CISPA
Browse

Indirect Meltdown: Building Novel Side-Channel Attacks from Transient Execution Attacks

Download (775.35 kB)
The transient-execution attack Meltdown leaks sensitive information by transiently accessing inaccessible data during out-of-order execution. Although Meltdown is fixed in hardware for recent CPU generations, most currently-deployed CPUs have to rely on software mitigations, such as KPTI. Still, Meltdown is considered non-exploitable on current systems. In this paper, we show that adding another layer of indirection to Meltdown transforms a transient-execution attack into a side-channel attack, leaking metadata instead of data. We show that despite software mitigations, attackers can still leak metadata from other security domains by observing the success rate of Meltdown on non-secret data. With LeakIDT, we present the first cache-line granular monitoring of kernel addresses. LeakIDT allows an attacker to obtain cycle-accurate timestamps for attacker-chosen interrupts. We use our attack to get accurate inter-keystroke timings and fingerprint visited websites. While we propose a low-overhead software mitigation to prevent the exploitation of LeakIDT, we emphasize that the side-channel aspect of transient-execution attacks should not be underestimated.

History

Preferred Citation

Daniel Weber, Fabian Thomas, Lukas Gerlach, Ruiyi Zhang, Michael Schwarz. Indirect Meltdown: Building Novel Side-Channel Attacks from Transient Execution Attacks. In: ESORICS. 2023.

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

European Symposium on Research in Computer Security (ESORICS)

Legacy Posted Date

2023-08-17

Open Access Type

  • Repository

BibTeX

@inproceedings{cispa_all_4011, author = {Daniel Weber AND Fabian Thomas AND Lukas Gerlach AND Ruiyi Zhang AND Michael Schwarz}, title = {Indirect Meltdown: Building Novel Side-Channel Attacks from Transient Execution Attacks}, booktitle = {ESORICS}, year = {2023} }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC