A technical paper titled “(M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels” was published by researchers at CISPA Helmholtz Center for Information Security.
Abstract:
“In the last years, there has been a rapid increase in microarchitectural attacks, exploiting side effects of various parts of the CPU. Most of them have in common that they rely on timing differences, requiring a high-resolution timer to make microarchitectural states visible to an attacker. In this paper, we present a new primitive that converts microarchitectural states into architectural states without relying on time measurements. We exploit the unprivileged idle-loop optimization instructions umonitor and umwait introduced with the new Intel microarchitectures (Tremont and Alder Lake). Although not documented, these instructions provide architectural feedback about the transient usage of a specified memory region. In three case studies, we show the versatility of our primitive. First, with Spectral, we present a way of enabling transient-execution attacks to leak bits architecturally with up to 200 kbit/s without requiring any timer. Second, we show traditional side-channel attacks without relying on a timer. Finally, we demonstrate that when augmented with a coarse-grained timer, we can also mount interrupt-timing attacks, allowing us to, e.g., detect which website a user opens. Our case studies highlight that the boundary between architecture and microarchitecture becomes more and more blurry, leading to new attack variants and complicating effective countermeasures.”
Find the technical paper here. January 2023 (last modified). Related GitHub material is here.
Zhang, Ruiyi, Taehyun Kim, Daniel Weber, and Michael Schwarz. “(M) WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels.” In USENIX Security. 2023.
Leave a Reply