In recent years, a series of side channels have been discovered on CPUs. These side channels have been used in powerful attacks, e.g., on cryptographic implementations, or as building blocks in transient-execution attacks such as Spectre or Meltdown. However, in many cases, discovering side channels is still a tedious manual process.
In this paper, we present Osiris, a fuzzing-based framework to automatically discover microarchitectural side channels. Based on a machine-readable specification of a CPU's ISA, Osiris generates instruction-sequence triples and automatically tests whether they form a timing-based side channel. Furthermore, Osiris evaluates their usability as a side channel in transient-execution attacks, i.e., as the microarchitectural encoding for attacks like Spectre. In total, we discover four novel timing-based side channels on Intel and AMD CPUs. Based on these side channels, we demonstrate exploitation in three case studies. We show that our microarchitectural KASLR break using non-temporal loads, FlushConflict, even works on the new Intel Ice Lake and Comet Lake microarchitectures. We present a cross-core cross-VM covert channel that does not rely on the memory subsystem and transmits up to 1 kbit/s. We demonstrate this channel on the AWS cloud, showing that it is stealthy and noise resistant. Finally, we demonstrate Stream+Reload, a covert channel for transient-execution attacks that, on average, allows leaking 7.83 bytes within a transient window, improving state-of-the-art attacks that only leak up to 3 bytes.
Preferred Citation
Daniel Weber, Ahmad Ibrahim, Hamed Nemati, Michael Schwarz and Christian Rossow. Osiris: Automated Discovery of Microarchitectural Side Channels. In: Usenix Security Symposium (USENIX-Security). 2021.
Primary Research Area
Threat Detection and Defenses
Name of Conference
Usenix Security Symposium (USENIX-Security)
Legacy Posted Date
2021-06-07
Open Access Type
Green
BibTeX
@inproceedings{cispa_all_3431,
title = "Osiris: Automated Discovery of Microarchitectural Side Channels",
author = "Weber, Daniel and Ibrahim, Ahmad and Nemati, Hamed and Schwarz, Michael and Rossow, Christian",
booktitle="{Usenix Security Symposium (USENIX-Security)}",
year="2021",
}