Abstract
Translation Lookaside Buffers, or TLBs, play a vital role in recent microarchitectural attacks. However, unlike CPU caches, we know very little about the exact operation of these essential microarchitectural components. In this paper, we introduce TLB desynchronization as a novel technique for reverse engineering TLB behavior from software. Unlike previous efforts that rely on timing or performance counters, our technique relies on fundamental properties of TLBs, enabling precise and fine-grained experiments. We use desynchronization to shed new light on TLB behavior, examining previously undocumented features such as replacement policies and handling of PCIDs on commodity Intel processors. We also show that such knowledge allows for more and better attacks. Our results reveal a novel replacement policy on the L2 TLB of modern Intel CPUs as well as behavior indicative of a PCID cache. We use our new insights to design adversarial access patterns that massage the TLB state into evicting a target entry in the minimum number of steps, then examine their impact on several classes of prior TLB-based attacks. Our findings enable practical side channels à la TLBleed over L2, with much finer spatial discrimination and at a sampling rate comparable to L1, as well as an even finer-grained variant that targets both levels. We also show substantial speed gains for other classes of attacks that rely on TLB eviction.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 31st USENIX Security Symposium, Security 2022 |
| Publisher | USENIX Association |
| Pages | 989-1006 |
| Number of pages | 18 |
| ISBN (Electronic) | 9781939133311 |
| Publication status | Published - 10 Aug 2022 |
| Event | 31st USENIX Security Symposium, Security 2022 - Boston, United States; Duration: 10 Aug 2022 → 12 Aug 2022 |
Conference
| Conference | 31st USENIX Security Symposium, Security 2022 |
|---|---|
| Country/Territory | United States |
| City | Boston |
| Period | 10/08/22 → 12/08/22 |
Bibliographical note
Funding Information: We thank our shepherd, Michael Schwarz, and the anonymous reviewers for their comments. We also thank Ben Gras for helping with the TLBleed covert channel implementation. This work was supported by the EU's Horizon 2020 research and innovation programme under grant agreement No. 825377 (UNICORE), Intel Corporation through the Side Channel Vulnerability ISRA, and NWO through projects “TROPICS”, “Theseus”, and “Intersect”.
Publisher Copyright:
© USENIX Security Symposium, Security 2022. All rights reserved.