Cross-Core Interrupt Detection: Exploiting User and Virtualized IPIs

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Interrupts are fundamental to inter-process and cross-core communication in modern systems. Controlling these communication mechanisms has historically required switches into the kernel or hypervisor, incurring high performance costs. To alleviate these costs, Intel introduced new hardware mechanisms to send inter-processor interrupts (IPIs) from user space without switching into the kernel, and from virtual machines without switching into the hypervisor. However, it is unclear whether this direct, unsupervised interaction between unprivileged (or virtualized) workloads and the underlying hardware significantly changes the attack surface.

In this paper, we present the IPI side channel, a novel side-channel attack exploiting the recently introduced user interrupts and IPI virtualization features on Intel Sapphire Rapids and the upcoming Intel Arrow Lake processors. The IPI side channel is the first cross-core interrupt detection side channel, allowing an attacker to monitor interrupts delivered to any physical core of the same processor. Our attack is based on precise measurements of the hardware delivery time of interrupts from user space and virtual machines. More specifically, we exploit that interrupts are delivered through a cross-core bus, leading to timing variations on the attacker's local IPIs. We present multiple case studies to compare the IPI side channel with the state of the art: First, we present an unprivileged cross-core covert channel with a native true capacity of 434.7 kbit/s ($n = 100$, $\bar{\sigma}_{\bar{x}} = 0.03$) and a cross-VM capacity of 3.45 kbit/s ($n = 100$, $\bar{\sigma}_{\bar{x}} = 0.01$). Second, we demonstrate a native inter-keystroke timing attack with an $F_1$ score of 97.9 %. Third, we present an open-world website fingerprinting attack on the top 100 websites, achieving an $F_1$ score of 89.0 % in a native scenario and an $F_1$ score of 71.0 % in a cross-VM (thin client) scenario. Furthermore, we discuss the broader context of the IPI side channel and categorize interrupt side channels and mitigations.
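The receiver side of the covert channel described in the abstract reduces to a signal-processing problem: time many local IPI deliveries, calibrate a threshold while the other core is quiet, and decide per bit period whether enough samples were delayed by cross-core bus contention. The following simulation is an added illustration of that decoding pipeline and is not the paper's code or measurement; it does not issue real user interrupts. The latency model and every constant in it (baseline cycles, jitter, contention penalty, samples per bit, the fraction of samples a sender burst delays) are assumed values chosen only to make the example run offline.

```python
"""Illustrative decoder for an interrupt-timing covert channel.

Constructed simulation, not the paper's code: the attacker's local IPI
round-trip latency is modelled as a baseline plus Gaussian jitter, with
an extra delay on a fraction of the samples whenever the sender core
floods interrupts during a '1' bit period.  All constants are assumptions.
"""
import random
import statistics

BASELINE_CYCLES = 1200     # assumed: undisturbed local IPI delivery time
NOISE_CYCLES = 40          # assumed: jitter of the undisturbed measurement
CONTENTION_CYCLES = 300    # assumed: extra delay while the cross-core bus is busy
SAMPLES_PER_BIT = 64       # assumed: local IPIs the receiver times per bit period
HIT_FRACTION = 0.5         # assumed: share of receiver samples a sender burst delays


def simulate_trace(bits, seed=1):
    """Return one latency sample per timed local IPI, SAMPLES_PER_BIT per bit.
    For a '1' bit roughly HIT_FRACTION of the samples carry the contention delay."""
    rng = random.Random(seed)
    trace = []
    for bit in bits:
        for _ in range(SAMPLES_PER_BIT):
            latency = BASELINE_CYCLES + rng.gauss(0, NOISE_CYCLES)
            if bit == 1 and rng.random() < HIT_FRACTION:
                latency += CONTENTION_CYCLES
            trace.append(latency)
    return trace


def calibrate(quiet_trace):
    """Threshold from a trace recorded while the sender is idle: median plus a
    robust spread estimate (MAD scaled to one sigma) times a safety margin.
    Median/MAD ignore the occasional outlier caused by unrelated interrupts."""
    med = statistics.median(quiet_trace)
    mad = statistics.median(abs(x - med) for x in quiet_trace)
    return med + 4.0 * 1.4826 * mad


def decode(trace, threshold):
    """Split the trace into bit periods; emit 1 when at least a quarter of the
    samples in a period exceed the calibrated threshold, else 0."""
    bits = []
    for start in range(0, len(trace), SAMPLES_PER_BIT):
        window = trace[start:start + SAMPLES_PER_BIT]
        hits = sum(1 for x in window if x > threshold)
        bits.append(1 if hits >= SAMPLES_PER_BIT // 4 else 0)
    return bits


def bit_error_rate(sent, received):
    """Fraction of bit positions that differ between the two sequences."""
    errors = sum(s != r for s, r in zip(sent, received))
    return errors / len(sent)


def run_demo(message=b"IPI", seed=7):
    """Transmit the bits of `message` MSB-first and decode them from a simulated
    trace; returns (sent_bits, received_bits, bit_error_rate)."""
    sent = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    threshold = calibrate(simulate_trace([0] * 16, seed=seed))
    received = decode(simulate_trace(sent, seed=seed + 1), threshold)
    return sent, received, bit_error_rate(sent, received)


if __name__ == "__main__":
    sent, received, ber = run_demo()
    print(f"sent={sent}\nrecv={received}\nBER={ber:.3f}")
```

The calibration step is the part worth copying into a real measurement harness: the distribution of undisturbed delivery times is not known in advance and shifts with frequency scaling and background activity, so a threshold derived from a quiet window with median and MAD is far more stable than a fixed cycle count or a mean-plus-standard-deviation rule that a few stray interrupts would skew.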
Original language: English
Title of host publication: ACM Conference on Computer and Communications Security (CCS) 2024
DOIs
Publication status: Published - 14 Oct 2024
Event: ACM Conference on Computer and Communications Security: CCS 2024 - Salt Lake City, United States
Duration: 14 Oct 2024 → 18 Oct 2024

Conference

Conference: ACM Conference on Computer and Communications Security
Abbreviated title: CCS '24
Country/Territory: United States
City: Salt Lake City
Period: 14/10/24 → 18/10/24

Keywords

  • side-channel attack
  • user interrupts
  • IPI virtualization
  • interrupt detection
  • Website fingerprinting

Fields of Expertise

  • Information, Communication & Computing
