(M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels

Zhang, Ruiyi and Kim, Taehyun and Weber, Daniel and Schwarz, Michael
(2023) (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels.
In: USENIX Security.
Conference: USENIX Security Symposium

Full text: mwait_sec23.pdf (Published Version, 346kB)


In recent years, there has been a rapid increase in microarchitectural attacks exploiting side effects of various parts of the CPU. Most of them have in common that they rely on timing differences, requiring a high-resolution timer to make microarchitectural states visible to an attacker. In this paper, we present a new primitive that converts microarchitectural states into architectural states without relying on time measurements. We exploit the unprivileged idle-loop optimization instructions umonitor and umwait introduced with the new Intel microarchitectures (Tremont and Alder Lake). Although not documented, these instructions provide architectural feedback about the transient usage of a specified memory region. In three case studies, we show the versatility of our primitive. First, with Spectral, we present a way of enabling transient-execution attacks to leak bits architecturally at up to 200 kbit/s without requiring any timer. Second, we show traditional side-channel attacks that do not rely on a timer. Finally, we demonstrate that when augmented with a coarse-grained timer, we can also mount interrupt-timing attacks, allowing us to, e.g., detect which website a user opens. Our case studies highlight that the boundary between architecture and microarchitecture is becoming increasingly blurry, leading to new attack variants and complicating effective countermeasures.

