Abstract
Spectre and similar microarchitectural attacks have recently caused a major paradigm shift in hardware and software development to restrict attacker-controlled speculative execution and microarchitectural sampling. So far, research has focused on cache interaction, instruction scheduling, microarchitectural sampling and speculative side effects, whereas instruction decoding research has been notably absent. We disclose two cross-core covert channels on multiple AMD processor generations (Family 15h) spanning from Bulldozer to Excavator with partial applicability to Zen.
In this work, cross-core instruction decoding and synchronization interactions are explored as a source of information leakage on these processors to yield multiple cache-independent covert channels in a non-SMT environment. In contrast to other attacks, we do not rely on memory interaction nor on speculative execution. None of the existing mitigations in the Linux kernel and processor microcode against transient execution attacks have any measurable effect on the CCCiCC covert channels. To the best of our knowledge, this is not fixable with a microcode update since any updated instruction would also become usable for signaling.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Acıiçmez, O., Seifert, J.P.: Cheap hardware parallelism implies cheap security. In: Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 80–91. IEEE (2007)
AMD: Software Optimization Guide for AMD Family 15h Processors (2014). https://www.amd.com/system/files/TechDocs/47414_15h_sw_opt_guide.pdf
Bhattacharyya, A., et al.: SMoTherSpectre: exploiting speculative execution through port contention. arXiv preprint arXiv:1903.01843 (2019)
Cabrera Aldaya, A., Brumley, B.B., ul Hassan, S., Pereida García, C., Tuveri, N.: Port Contention for Fun and Profit. Cryptology ePrint Archive, Report 2018/1060 (2018). https://eprint.iacr.org/2018/1060
Canella, C., et al.: A systematic evaluation of transient execution attacks and defenses. arXiv preprint arXiv:1811.05441 (2018)
Evtyushkin, D., Ponomarev, D.: Covert channels through random number generator: mechanisms, capacity estimation and mitigations. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 843–857. ACM (2016)
Fog, A.: Instruction tables: lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs (2018). https://www.agner.org/optimize/instruction_tables.pdf
Fogh, A.: Covert Shotgun: automatically finding SMT covert channels (2016). https://cyber.wtf/2016/09/27/covert-shotgun/
Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8(1), 1–27 (2018)
Gras, B., Razavi, K., Bos, H., Giuffrida, C.: Translation leak-aside buffer: defeating cache side-channel protections with TLB attacks. In: 27th USENIX Security Symposium, SEC 2018, pp. 955–972. USENIX Association, Berkeley (2018)
Horn, J.: Speculative execution, variant 4: speculative store bypass (2018). https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018)
Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium, pp. 973–990 (2018)
Mcilroy, R., Sevcik, J., Tebbi, T., Titzer, B.L., Verwaest, T.: Spectre is here to stay: an analysis of side-channels and speculative execution. arXiv preprint arXiv:1902.05178 (2019)
Nussbaum, S.: AMD trinity APU. In: 2012 IEEE Hot Chips 24 Symposium (HCS), pp. 1–40. IEEE (2012)
Paoloni, G.: How to benchmark code execution times on Intel IA-32 and IA-64 instruction set architectures. Intel Corporation, p. 123 (2010)
Percival, C.: Cache Missing for Fun and Profit (2005)
Schwarz, M., Schwarzl, M., Lipp, M., Masters, J., Gruss, D.: NetSpectre: read arbitrary memory over network. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 279–299. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0_14
Shimpi, A.L.: Intel’s Sandy Bridge Architecture Exposed (2010). https://www.anandtech.com/print/3922/intels-sandy-bridge-architecture-exposed
Stecklina, J., Prescher, T.: LazyFP: leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480 (2018)
Tsunoo, Y.: Crypt-analysis of block ciphers implemented on computers with cache. In: Proceedings ISITA2002, October 2002
Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_6
Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC 2006, pp. 473–482. IEEE Computer Society, Washington (2006)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Hailfinger, CD., Lemke-Rust, K., Paar, C. (2020). CCCiCC: A Cross-Core Cache-Independent Covert Channel on AMD Family 15h CPUs. In: Belaïd, S., Güneysu, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2019. Lecture Notes in Computer Science(), vol 11833. Springer, Cham. https://doi.org/10.1007/978-3-030-42068-0_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-42068-0_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42067-3
Online ISBN: 978-3-030-42068-0
eBook Packages: Computer ScienceComputer Science (R0)