Modern CPUs use a variety of undocumented microarchitectural hash functions to efficiently distribute data within microarchitectural structures such as caches. A well-known function is the cache slice function that distributes cache lines to the slices of the last-level cache. Knowing these functions improves microarchitectural attacks, such as Prime+Probe or Rowhammer, drastically. However, while several such linear functions have been reverse-engineered, there is no generic or automated approach for reverse-engineering non-linear functions, which have become common with modern CPUs.
In this paper, we introduce a novel generic approach for automatically reverse-engineering a wide range of microarchitectural hash functions. Our approach combines techniques initially used for logic-gate minimization and from computer algebra to infer the hash functions based on input-output pairs observed via side channels. With our framework, we infer 3 previously-unknown non-linear hash functions on both AMD and Intel CPUs, including the new Alder Lake hybrid-CPU architecture. We verify our approach by reproducing known hash functions and evaluating side-channel attacks that rely on these functions, resulting in success rates above 97.65%. We stress the need to design such functions with both performance and security in mind and discuss alternative designs that can be used in future CPUs.
History
Preferred Citation
Lukas Gerlach, Simon Schwarz, Nicolas Faroß and Michael Schwarz. Efficient and Generic Microarchitectural Hash-Function Recovery. In: DISC International Symposium on Distributed Computing (DISC). 2024.
Primary Research Area
Algorithmic Foundations and Cryptography
Name of Conference
DISC International Symposium on Distributed Computing (DISC)
Legacy Posted Date
2023-07-14
Open Access Type
Green
BibTeX
@inproceedings{cispa_all_3983,
title = "Efficient and Generic Microarchitectural Hash-Function Recovery",
author = "Gerlach, Lukas and Schwarz, Simon and Faroß, Nicolas and Schwarz, Michael",
booktitle="{DISC International Symposium on Distributed Computing (DISC)}",
year="2024",
}