CISPA
Browse
cispa_all_3769.pdf (338.73 kB)

(M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels

Download (338.73 kB)
conference contribution
posted on 2023-11-29, 18:24 authored by Ruiyi ZhangRuiyi Zhang, Taehyun Kim, Daniel WeberDaniel Weber, Michael SchwarzMichael Schwarz
In the last years, there has been a rapid increase in microarchitectural attacks, exploiting side effects of various parts of the CPU. Most of them have in common that they rely on timing differences, requiring a high-resolution timer to make microarchitectural states visible to an attacker. In this paper, we present a new primitive that converts microarchitectural states into architectural states without relying on time measurements. We exploit the unprivileged idle-loop optimization instructions umonitor and umwait introduced with the new Intel microarchitectures (Tremont and Alder Lake). Although not documented, these instructions provide architectural feedback about the transient usage of a specified memory region. In three case studies, we show the versatility of our primitive. First, with Spectral, we present a way of enabling transient-execution attacks to leak bits architecturally with up to 200 kbit/s without requiring any timer. Second, we show traditional side-channel attacks without relying on a timer. Finally, we demonstrate that when augmented with a coarse-grained timer, we can also mount interrupt-timing attacks, allowing us to, e.g., detect which website a user opens. Our case studies highlight that the boundary between architecture and microarchitecture becomes more and more blurry, leading to new attack variants and complicating effective countermeasures.

History

Preferred Citation

Ruiyi Zhang, Taehyun Kim, Daniel Weber and Michael Schwarz. (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels. In: Usenix Security Symposium (USENIX-Security). 2023.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

Usenix Security Symposium (USENIX-Security)

Legacy Posted Date

2022-09-05

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3769, title = "(M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels", author = "Zhang, Ruiyi and Kim, Taehyun and Weber, Daniel and Schwarz, Michael", booktitle="{Usenix Security Symposium (USENIX-Security)}", year="2023", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC