(2023) (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels.
Full text: mwait_sec23.pdf (Published Version, 346kB)
Abstract
In recent years, there has been a rapid increase in microarchitectural attacks that exploit side effects of various parts of the CPU. Most of them have in common that they rely on timing differences, so they require a high-resolution timer to make microarchitectural states visible to an attacker. In this paper, we present a new primitive that converts microarchitectural states into architectural states without relying on time measurements. We exploit the unprivileged idle-loop optimization instructions umonitor and umwait introduced with the new Intel microarchitectures (Tremont and Alder Lake). Although not documented, these instructions provide architectural feedback about the transient usage of a specified memory region. In three case studies, we show the versatility of our primitive. First, with Spectral, we present a way of enabling transient-execution attacks to leak bits architecturally at up to 200 kbit/s without requiring any timer. Second, we show traditional side-channel attacks that do not rely on a timer. Finally, we demonstrate that, when augmented with a coarse-grained timer, we can also mount interrupt-timing attacks, allowing us, e.g., to detect which website a user opens. Our case studies highlight that the boundary between architecture and microarchitecture is becoming increasingly blurry, leading to new attack variants and complicating effective countermeasures.
| Field | Value |
|---|---|
| Item Type | Conference or Workshop Item (Paper) |
| Divisions | Michael Schwarz (MS) |
| Conference | USENIX Security Symposium (USENIX-Security) |
| Depositing User | Michael Schwarz |
| Date Deposited | 05 Sep 2022 12:56 |
| Last Modified | 03 Jan 2023 12:09 |
| Primary Research Area | NRA3: Threat Detection and Defenses |
| URI | https://publications.cispa.saarland/id/eprint/3769 |