cispa_all_3431.pdf (586.8 kB)

Osiris: Automated Discovery of Microarchitectural Side Channels

Download (586.8 kB)
conference contribution
posted on 2023-11-29, 18:16 authored by Daniel WeberDaniel Weber, Ahmad Ibrahim, Hamed Nemati, Michael SchwarzMichael Schwarz, Christian RossowChristian Rossow
In the last years, a series of side channels have been discovered on CPUs. These side channels have been used in powerful attacks, e.g., on cryptographic implementations, or as building blocks in transient-execution attacks such as Spectre or Meltdown. However, in many cases, discovering side channels is still a tedious manual process. In this paper, we present Osiris, a fuzzing-based framework to automatically discover microarchitectural side channels. Based on a machine-readable specification of a CPU's ISA, Osiris generates instruction-sequence triples and automatically tests whether they form a timing-based side channel. Furthermore, Osiris evaluates their usability as a side channel in transient-execution attacks, i.e., as the microarchitectural encoding for attacks like Spectre. In total, we discover four novel timing-based side channels on Intel and AMD CPUs. Based on these side channels, we demonstrate exploitation in three case studies. We show that our microarchitectural KASLR break using non-temporal loads, FlushConflict, even works on the new Intel Ice Lake and Comet Lake microarchitectures. We present a cross-core cross-VM covert channel that is not relying on the memory subsystem and transmits up to 1 kbit/s. We demonstrate this channel on the AWS cloud, showing that it is stealthy and noise resistant. Finally, we demonstrate Stream+Reload, a covert channel for transient-execution attacks that, on average, allows leaking 7.83 bytes within a transient window, improving state-of-the-art attacks that only leak up to 3 bytes.


Preferred Citation

Daniel Weber, Ahmad Ibrahim, Hamed Nemati, Michael Schwarz and Christian Rossow. Osiris: Automated Discovery of Microarchitectural Side Channels. In: Usenix Security Symposium (USENIX-Security). 2021.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

Usenix Security Symposium (USENIX-Security)

Legacy Posted Date


Open Access Type

  • Green


@inproceedings{cispa_all_3431, title = "Osiris: Automated Discovery of Microarchitectural Side Channels", author = "Weber, Daniel and Ibrahim, Ahmad and Nemati, Hamed and Schwarz, Michael and Rossow, Christian", booktitle="{Usenix Security Symposium (USENIX-Security)}", year="2021", }

Usage metrics


    No categories selected


    Ref. manager