(2022) AMD Prefetch Attacks through Power and Time.
|
Text
amd_prefetch_sec22.pdf Download (354kB) | Preview |
Abstract
Modern operating systems fundamentally rely on the strict isolation of user applications from the kernel. This isolation is enforced by the hardware. On Intel CPUs, this isolation has been shown to be imperfect, for instance, with the prefetch side-channel. With Meltdown, it was even completely circumvented. Both the prefetch side channel and Meltdown have been mitigated with the same software patch on Intel. As AMD is believed to be not vulnerable to these attacks, this software patch is not active by default on AMD CPUs. In this paper, we show that the isolation on AMD CPUs suffers from the same type of side-channel leakage. We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information. We demonstrate the significance of this side channel with multiple case studies in real-world scenarios. We demonstrate the first microarchitectural break of (fine-grained) KASLR on AMD CPUs. We monitor kernel activity, e.g., if audio is played over Bluetooth, and establish a covert channel. Finally, we even leak kernel memory with 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be activated on AMD CPUs by default to mitigate our presented attacks successfully.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Divisions: | Michael Schwarz (MS) |
Conference: | USENIX-Security Usenix Security Symposium |
Depositing User: | Michael Schwarz |
Date Deposited: | 12 Oct 2021 19:50 |
Last Modified: | 12 Oct 2021 19:50 |
Primary Research Area: | NRA3: Threat Detection and Defenses |
URI: | https://publications.cispa.saarland/id/eprint/3507 |
Actions
Actions (login required)
View Item |