(2023) Indirect Meltdown: Building Novel Side-Channel Attacks from Transient Execution Attacks.
![[img]](https://publications.cispa.saarland/style/images/fileicons/text.png) |
Text
masc_esorics23.pdf - Published Version Download (793kB) |
Abstract
The transient-execution attack Meltdown leaks sensitive information by transiently accessing inaccessible data during out-of-order execution. Although Meltdown is fixed in hardware for recent CPU generations, most currently-deployed CPUs have to rely on software mitigations, such as KPTI. Still, Meltdown is considered non-exploitable on current systems. In this paper, we show that adding another layer of indirection to Meltdown transforms a transient-execution attack into a side-channel attack, leaking metadata instead of data. We show that despite software mitigations, attackers can still leak metadata from other security domains by observing the success rate of Meltdown on non-secret data. With LeakIDT, we present the first cache-line granular monitoring of kernel addresses. LeakIDT allows an attacker to obtain cycle-accurate timestamps for attacker-chosen interrupts. We use our attack to get accurate inter-keystroke timings and fingerprint visited websites. While we propose a low-overhead software mitigation to prevent the exploitation of LeakIDT, we emphasize that the side-channel aspect of transient-execution attacks should not be underestimated.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Divisions: | Michael Schwarz (MS) |
| Conference: | ESORICS European Symposium On Research In Computer Security |
| Depositing User: | Michael Schwarz |
| Date Deposited: | 17 Aug 2023 09:57 |
| Last Modified: | 12 Sep 2023 07:38 |
| Primary Research Area: | NRA3: Threat Detection and Defenses |
| URI: | https://publications.cispa.saarland/id/eprint/4011 |
Actions
Actions (login required)
 |
View Item |