AMD Prefetch Attacks through Power and Time

Moritz Lipp; Daniel Gruss; Michael Schwarz

AMD Prefetch Attacks through Power and Time

Moritz Lipp, Daniel Gruss, Michael Schwarz

Institut für Angewandte Informationsverarbeitung und Kommunikationstechnologie (7050)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

Modern operating systems fundamentally rely on the strict isolation of user applications from the kernel. This isolation is enforced by the hardware. On Intel CPUs, this isolation has been shown to be imperfect, for instance, with the prefetch side-channel. With Meltdown, it was even completely circumvented. Both the prefetch side channel and Meltdown have been mitigated with the same software patch on Intel. As AMD is believed to be not vulnerable to these attacks, this software patch is not active by default on AMD CPUs. In this paper, we show that the isolation on AMD CPUs suffers from the same type of side-channel leakage. We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information. We demonstrate the significance of this side channel with multiple case studies in real-world scenarios. We demonstrate the first microarchitectural break of (fine-grained) KASLR on AMD CPUs. We monitor kernel activity, e.g., if audio is played over Bluetooth, and establish a covert channel. Finally, we even leak kernel memory with 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be activated on AMD CPUs by default to mitigate our presented attacks successfully.

Originalsprache	englisch
Titel	Proceedings of the 31st USENIX Security Symposium, Security 2022
Herausgeber (Verlag)	USENIX Association
Seiten	643-660
Seitenumfang	18
ISBN (elektronisch)	9781939133311
Publikationsstatus	Veröffentlicht - 2022
Veranstaltung	31st USENIX Security Symposium: USENIX Security 2022 - Boston, USA / Vereinigte Staaten Dauer: 10 Aug. 2022 → 12 Aug. 2022 Konferenznummer: 31

Konferenz

Konferenz	31st USENIX Security Symposium
Kurztitel	USENIX '22
Land/Gebiet	USA / Vereinigte Staaten
Ort	Boston
Zeitraum	10/08/22 → 12/08/22

ASJC Scopus subject areas

Computernetzwerke und -kommunikation
Information systems
Sicherheit, Risiko, Zuverlässigkeit und Qualität

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

Dieses zitieren

@inproceedings{7ba61adf9f21409d93742c1839b95ea8,

title = "AMD Prefetch Attacks through Power and Time",

abstract = "Modern operating systems fundamentally rely on the strict isolation of user applications from the kernel. This isolation is enforced by the hardware. On Intel CPUs, this isolation has been shown to be imperfect, for instance, with the prefetch side-channel. With Meltdown, it was even completely circumvented. Both the prefetch side channel and Meltdown have been mitigated with the same software patch on Intel. As AMD is believed to be not vulnerable to these attacks, this software patch is not active by default on AMD CPUs. In this paper, we show that the isolation on AMD CPUs suffers from the same type of side-channel leakage. We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information. We demonstrate the significance of this side channel with multiple case studies in real-world scenarios. We demonstrate the first microarchitectural break of (fine-grained) KASLR on AMD CPUs. We monitor kernel activity, e.g., if audio is played over Bluetooth, and establish a covert channel. Finally, we even leak kernel memory with 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be activated on AMD CPUs by default to mitigate our presented attacks successfully.",

author = "Moritz Lipp and Daniel Gruss and Michael Schwarz",

note = "Funding Information: We would like to thank our anonymous reviewers and in particular our shepherd, Anil Kurmus, for their feedback that helped improve this paper. This project has received funding from the European Research Council (ERC) under the European Union{\textquoteright}s Horizon 2020 research and innovation program (grant agreement No 681402). Additional funding was provided by a generous gift from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties. Funding Information: We would like to thank our anonymous reviewers and in particular our shepherd, Anil Kurmus, for their feedback that helped improve this paper. This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation program (grant agreement No 681402). Additional funding was provided by a generous gift from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties. Publisher Copyright: {\textcopyright} USENIX Security Symposium, Security 2022.All rights reserved.; 31st USENIX Security Symposium : USENIX Security 2022, USENIX '22 ; Conference date: 10-08-2022 Through 12-08-2022",

year = "2022",

language = "English",

pages = "643--660",

booktitle = "Proceedings of the 31st USENIX Security Symposium, Security 2022",

publisher = "USENIX Association",

address = "United States",

}

TY - GEN

T1 - AMD Prefetch Attacks through Power and Time

AU - Lipp, Moritz

AU - Gruss, Daniel

AU - Schwarz, Michael

N1 - Conference code: 31

PY - 2022

Y1 - 2022

N2 - Modern operating systems fundamentally rely on the strict isolation of user applications from the kernel. This isolation is enforced by the hardware. On Intel CPUs, this isolation has been shown to be imperfect, for instance, with the prefetch side-channel. With Meltdown, it was even completely circumvented. Both the prefetch side channel and Meltdown have been mitigated with the same software patch on Intel. As AMD is believed to be not vulnerable to these attacks, this software patch is not active by default on AMD CPUs. In this paper, we show that the isolation on AMD CPUs suffers from the same type of side-channel leakage. We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information. We demonstrate the significance of this side channel with multiple case studies in real-world scenarios. We demonstrate the first microarchitectural break of (fine-grained) KASLR on AMD CPUs. We monitor kernel activity, e.g., if audio is played over Bluetooth, and establish a covert channel. Finally, we even leak kernel memory with 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be activated on AMD CPUs by default to mitigate our presented attacks successfully.

AB - Modern operating systems fundamentally rely on the strict isolation of user applications from the kernel. This isolation is enforced by the hardware. On Intel CPUs, this isolation has been shown to be imperfect, for instance, with the prefetch side-channel. With Meltdown, it was even completely circumvented. Both the prefetch side channel and Meltdown have been mitigated with the same software patch on Intel. As AMD is believed to be not vulnerable to these attacks, this software patch is not active by default on AMD CPUs. In this paper, we show that the isolation on AMD CPUs suffers from the same type of side-channel leakage. We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information. We demonstrate the significance of this side channel with multiple case studies in real-world scenarios. We demonstrate the first microarchitectural break of (fine-grained) KASLR on AMD CPUs. We monitor kernel activity, e.g., if audio is played over Bluetooth, and establish a covert channel. Finally, we even leak kernel memory with 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be activated on AMD CPUs by default to mitigate our presented attacks successfully.

UR - http://www.scopus.com/inward/record.url?scp=85122121592&partnerID=8YFLogxK

M3 - Conference paper

AN - SCOPUS:85122121592

SP - 643

EP - 660

BT - Proceedings of the 31st USENIX Security Symposium, Security 2022

PB - USENIX Association

T2 - 31st USENIX Security Symposium

Y2 - 10 August 2022 through 12 August 2022

ER -

AMD Prefetch Attacks through Power and Time

Abstract

Konferenz

ASJC Scopus subject areas

Andere Dateien und Links

Fingerprint

Dieses zitieren