nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

CCCiCC: A Cross-Core Cache-Independent Covert Channel on AMD Family 15h CPUs

verfasst von : Carl-Daniel Hailfinger, Kerstin Lemke-Rust, Christof Paar

Erschienen in: Smart Card Research and Advanced Applications

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Spectre and similar microarchitectural attacks have recently caused a major paradigm shift in hardware and software development to restrict attacker-controlled speculative execution and microarchitectural sampling. So far, research has focused on cache interaction, instruction scheduling, microarchitectural sampling and speculative side effects, whereas instruction decoding research has been notably absent. We disclose two cross-core covert channels on multiple AMD processor generations (Family 15h) spanning from Bulldozer to Excavator with partial applicability to Zen.

In this work, cross-core instruction decoding and synchronization interactions are explored as a source of information leakage on these processors to yield multiple cache-independent covert channels in a non-SMT environment. In contrast to other attacks, we do not rely on memory interaction nor on speculative execution. None of the existing mitigations in the Linux kernel and processor microcode against transient execution attacks have any measurable effect on the CCCiCC covert channels. To the best of our knowledge, this is not fixable with a microcode update since any updated instruction would also become usable for signaling.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel A Bit-Level Approach to Side Channel Based Disassembling

Nächstes Kapitel Design Considerations for EM Pulse Fault Injection

Acıiçmez, O., Seifert, J.P.: Cheap hardware parallelism implies cheap security. In: Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 80–91. IEEE (2007)

AMD: Software Optimization Guide for AMD Family 15h Processors (2014). https://www.amd.com/system/files/TechDocs/47414_15h_sw_opt_guide.pdf

Bhattacharyya, A., et al.: SMoTherSpectre: exploiting speculative execution through port contention. arXiv preprint arXiv:1903.01843 (2019)

Cabrera Aldaya, A., Brumley, B.B., ul Hassan, S., Pereida García, C., Tuveri, N.: Port Contention for Fun and Profit. Cryptology ePrint Archive, Report 2018/1060 (2018). https://eprint.iacr.org/2018/1060

Canella, C., et al.: A systematic evaluation of transient execution attacks and defenses. arXiv preprint arXiv:1811.05441 (2018)

Evtyushkin, D., Ponomarev, D.: Covert channels through random number generator: mechanisms, capacity estimation and mitigations. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 843–857. ACM (2016)

Fog, A.: Instruction tables: lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs (2018). https://www.agner.org/optimize/instruction_tables.pdf

Fogh, A.: Covert Shotgun: automatically finding SMT covert channels (2016). https://cyber.wtf/2016/09/27/covert-shotgun/

Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8(1), 1–27 (2018)CrossRef

10.

Gras, B., Razavi, K., Bos, H., Giuffrida, C.: Translation leak-aside buffer: defeating cache side-channel protections with TLB attacks. In: 27th USENIX Security Symposium, SEC 2018, pp. 955–972. USENIX Association, Berkeley (2018)

11.

Horn, J.: Speculative execution, variant 4: speculative store bypass (2018). https://bugs.chromium.org/p/project-zero/issues/detail?id=1528

12.

Kocher, P., et al.: Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018)

13.

Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9CrossRef

14.

Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium, pp. 973–990 (2018)

15.

Mcilroy, R., Sevcik, J., Tebbi, T., Titzer, B.L., Verwaest, T.: Spectre is here to stay: an analysis of side-channels and speculative execution. arXiv preprint arXiv:1902.05178 (2019)

16.

Nussbaum, S.: AMD trinity APU. In: 2012 IEEE Hot Chips 24 Symposium (HCS), pp. 1–40. IEEE (2012)

17.

Paoloni, G.: How to benchmark code execution times on Intel IA-32 and IA-64 instruction set architectures. Intel Corporation, p. 123 (2010)

18.

Percival, C.: Cache Missing for Fun and Profit (2005)

19.

Schwarz, M., Schwarzl, M., Lipp, M., Masters, J., Gruss, D.: NetSpectre: read arbitrary memory over network. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 279–299. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0_14CrossRef

20.

Shimpi, A.L.: Intel’s Sandy Bridge Architecture Exposed (2010). https://www.anandtech.com/print/3922/intels-sandy-bridge-architecture-exposed

21.

Stecklina, J., Prescher, T.: LazyFP: leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480 (2018)

22.

Tsunoo, Y.: Crypt-analysis of block ciphers implemented on computers with cache. In: Proceedings ISITA2002, October 2002

23.

Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_6CrossRef

24.

Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC 2006, pp. 473–482. IEEE Computer Society, Washington (2006)

Titel: CCCiCC: A Cross-Core Cache-Independent Covert Channel on AMD Family 15h CPUs
verfasst von: Carl-Daniel Hailfinger
Kerstin Lemke-Rust
Christof Paar
Verlag: Springer International Publishing
Buch: Smart Card Research and Advanced Applications
Print ISBN: 978-3-030-42067-3

Electronic ISBN: 978-3-030-42068-0

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-42068-0_10

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"