Abstract
In recent years, modern CPUs have been suffering from Meltdown-type attacks. These attacks are delivered by exploiting transient execution created by a faulting load operation. A secret value is encoded into the cache by transient instructions, which in turn is deduced from a microarchitectural covert channel such as Flush+Reload. Recent studies on these attacks mainly focus on finding new vulnerable microarchitectural structures, while lacking interest in how many transient instructions can be executed in the transient execution. If attackers know the exact attack capacity, i.e., the maximum number of instructions available within a transient execution window, they will be able to maximize information leakage by executing additional transient instructions. In order to devise security solutions against Meltdown-type attacks, it is of crucial importance to measure and evaluate the attack capacity. In this paper, we quantitatively analyze the attack capacity in terms of the number of \(\mu \)ops, the latency of transient instructions, and the size of the Reorder Buffer (ROB). Specifically, we present our method in detail that measures the capacity by reconstructing the original implementations of Meltdown-type attacks. We analyze the attack capacity by conducting experiments with various CPU models and identify several elements that affect the capacity. Based on our findings, we propose two methods that reinforce the Meltdown-type attacks.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Bulck, J.V., et al.: Foreshadow: extracting the keys to the intel SGX kingdom with transient out-of-order execution. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 991–1008. USENIX Association, Baltimore, MD (2018)
Canella, C., et al.: A systematic evaluation of transient execution attacks and defenses. In: 28th USENIX Security Symposium (USENIX Security 19), pp. 249–266. USENIX Association, Santa Clara, CA (2019)
Canella, C., et al.: Fallout: leaking data on meltdown-resistant cpus, pp. 769–784. In: CCS 2019, Association for Computing Machinery, New York, NY, USA (2019)
Kiriansky, V., Waldspurger, C.A.: Speculative buffer overflows: Attacks and defenses. CoRR abs/1807.03757 (2018). http://arxiv.org/abs/1807.03757
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1–19 (2019)
Koruyeh, E.M., Khasawneh, K.N., Song, C., Abu-Ghazaleh, N.: Spectre returns! speculation attacks using the return stack buffer. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18). USENIX Association, Baltimore, MD (2018)
Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 973–990. USENIX Association, Baltimore, MD (2018)
Maisuradze, G., Rossow, C.: Ret2spec: speculative execution using return stack buffers. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 2109–2122. CCS 2018, Association for Computing Machinery, New York, NY, USA (2018)
van Schaik, S., et al.: Ridl: rogue in-flight data load. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 88–105 (2019)
Schwarz, M., et al.: Zombieload: cross-privilege-boundary data sampling. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 753–768. CCS 2019, Association for Computing Machinery, New York, NY, USA (2019)
Stecklina, J., Prescher, T.: Lazyfp: Leaking FPU register state using microarchitectural side-channels. CoRR abs/1806.07480 (2018). http://arxiv.org/abs/1806.07480
Weisse, O., et al.: Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution. Technical report (2018)
Yarom, Y., Falkner, K.: Flush+reload: a high resolution, low noise, l3 cache side-channel attack. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 719–732. USENIX Association, San Diego, CA (2014)
Acknowledgments
This work was supported by an Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No. 2019-0-00533, Research on CPU vulnerability detection and validation).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Lee, S., Kim, T., Shin, Y. (2021). Quantitative Analysis on Attack Capacity in Meltdown-Type Attacks. In: Kim, H. (eds) Information Security Applications. WISA 2021. Lecture Notes in Computer Science(), vol 13009. Springer, Cham. https://doi.org/10.1007/978-3-030-89432-0_18
Download citation
DOI: https://doi.org/10.1007/978-3-030-89432-0_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-89431-3
Online ISBN: 978-3-030-89432-0
eBook Packages: Computer ScienceComputer Science (R0)