Computer Architecture Today

Informing the broad computing community about current activities, advances and future directions in computer architecture.

Microarchitectural and hardware security remained a very active research area in 2022. Top computer architecture conferences each had multiple sessions dedicated to security (4 sessions at ISCA’22, and 3 sessions each at MICRO’22, HPCA’22 and ASPLOS’22). However, this blog post is dedicated to microarchitecture and hardware security papers that appeared in the 2022 USENIX Security Symposium, one of the top security conferences. The symposium took place in Boston in August 2022; it had three submission deadlines during the year, and a record 256 papers were accepted. This large technical program includes numerous papers that are of direct interest to the computer architecture community. This blog post summarizes these contributions.

Side-channel attacks continued to receive a significant amount of attention. While previous transient execution attacks mostly focused on Intel processors, the AMD prefetch attacks paper demonstrated that timing- and power-based side-channel attacks are also possible on AMD processors, particularly on their prefetch units. In fact, the authors demonstrated that prefetch instructions leak even more information on AMD processors than on Intel. The key observation behind these attacks is that the timing of prefetch instructions targeting kernel addresses depends on the page-table level at which the page walk aborts. In addition, since the timing of prefetch instructions also depends on the TLB state, this attack can leak whether the kernel is currently using a targeted kernel page.

Hiding in Plain Sight presented a novel attack against systems that use physical side channels for control-flow monitoring of programs. The authors presented a method for crafting functional malware without triggering the detector. Hertzbleed showed how to turn power side-channel attacks into timing attacks on modern x86-based systems that can be performed without access to power measurement infrastructure. The key observation is that, under certain circumstances, DVFS-induced CPU frequency adjustments depend on the current power consumption and are therefore data-dependent. Furthermore, these adjustments can be observed without special privileges by a remote attacker. Binoculars described a new side-channel attack that exploits the observation that contention for shared resources between page-walker loads and regular memory operations can cause significant delays in program execution time, originating from a single dynamic instruction. The authors further showed that this contention through address dependence applies to high-order address bits, lower-order address bits, and also to intra-cache-line address bits and across address spaces, enabling low-noise attacks.

Branch History Injection introduced a new primitive to build cross-privilege branch target injection attacks on systems deploying isolation-based hardware defenses such as Intel eIBRS and ARM CSV2. The key observation is that the isolation offered by these defenses is not extended to other branch predictor structures, so attacks remain possible. Furthermore, the authors analyzed the impact of also isolating the branch history and showed that, without a collision-free design, practical same-predictor-mode attacks are still possible even in this case. TLB;DR presented TLB desynchronization as a new approach for reverse-engineering TLB behavior from software. This approach allows reconstructing features such as replacement policies and handling of PCIDs on commodity Intel processors. The authors then showed how these new insights can be turned into faster, more efficient and finer-granularity attacks on both L1 and L2 TLBs.

ReZone addressed a limitation of TrustZone-assisted TEE systems: the trusted OS has unrestricted access to both secure-world and normal-world memory. Specifically, attackers can leverage a chain of exploits to hijack the trusted OS and gain full control of the system, targeting the rich execution environment itself, trusted applications and/or the secure monitor. ReZone partitions a monolithic trusted environment into multiple sandboxed domains named zones. The goal is to restrict the memory access privileges of the code running inside a zone, preventing it from arbitrarily accessing memory allocated to the normal world, other zones, and the secure monitor.

Composable Cachelets described a new partitioned last-level cache architecture, where isolated cache sections (cachelets) are allocated to secure enclaves to make caches an integral part of a TEE system and stop side-channel attacks. Cache partitioning is performed by both ways and sets, partitioning decisions are tied to enclave operations, and cachelets can be dynamically combined to create larger partitions for performance reasons. The small size of individual cachelets supports scalability, which is an important factor in cloud computing environments. Importantly, the authors also introduced a formal security model based on the operational semantics of caches and memory systems.
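As an added illustration (not the paper's design or code), the following Python toy models a last-level cache carved into cachelets by sets and ways, ties allocation and release to enclave creation and teardown, lets an enclave combine several cachelets for capacity, and shows that a noisy neighbour thrashing its own partition cannot evict the lines of an enclave that shares the same sets. The `Cachelet` and `PartitionedLLC` names, the 64-byte line size and the address-to-set mapping are assumptions of the toy.

```python
"""Toy model of a set- and way-partitioned last-level cache built from cachelets.

Constructed illustration, not the paper's design: a cachelet is a rectangle of
(sets x ways); an enclave may own several cachelets (combined for capacity);
lookups and evictions are confined to the owning enclave's rectangles, so one
enclave can neither observe nor evict another enclave's lines. The address-to-set
mapping and the 64-byte line size are assumptions of the toy.
"""

LINE_BITS = 6  # 64-byte cache lines (assumption)


class Cachelet:
    """Half-open ranges [set_lo, set_hi) x [way_lo, way_hi)."""

    def __init__(self, set_lo, set_hi, way_lo, way_hi):
        self.sets = range(set_lo, set_hi)
        self.ways = range(way_lo, way_hi)


class PartitionedLLC:
    def __init__(self, num_sets=16, num_ways=8):
        self.num_sets, self.num_ways = num_sets, num_ways
        # lines[s][w] = (owner, tag, last_use_tick) or None when empty
        self.lines = [[None] * num_ways for _ in range(num_sets)]
        self.owner_of = {}   # (set, way) -> enclave id; absent = unallocated
        self.enclaves = {}   # enclave id -> {set: [ways it may use]}
        self.tick = 0

    def allocate(self, enclave, cachelet):
        """Partitioning is tied to enclave operations: a cachelet is granted on
        enclave creation or growth, and must not overlap anyone else's lines."""
        for s in cachelet.sets:
            for w in cachelet.ways:
                if (s, w) in self.owner_of:
                    raise ValueError(f"set {s} way {w} already owned by "
                                     f"{self.owner_of[(s, w)]}")
        ways_by_set = self.enclaves.setdefault(enclave, {})
        for s in cachelet.sets:
            for w in cachelet.ways:
                self.owner_of[(s, w)] = enclave
                ways_by_set.setdefault(s, []).append(w)

    def destroy(self, enclave):
        """Enclave teardown flushes and releases every line it owned."""
        for (s, w), owner in list(self.owner_of.items()):
            if owner == enclave:
                self.lines[s][w] = None
                del self.owner_of[(s, w)]
        self.enclaves.pop(enclave, None)

    def capacity(self, enclave):
        """Number of lines the enclave can hold across all its cachelets."""
        return sum(len(ws) for ws in self.enclaves[enclave].values())

    def access(self, enclave, addr):
        """Return True on a hit. The set index is drawn only from the enclave's
        own sets and the eviction victim only from its own ways."""
        self.tick += 1
        ways_by_set = self.enclaves[enclave]
        tag = addr >> LINE_BITS
        my_sets = sorted(ways_by_set)
        s = my_sets[tag % len(my_sets)]   # toy address-to-set mapping
        ways = ways_by_set[s]
        for w in ways:
            line = self.lines[s][w]
            if line is not None and line[1] == tag:
                self.lines[s][w] = (enclave, tag, self.tick)   # refresh LRU
                return True
        # Miss: fill an empty way, else evict the enclave's own LRU line.
        victim = next((w for w in ways if self.lines[s][w] is None), None)
        if victim is None:
            victim = min(ways, key=lambda w: self.lines[s][w][2])
        self.lines[s][victim] = (enclave, tag, self.tick)
        return False


def isolation_demo(flood_lines=10_000):
    """Enclave A and a noisy neighbour B share sets 0-7 but own disjoint ways.
    Returns how many of A's lines still hit after B floods its own partition."""
    llc = PartitionedLLC(num_sets=16, num_ways=8)
    llc.allocate("A", Cachelet(0, 8, 0, 4))   # sets 0-7, ways 0-3
    llc.allocate("B", Cachelet(0, 8, 4, 8))   # sets 0-7, ways 4-7
    working_set = [i * 64 for i in range(8)]  # one line per set for A
    for addr in working_set:
        llc.access("A", addr)                  # cold misses fill A's ways
    for j in range(flood_lines):
        llc.access("B", 0x1000_0000 + j * 64)  # B thrashes its own ways only
    return sum(llc.access("A", addr) for addr in working_set)


if __name__ == "__main__":
    print("A lines surviving B's flood:", isolation_demo())  # 8 of 8
```

Because a cachelet is checked for overlap at allocation time and released on `destroy`, the model also captures the "decisions tied to enclave operations" property: no lookup path ever consults a line outside the caller's own rectangles, which is the invariant a formal model of such a cache would state.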

Don’t Mesh Around studied side-channel attacks on the mesh interconnect in server-class Intel processors, and also considered possible mitigation strategies against such attacks. The authors reverse-engineered the lane scheduling and priority arbitration policies of the mesh interconnect to understand the conditions under which contention-based attacks are possible. They then demonstrated the feasibility of side-channel attacks that leak secret keys using this contention. Finally, they proposed a scheduler-based mitigation based on the observation that the placement of victims and attackers across the cores can significantly impact the channel's effectiveness.

LightEnclave considered the use of Intel MPK (Memory Protection Keys) to support efficient intra-enclave isolation in SGX-based systems. While MPK partitions the address space into multiple memory domains, the trust models of MPK and SGX are incompatible by design. The proposed solution is based on extensions to existing SGX hardware to incorporate MPK securely and allow multiple light-enclaves to be isolated within one SGX enclave. SecSMT presented a comprehensive analysis of SMT processors in terms of their vulnerability to contention-based side-channel attacks. The authors also discussed a set of unified mitigation strategies that can be deployed to address this information leakage.

Double Trouble considered attacks on non-inclusive caches in a system equipped with domain-specific accelerators. The authors developed a novel approach for accelerators to find cache eviction sets, and leveraged precise double-sided control over cache lines to expose undocumented behavior in non-inclusive cache hierarchies. The accelerator can efficiently evict shared targets with tiny eviction sets, refuting the common assumption that eviction sets must be as large as the cache associativity.

Half-Double presented a variation of Rowhammer attacks that targets rows beyond the immediate neighbors of the victim row. In particular, errors in a victim row can be generated by combining a few accesses to a row neighboring the victim with many accesses to a row adjacent to that neighbor. Cumulatively, this causes sufficient disturbance in the victim row to induce bit flips. Retbleed demonstrated a new Spectre-style attack that leaks arbitrary kernel memory on fully patched Intel and AMD systems, questioning the efficacy of defenses such as retpoline. Unlike previous return-based Spectre attacks, Retbleed exploits return instructions to gain arbitrary kernel-level speculative code execution by targeting the BTB instead of the RSB.
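As an added illustration of the Half-Double point (not the paper's experiments, and using no real DRAM parameters), the following Python toy accumulates a made-up disturbance weight on rows at distance one and two from each activated row, and compares a counter-based preventive refresh that guards only immediate neighbours against one that also reaches distance-two rows. The pattern names, weights, threshold and budget are constructed; what the model shows is that a neighbour-only guard is blind to a pattern that mostly activates the row two away, while a distance-two guard catches it.

```python
"""Toy model of Rowhammer disturbance and counter-based preventive refresh.

Constructed illustration, not the paper's experiments: each activation of an
aggressor row adds a made-up disturbance weight to rows at distance 1 and 2
(WEIGHT), and a row "flips" once its accumulated disturbance reaches THRESHOLD
without an intervening refresh. The optional mitigation counts activations per
row and, when a row reaches BUDGET activations, refreshes its neighbours out to
guard_distance. All numbers are illustrative; they are not DRAM parameters.
"""

WEIGHT = {1: 1.0, 2: 0.05}   # disturbance per activation, by row distance (assumed)
THRESHOLD = 100.0            # disturbance at which a row flips (assumed)
BUDGET = 50                  # activations before preventive refresh fires (assumed)


class DramBank:
    def __init__(self, rows, guard_distance, budget=None):
        self.rows = rows
        self.guard = guard_distance        # how far a preventive refresh reaches
        self.budget = budget               # None disables the mitigation
        self.disturbance = [0.0] * rows
        self.activations = [0] * rows
        self.flipped = set()

    def refresh(self, row):
        if 0 <= row < self.rows:
            self.disturbance[row] = 0.0

    def activate(self, aggressor):
        self.activations[aggressor] += 1
        for dist, weight in WEIGHT.items():
            for victim in (aggressor - dist, aggressor + dist):
                if 0 <= victim < self.rows:
                    self.disturbance[victim] += weight
                    if self.disturbance[victim] >= THRESHOLD:
                        self.flipped.add(victim)
        # Counter-based mitigation: refresh every row within guard distance.
        if self.budget is not None and self.activations[aggressor] >= self.budget:
            self.activations[aggressor] = 0
            for d in range(1, self.guard + 1):
                self.refresh(aggressor - d)
                self.refresh(aggressor + d)


def single_sided(bank, victim, n=200):
    """Classic pattern: activate only the immediate neighbour."""
    for _ in range(n):
        bank.activate(victim + 1)
    return victim in bank.flipped


def far_only(bank, victim, n=1600):
    """Activate only the row at distance two; too weak on its own in this model."""
    for _ in range(n):
        bank.activate(victim + 2)
    return victim in bank.flipped


def half_double(bank, victim, rounds=40, far_per_round=40):
    """Many activations of the distance-2 row plus a few of the distance-1 row."""
    near, far = victim + 1, victim + 2
    for _ in range(rounds):
        for _ in range(far_per_round):
            bank.activate(far)
        bank.activate(near)
    return victim in bank.flipped


def compare(victim=10, rows=32):
    """Run each pattern against no mitigation, a neighbour-only (distance-1)
    guard, and a distance-2 guard. Returns {mitigation: {pattern: flipped?}}."""
    configs = [("none", 0, None), ("guard-1", 1, BUDGET), ("guard-2", 2, BUDGET)]
    patterns = [single_sided, far_only, half_double]
    return {
        label: {p.__name__: p(DramBank(rows, guard, budget), victim) for p in patterns}
        for label, guard, budget in configs
    }


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(label, outcome)
```

In the model the distance-1 guard stops the classic single-sided pattern (the neighbour's counter trips and the victim is refreshed) but not the combined pattern, because the heavily activated row is two away from the victim and the lightly activated neighbour never reaches the budget; extending the guard to distance two closes that gap. The numbers are arbitrary, so the example says nothing about real thresholds, only about which rows a counter-based defence has to consider.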

ÆPIC Leak described a new exploit that leaks stale data from the CPU microarchitecture without relying on side channels. Specifically, the authors discovered that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not properly initialized. As a result, architecturally reading these registers returns stale data from the CPU microarchitecture and allows reading any data transferred between the L2 cache and the last-level cache. This discovery led to an end-to-end attack extracting AES-NI, RSA, and even the Intel SGX attestation keys from enclaves within a few seconds.

While the format of this blog only allowed us to overview one security conference (due to the sheer number of relevant papers), other security conferences also had interesting contributions. 2022 has not disappointed in terms of the volume and quality of new ideas in this area, and we are looking forward to more in 2023!

About the author: Dmitry Ponomarev is a Professor and Associate Chair in the Department of Computer Science at Binghamton University. His research interests are in computer architecture and security.

Disclaimer: These posts are written by individual contributors to share their thoughts on the Computer Architecture Today blog for the benefit of the community. Any views or opinions represented in this blog are personal, belong solely to the blog author and do not represent those of ACM SIGARCH or its parent organization, ACM.