studies. We show that our microarchitectural KASLR break using non-temporal loads, FlushConflict, even works on the new Intel Ice Lake and Comet Lake microarchitectures. We present a cross-core cross-VM covert channel that is not relying on the memory subsystem and transmits up to 1 kbit/s. We demonstrate this channel on the AWS cloud, showing that it is stealthy and noise resistant. Finally, we demonstrate Stream+Reload, a covert channel for transient-execution attacks that, on average, allows leaking 7.83 bytes within a transient window, improving state-of-the-art attacks that only leak up to 3 bytes.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Christian Rossow (System Security Group, SysSec)
Michael Schwarz (MS)
Conference: USENIX-Security Usenix Security Symposium
Depositing User: Daniel Weber
Date Deposited: 07 Jun 2021 11:56
Last Modified: 17 Aug 2021 07:50
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/3431

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.