I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches
- 1 June 2021
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
Modern Intel, AMD, and ARM processors translate complex instructions into simpler internal micro-ops that are then cached in a dedicated on-chip structure called the micro-op cache. This work presents an in-depth characterization study of the micro-op cache, reverse-engineering many undocumented features, and further describes attacks that exploit the micro-op cache as a timing channel to transmit secret information. In particular, this paper describes three attacks – (1) a same-thread cross-domain attack that leaks secrets across the user-kernel boundary, (2) a cross-SMT-thread attack that transmits secrets across two SMT threads via the micro-op cache, and (3) transient execution attacks that have the ability to leak an unauthorized secret accessed along a misspeculated path, even before the transient instruction is dispatched to execution, breaking several existing invisible-speculation and fencing-based solutions that mitigate Spectre.
Funding Information
- Intel Foundation