CISPA
Browse
cispa_all_3747.pdf (978.16 kB)

Branch Different - Spectre Attacks on Apple Silicon

Download (978.16 kB)
conference contribution
posted on 2023-11-29, 18:22 authored by Lorenz Hetterich, Michael SchwarzMichael Schwarz
Since the disclosure of Spectre, extensive research has been conducted on both new attacks, attack variants, and mitigations. However, most research focuses on x86 CPUs, with only very few insights on ARM CPUs, despite their huge market share. In this paper, we focus on the ARMv8-based Apple CPUs and demonstrate a reliable Spectre attack. For this, we solve several challenges specific to Apple CPUs and their operating system. We systematically evaluate alternative high-resolution timing primitives, as timers used for microarchitectural attacks on other ARM CPUs are unavailable. As cache-maintenance instructions are ineffective, we demonstrate a reliable eviction-set generation from an unprivileged application. Based on these building blocks, we demonstrate a fast Evict+Reload cross-core covert channel, and a Spectre-PHT attack leaking more than 1500 B/s on an iPhone. Without mitigations for all Spectre variants and the rising market share of ARM CPUs, we stress that more research on ARM CPUs is required.

History

Preferred Citation

Lorenz Hetterich and Michael Schwarz. Branch Different - Spectre Attacks on Apple Silicon. In: GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). 2022.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)

Legacy Posted Date

2022-08-12

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3747, title = "Branch Different - Spectre Attacks on Apple Silicon", author = "Hetterich, Lorenz and Schwarz, Michael", booktitle="{GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)}", year="2022", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC