Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks

Ben Gras, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

To stop side channel attacks on CPU caches that have allowed attackers to leak secret information and break basic security mechanisms, the security community has developed a variety of powerful defenses that effectively isolate the security domains. Of course, other shared hardware resources exist, but the assumption is that unlike cache side channels, any channel offered by these resources is insufficiently reliable and too coarse-grained to leak general-purpose information. This is no longer true. In this paper, we revisit this assumption and show for the first time that hardware translation lookaside buffers (TLBs) can be abused to leak fine-grained information about a victim's activity even when CPU cache activity is guarded by state-of-the-art cache side-channel protections, such as CAT and TSX. However, exploiting the TLB channel is challenging, due to unknown addressing functions inside the TLB and the attacker's limited monitoring capabilities which, at best, cover only the victim's coarse-grained data accesses. To address the former, we reverse engineer the previously unknown addressing function in recent Intel processors. To address the latter, we devise a machine learning strategy that exploits high-resolution temporal features about a victim's memory activity. Our prototype implementation, TLBleed, can leak a 256-bit EdDSA secret key from a single capture after 17 seconds of computation time with a 98% success rate, even in presence of state-of-the-art cache isolation. Similarly, using a single capture, TLBleed reconstructs 92% of RSA keys from an implementation that is hardened against FLUSH+RELOAD attacks.

Original languageEnglish
Title of host publicationProceedings of the 27th USENIX Security Symposium
PublisherUSENIX Association
Pages955-972
Number of pages18
ISBN (Electronic)9781939133045
Publication statusPublished - Aug 2018
Event27th USENIX Security Symposium - Baltimore, United States
Duration: 15 Aug 201817 Aug 2018

Conference

Conference27th USENIX Security Symposium
CountryUnited States
CityBaltimore
Period15/08/1817/08/18

Fingerprint Dive into the research topics of 'Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks'. Together they form a unique fingerprint.

  • Cite this

    Gras, B., Razavi, K., Bos, H., & Giuffrida, C. (2018). Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks. In Proceedings of the 27th USENIX Security Symposium (pp. 955-972). USENIX Association.