AMD Prefetch Attacks through Power and Time

Moritz Lipp, Daniel Gruss, Michael Schwarz

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review

Abstract

Modern operating systems fundamentally rely on the strict isolation of user applications from the kernel. This isolation is enforced by the hardware. On Intel CPUs, this isolation has been shown to be imperfect, for instance, with the prefetch side-channel. With Meltdown, it was even completely circumvented. Both the prefetch side channel and Meltdown have been mitigated with the same software patch on Intel. As AMD is believed to be not vulnerable to these attacks, this software patch is not active by default on AMD CPUs. In this paper, we show that the isolation on AMD CPUs suffers from the same type of side-channel leakage. We discover timing and power variations of the prefetch instruction that can be observed from unprivileged user space. In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information. We demonstrate the significance of this side channel with multiple case studies in real-world scenarios. We demonstrate the first microarchitectural break of (fine-grained) KASLR on AMD CPUs. We monitor kernel activity, e.g., if audio is played over Bluetooth, and establish a covert channel. Finally, we even leak kernel memory with 52.85 B/s with simple Spectre gadgets in the Linux kernel. We show that stronger page table isolation should be activated on AMD CPUs by default to mitigate our presented attacks successfully.

Original languageEnglish
Title of host publicationProceedings of the 31st USENIX Security Symposium, Security 2022
PublisherUSENIX Association
Pages643-660
Number of pages18
ISBN (Electronic)9781939133311
Publication statusPublished - 2022
Event31st USENIX Security Symposium: USENIX Security 2022 - Boston, United States
Duration: 10 Aug 202212 Aug 2022
Conference number: 31

Conference

Conference31st USENIX Security Symposium
Abbreviated titleUSENIX '22
Country/TerritoryUnited States
CityBoston
Period10/08/2212/08/22

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'AMD Prefetch Attacks through Power and Time'. Together they form a unique fingerprint.

Cite this