AVX-TSCHA: Leaking information through AVX extensions in commercial processors
| Field | Value |
|---|---|
| Published in | Computers & Security 2023-11, Vol. 134, p. 103437, Article 103437 |
| Main authors | , , |
| Format | Article |
| Language | eng |
| Subjects | |
| Online access | Full text |
| ISSN | 0167-4048, 1872-6208 |
| DOI | 10.1016/j.cose.2023.103437 |

Abstract:

Modern x86 processors support an AVX instruction set to boost performance. However, this extension set may also cause security issues. We discovered that there are vulnerable properties in the implementation of the masked load/store instructions. First, these instructions can suppress exceptions caused by invalid or inaccessible memory access. Second, the execution time of these instructions leaks the current state of the page mappings, permissions, and TLB states.

Based on this, we present a novel AVX timing side-channel attack that can defeat address space layout randomization. We demonstrate the significance of our side-channel attack by showing User and Kernel ASLR breaks on the recent Intel and AMD processors in various environments, including cloud computing systems (Amazon AWS, Google GCP, and Microsoft Azure), an SGX enclave (a fine-grained ASLR break), and major OSes (Linux, Windows, and macOS). Our attack can identify the Linux kernel's base address in 0.29 ms as well as those of loaded kernel modules in 2.24 ms, with a near-zero error rate. We further demonstrate that our attack can be used to infer user behavior, such as mouse movements and data transmissions over the network. Our evaluation results on multiple mobile, desktop, and server processors (a total of 26 Intel and AMD CPUs) show that 1) the AVX timing side-channel works on the vast majority of Intel processors (from the Sandy Bridge microarchitecture) as well as AMD processors (from the Zen microarchitecture onward) and 2) our KASLR breaks are very fast and reliable. To the best of our knowledge, our attack is the first to demonstrate a KASLR break on both the recent Intel Alder Lake and AMD Zen 3 CPUs. We highlight that more robust isolation or fine-grained randomization should be adopted to mitigate our presented attacks successfully.