ABSTRACT
In this paper, we propose a novel class of speculative attacks, called Timed Speculative Attacks (TSA), that does not depend on state changes in the cache memory. Instead, it makes use of the timing differences that arise from store-to-load forwarding. We propose two attack strategies: Fill-and-Forward, which utilizes correctly speculated loads, and Fill-and-Misdirect, which uses mis-speculated load instructions. While Fill-and-Forward exploits the store buffers shared between hardware threads in a multi-threaded CPU core, the Fill-and-Misdirect approach exploits the influence that rolled-back mis-speculated loads have on subsequent instructions. As case studies, we demonstrate a covert channel using Fill-and-Forward, and key recovery attacks on OpenSSL AES and on the Romulus-N Authenticated Encryption with Associated Data scheme using the Fill-and-Misdirect approach. Finally, we show that TSA is able to subvert popular cache-based countermeasures against transient attacks.
Index Terms
- Timed speculative attacks exploiting store-to-load forwarding bypassing cache-based countermeasures