13 Side Channel Attacks

Microarchitecture Side-Channel Attacks

Fundamentals of Transient Execution

• Definition: Security vulnerabilities that exploit processor performance enhancements (speculation and multithreading) to access and leak secret data are known as microarchitecture side-channel attacks or transient execution attacks.
• Mechanism: These attacks operate similarly to prime-probe cache attacks, but the spy process specifically controls the execution of instruction sequences between the prime and probe phases.
• Bypass Capabilities: Speculation enables instructions to access restricted data by bypassing standard security enforcement mechanisms, including:
  • Software bounds checks
  • Virtual memory protection
  • Virtual machine (VM) isolation
  • Hardware isolation (trusted execution environments or enclaves)
• Footprint Generation: Transiently executed instructions modify the state of a hardware performance mechanism (such as a cache) before the processor cancels them.

The amplification of these transient execution vulnerabilities heavily relies on how modern processors manage multiple execution threads simultaneously.

Impact of Simultaneous Multithreading (SMT)

• Pipeline Sharing: SMT allows a spy process to share the processor pipeline directly with the victim process.
• High-Bandwidth Side Channels: The spy utilizes multiple shared caching structures (e.g., first-level caches and branch target buffers) to establish a high-bandwidth side channel.
• Rapid Probing: Parallel execution ensures the spy can probe the side channel to retrieve leaked information before standard processor activity (e.g., cache refills) overwrites the hardware state.

To exploit these shared structures, attackers employ specific code sequences that force the processor to speculatively leak data, a process perfectly illustrated by the Meltdown vulnerability.

Attack Execution Flow: The Meltdown Example

• Objective: Read arbitrary memory addresses utilized by the operating system kernel by circumventing virtual memory protections.
• Phase 1: Prime
  • Allocate an array ($use{r}_{m}emory$).
  • Flush all elements of this array from the processor’s first-level cache.
• Phase 2: Speculate and Leak
  • Trigger an exception, such as dividing by zero.
  • Execute subsequent instructions speculatively before the hardware resolves the exception:
    • Load a value from an unauthorized kernel memory address: $Value=kerne{l}_{a}rray[Address]$.
    • Mask the read value to extract a specific bit (e.g., the least significant bit) and multiply by 256 to calculate an index: Index = (Value \mathbin{&} 1) \times 256.
    • Access the primed array at the calculated index: $Value=use{r}_{m}emory[Index]$.
  • The processor cancels these instructions when the exception reaches the head of the reorder buffer (ROB), preventing architectural state changes but leaving the cache state permanently modified.
• Phase 3: Probe
  • The spy process times the access to elements of $use{r}_{m}emory$.
  • A fast load time (cache hit) at element 0 indicates the secret bit was 0.
  • A fast load time at element 256 indicates the secret bit was 1.

While Meltdown directly targets kernel memory using exceptions, the underlying methodology of exploiting speculation applies to a broader class of attacks.

General Structure of Microarchitecture Attacks

• Execution Pattern: A spy process leverages speculation to execute, but not commit, instructions that access secret data.
• State Modification: The secret data acts as an index or operand that alters a hardware performance mechanism (e.g., caches, BTBs, or memory disambiguation logic).
• Targeted Speculation: Attacks (such as Spectre) invoke the OS or victim process via standard software interfaces, supplying specific inputs designed to force the victim’s code to speculatively access and leak data.

Mitigating these highly effective attack structures requires coordinated interventions at both the software and hardware levels.

Defenses and Mitigations

• Software and Compiler Defenses
  • Fence Instructions: Recompiling code to insert fences that strictly disallow speculative execution until specific conditions resolve.
  • Speculative Load Hardening: Introducing a data dependency between an instruction that exploits speculation and a load that potentially leaks secret data.
  • Drawbacks: These software mitigations rely on source code recompilation and introduce a steep performance-security trade-off.
• Hardware and Microarchitectural Defenses
  • Resource Isolation: Disabling SMT entirely prevents spy processes from observing shared structures concurrently with victim processes.
  • Cache Partitioning: Isolating the cache space used by different processes to eliminate prime-probe tracking.
  • Pipeline Modifications: Delaying the use of sensitive data under speculation or engineering mechanisms to reverse the impact of mis-speculated instructions on hardware performance structures.
• The ISA Abstraction Gap
  • Current Instruction Set Architectures (ISAs) define functional behavior strictly in a timing-independent manner.
  • Correctly implemented ISAs remain physically vulnerable because timing behaviors interact with correct execution in undefined ways.
  • Future architecture requires new abstractions and tools to formally model and analyze how timing behavior interacts with security and privacy.