Side-Channel Attacks and Mitigations on Modern Computer Systems
Abstract:
Microarchitectural security problems in modern computer systems are becoming a more significant concern, as they can lead to side channels that can break the most restrictive isolation, e.g., the trusted execution environment (TEE) and untrusted zone, and then compromise the system confidentiality. Left unstudied, these issues have far-reaching harmful effects on computer systems.
We start with the disclosure of a novel hardware component on Intel processors' frontend, named Loop Stream Detector (LSD). We find LSD will also trigger speculative execution. Based on this feature, we propose GadgetSpinner, a novel transient attack, that enables the attacker process to read arbitrary data from another process. Using GadgetSpinner, we successfully break the SGX isolation and extract the weight value of the CNN model from the SGX DNN library.
In the next part, we move on to the security limitations of data prefetching, located in the backend of modern processors. To understand the security risk brought by prefetchers, we comprehensively reverse-engineered two prefetchers on Intel processors, i.e., the IP-stride prefetcher and the extended prediction table (XPT) prefetcher, and analyzed their security implications. Leveraging these two prefetchers' features, we then designed two side-channel attacks, AfterImage and PrefetchX. AfterImage demonstrates how the IP-stride prefetcher contention can leak control flow across different privilege domains (processes, kernel, and SGX), thus compromising confidential computing systems. By priming and probing the XPT prefetcher, PrefetchX then shows how the attacker can track the victim's page access pattern even from a separate core and leak the RSA private key from the MbedTLS library.
In the third part, to effectively safeguard systems against PMU-based side-channel attacks, we propose a novel Trusted Execution Environment (TEE) architecture that obfuscates microarchitectural events while incurring minimal performance overhead. We have implemented this innovative TEE architecture on the Kirin 960 SoC, an ARM-based SoC widely used in millions of mobile devices.
In summary, we (1) develop benchmarks to analyze Intel processor's frontend behavior and demonstrate the potential side-channel threats, (2) establish the end-to-end prefetcher-based side-channel attacks exploration framework on different hardware platforms, (3) design a comprehensive side-channel analysis tool to detect potential leakage on the hardware, and (4) build a TEE that can effectively mitigate PMU-based side-channel attacks and prototype this TEE on today's Arm platform.