Skip to main content
SpringerLink
Log in
Book cover

International Conference on Smart Card Research and Advanced Applications

CARDIS 2019: Smart Card Research and Advanced Applications pp 159–175Cite as

CCCiCC: A Cross-Core Cache-Independent Covert Channel on AMD Family 15h CPUs

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11833))

Abstract

Spectre and similar microarchitectural attacks have recently caused a major paradigm shift in hardware and software development to restrict attacker-controlled speculative execution and microarchitectural sampling. So far, research has focused on cache interaction, instruction scheduling, microarchitectural sampling and speculative side effects, whereas instruction decoding research has been notably absent. We disclose two cross-core covert channels on multiple AMD processor generations (Family 15h) spanning from Bulldozer to Excavator with partial applicability to Zen.

In this work, cross-core instruction decoding and synchronization interactions are explored as a source of information leakage on these processors to yield multiple cache-independent covert channels in a non-SMT environment. In contrast to other attacks, we do not rely on memory interaction nor on speculative execution. None of the existing mitigations in the Linux kernel and processor microcode against transient execution attacks have any measurable effect on the CCCiCC covert channels. To the best of our knowledge, this is not fixable with a microcode update since any updated instruction would also become usable for signaling.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Acıiçmez, O., Seifert, J.P.: Cheap hardware parallelism implies cheap security. In: Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 80–91. IEEE (2007)

    Google Scholar 

  2. AMD: Software Optimization Guide for AMD Family 15h Processors (2014). https://www.amd.com/system/files/TechDocs/47414_15h_sw_opt_guide.pdf

  3. Bhattacharyya, A., et al.: SMoTherSpectre: exploiting speculative execution through port contention. arXiv preprint arXiv:1903.01843 (2019)

  4. Cabrera Aldaya, A., Brumley, B.B., ul Hassan, S., Pereida García, C., Tuveri, N.: Port Contention for Fun and Profit. Cryptology ePrint Archive, Report 2018/1060 (2018). https://eprint.iacr.org/2018/1060

  5. Canella, C., et al.: A systematic evaluation of transient execution attacks and defenses. arXiv preprint arXiv:1811.05441 (2018)

  6. Evtyushkin, D., Ponomarev, D.: Covert channels through random number generator: mechanisms, capacity estimation and mitigations. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 843–857. ACM (2016)

    Google Scholar 

  7. Fog, A.: Instruction tables: lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs (2018). https://www.agner.org/optimize/instruction_tables.pdf

  8. Fogh, A.: Covert Shotgun: automatically finding SMT covert channels (2016). https://cyber.wtf/2016/09/27/covert-shotgun/

  9. Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8(1), 1–27 (2018)

    Article  Google Scholar 

  10. Gras, B., Razavi, K., Bos, H., Giuffrida, C.: Translation leak-aside buffer: defeating cache side-channel protections with TLB attacks. In: 27th USENIX Security Symposium, SEC 2018, pp. 955–972. USENIX Association, Berkeley (2018)

    Google Scholar 

  11. Horn, J.: Speculative execution, variant 4: speculative store bypass (2018). https://bugs.chromium.org/p/project-zero/issues/detail?id=1528

  12. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018)

  13. Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

    Chapter  Google Scholar 

  14. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium, pp. 973–990 (2018)

    Google Scholar 

  15. Mcilroy, R., Sevcik, J., Tebbi, T., Titzer, B.L., Verwaest, T.: Spectre is here to stay: an analysis of side-channels and speculative execution. arXiv preprint arXiv:1902.05178 (2019)

  16. Nussbaum, S.: AMD trinity APU. In: 2012 IEEE Hot Chips 24 Symposium (HCS), pp. 1–40. IEEE (2012)

    Google Scholar 

  17. Paoloni, G.: How to benchmark code execution times on Intel IA-32 and IA-64 instruction set architectures. Intel Corporation, p. 123 (2010)

    Google Scholar 

  18. Percival, C.: Cache Missing for Fun and Profit (2005)

    Google Scholar 

  19. Schwarz, M., Schwarzl, M., Lipp, M., Masters, J., Gruss, D.: NetSpectre: read arbitrary memory over network. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 279–299. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0_14

    Chapter  Google Scholar 

  20. Shimpi, A.L.: Intel’s Sandy Bridge Architecture Exposed (2010). https://www.anandtech.com/print/3922/intels-sandy-bridge-architecture-exposed

  21. Stecklina, J., Prescher, T.: LazyFP: leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480 (2018)

  22. Tsunoo, Y.: Crypt-analysis of block ciphers implemented on computers with cache. In: Proceedings ISITA2002, October 2002

    Google Scholar 

  23. Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_6

    Chapter  Google Scholar 

  24. Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC 2006, pp. 473–482. IEEE Computer Society, Washington (2006)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Bonn-Rhein-Sieg University of Applied Sciences, Sankt Augustin, Germany

    Carl-Daniel Hailfinger & Kerstin Lemke-Rust

  2. Horst-Görtz Institute, Ruhr University Bochum, Bochum, Germany

    Carl-Daniel Hailfinger

  3. Max Planck Institute for Cyber Security and Privacy, Bochum, Germany

    Christof Paar

Authors
  1. Carl-Daniel Hailfinger
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kerstin Lemke-Rust
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Christof Paar
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Carl-Daniel Hailfinger .

Editor information

Editors and Affiliations

  1. CryptoExperts, Paris, France

    Sonia Belaïd

  2. Ruhr-Universität Bochum, Bochum, Germany

    Tim Güneysu

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hailfinger, CD., Lemke-Rust, K., Paar, C. (2020). CCCiCC: A Cross-Core Cache-Independent Covert Channel on AMD Family 15h CPUs. In: Belaïd, S., Güneysu, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2019. Lecture Notes in Computer Science(), vol 11833. Springer, Cham. https://doi.org/10.1007/978-3-030-42068-0_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-42068-0_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42067-3

  • Online ISBN: 978-3-030-42068-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation