A New Side-Channel Vulnerability on Modern Computers by Exploiting Electromagnetic Emanations from the Power Management Unit

This paper presents a new micro-architectural vulnerability on the power management units of modern computers which creates an electromagnetic-based side-channel. The key observations that enable us to discover this sidechannel are: 1) in an effort to manage and minimize power consumption, modern microprocessors have a number of possible operating modes (power states) in which various sub-systems of the processor are powered down, 2) for some of the transitions between power states, the processor also changes the operating mode of the voltage regulator module (VRM) that supplies power to the affected sub-system, and 3) the electromagnetic (EM) emanations from the VRM are heavily dependent on its operating mode. As a result, these state-dependent EM emanations create a side-channel which can potentially reveal sensitive information about the current state of the processor and, more importantly, the programs currently being executed. To demonstrate the feasibility of exploiting this vulnerability, we create a covert channel by utilizing the changes in the processor's power states. We show how such a covert channel can be leveraged to exfiltrate sensitive information from a secured and completely isolated (air-gapped) laptop system by placing a compact, inexpensive receiver in proximity to that system. To further show the severity of this attack, we also demonstrate how such a covert channel can be established when the target and the receiver are several meters away from each other, including scenarios where the receiver and the target are separated by a wall. Compared to the state-of-the-art, the proposed covert channel has >3x higher bit-rate. Finally, to demonstrate that this new vulnerability is not limited to being used as a covert channel, we demonstrate how it can be used for attacks such as keystroke logging.

[1]  Milos Prvulovic,et al.  One&Done: A Single-Decryption EM-Based Attack on OpenSSL's Constant-Time Blinded RSA , 2018, USENIX Security Symposium.

[2]  Hua Liu,et al.  Watch Me, but Don't Touch Me! Contactless Control Flow Monitoring via Electromagnetic Emanations , 2017, CCS.

[3]  Selçuk Köse,et al.  Converter-Gating: A Power Efficient and Secure On-Chip Power Delivery System , 2014, IEEE Journal on Emerging and Selected Topics in Circuits and Systems.

[4]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[5]  Nael B. Abu-Ghazaleh,et al.  Understanding and Mitigating Covert Channels Through Branch Predictors , 2016, ACM Trans. Archit. Code Optim..

[6]  Zhenyu Wu,et al.  Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[7]  Nitesh Saxena,et al.  Acoustic Eavesdropping Attacks on Constrained Wireless Device Pairing , 2013, IEEE Transactions on Information Forensics and Security.

[8]  Paolo Ienne,et al.  A first step towards automatic application of power analysis countermeasures , 2011, 2011 48th ACM/EDAC/IEEE Design Automation Conference (DAC).

[9]  Yunhao Liu,et al.  Context-free Attacks Using Keyboard Acoustic Emanations , 2014, CCS.

[10]  Eric Cole,et al.  Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization , 2012 .

[11]  Sanu Mathew,et al.  Improved power side channel attack resistance of a 128-bit AES engine with random fast voltage dithering , 2017, ESSCIRC 2017 - 43rd IEEE European Solid State Circuits Conference.

[12]  Mordechai Guri,et al.  GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies , 2015, USENIX Security Symposium.

[13]  Yuval Yarom,et al.  ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels , 2016, IACR Cryptol. ePrint Arch..

[14]  Scott Shenker,et al.  Scheduling for reduced CPU energy , 1994, OSDI '94.

[15]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[16]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[17]  Stefan Mangard,et al.  KeyDrown: Eliminating Software-Based Keystroke Timing Side-Channel Attacks , 2018, NDSS.

[18]  Adi Shamir,et al.  RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis , 2014, CRYPTO.

[19]  Chih-Wen Liu,et al.  A Novel Phase-Shedding Control Scheme for Improved Light Load Efficiency of Multiphase Interleaved DC–DC Converters , 2013, IEEE Transactions on Power Electronics.

[20]  Arie Yeredor,et al.  IDEA: Intrusion Detection through Electromagnetic-Signal Analysis for Critical Embedded and Cyber-Physical Systems , 2019, IEEE Transactions on Dependable and Secure Computing.

[21]  Wenyuan Xu,et al.  WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices , 2013, HealthTech.

[22]  Dmitry V. Ponomarev,et al.  Covert Channels through Random Number Generator: Mechanisms, Capacity Estimation and Mitigations , 2016, CCS.

[23]  Milos Prvulovic,et al.  Syndrome: Spectral analysis for anomaly detection on medical IoT and embedded devices , 2018, 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[24]  Srdjan Capkun,et al.  Thermal Covert Channels on Multi-core Platforms , 2015, USENIX Security Symposium.

[25]  Chidhambaranathan Rajamanikkam,et al.  Catching the Flu: Emerging threats from a third party power management unit , 2016, 2016 53nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[26]  Yossef Oren,et al.  How to Phone Home with Someone Else's Phone: Information Exfiltration Using Intentional Sound Noise on Gyroscopic Sensors , 2016, WOOT.

[27]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[28]  Milos Prvulovic,et al.  REMOTE: Robust External Malware Detection Framework by Using Electromagnetic Signals , 2020, IEEE Transactions on Computers.

[29]  Yang Su,et al.  USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs , 2017, USENIX Security Symposium.

[30]  Milos Doroslovacki,et al.  DFS covert channels on multi-core platforms , 2017, 2017 IFIP/IEEE International Conference on Very Large Scale Integration (VLSI-SoC).

[31]  Mordechai Guri,et al.  AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies , 2014, 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE).

[32]  Angelos D. Keromytis,et al.  The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications , 2015, CCS.

[33]  Selçuk Köse,et al.  POWERT Channels: A Novel Class of Covert CommunicationExploiting Power Management Vulnerabilities , 2019, 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[34]  Xiangyu Liu,et al.  When Good Becomes Evil: Keystroke Inference with Smartwatch , 2015, CCS.

[35]  T. Salthouse Perceptual, cognitive, and motoric aspects of transcription typing. , 1986, Psychological bulletin.

[36]  John V. Monaco SoK: Keylogging Side Channels , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[37]  Daniel Genkin,et al.  Get your hands off my laptop: physical side-channel key-extraction attacks on PCs , 2015, Journal of Cryptographic Engineering.

[38]  Monodeep Kar,et al.  Reducing Power Side-Channel Information Leakage of AES Engines Using Fully Integrated Inductive Voltage Regulator , 2018, IEEE Journal of Solid-State Circuits.

[39]  Wei Wang,et al.  Keystroke Recognition Using WiFi Signals , 2015, MobiCom.

[40]  Wenyao Xu,et al.  My Smartphone Knows What You Print: Exploring Smartphone-based Side-channel Attacks Against 3D Printers , 2016, CCS.

[41]  Arie Yeredor,et al.  Dictionary attacks using keyboard acoustic emanations , 2006, CCS '06.

[42]  Milos Prvulovic,et al.  Experimental Demonstration of Electromagnetic Information Leakage From Modern Processor-Memory Systems , 2014, IEEE Transactions on Electromagnetic Compatibility.

[43]  Gorka Irazoqui Apecechea,et al.  S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES , 2015, 2015 IEEE Symposium on Security and Privacy.

[44]  Daniel Genkin,et al.  Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation , 2015, CHES.

[45]  Stefan Mangard,et al.  Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches , 2015, USENIX Security Symposium.

[46]  Catherine H. Gebotys,et al.  EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA , 2005, CHES.

[47]  Antti Oulasvirta,et al.  How We Type: Movement Strategies and Performance in Everyday Typing , 2016, CHI.

[48]  Wenyuan Xu,et al.  On Code Execution Tracking via Power Side-Channel , 2016, CCS.

[49]  Harold Joseph Highland,et al.  Electromagnetic radiation revisited , 1986, Computers & security.

[50]  Sanu Mathew,et al.  Blindsight: Blinding EM Side-Channel Leakage using Built-In Fully Integrated Inductive Voltage Regulator , 2018, ArXiv.

[51]  Yingtao Jiang,et al.  Improving the efficiency of thermal covert channels in multi-/many-core systems , 2018, 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[52]  Pepe Vila,et al.  Loophole: Timing Attacks on Shared Event Loops in Chrome , 2017, USENIX Security Symposium.

[53]  Dakshi Agrawal,et al.  The EM Side-Channel(s) , 2002, CHES.

[54]  Milos Doroslovacki,et al.  Are Coherence Protocol States Vulnerable to Information Leakage? , 2018, 2018 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[55]  Rakesh Agrawal,et al.  Keyboard acoustic emanations , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[56]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[57]  Stefan Mangard,et al.  ARMageddon: Cache Attacks on Mobile Devices , 2015, USENIX Security Symposium.

[58]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[59]  Youngkook Ahn,et al.  A Multiphase Buck Converter With a Rotating Phase-Shedding Scheme For Efficient Light-Load Control , 2014, IEEE Journal of Solid-State Circuits.

[60]  Wenyuan Xu,et al.  Current Events: Identifying Webpages by Tapping the Electrical Outlet , 2013, ESORICS.

[61]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[62]  Martin Vuagnoux,et al.  Compromising Electromagnetic Emanations of Wired and Wireless Keyboards , 2009, USENIX Security Symposium.

[63]  David Naccache,et al.  Temperature Attacks , 2009, IEEE Security & Privacy.

[64]  Nael B. Abu-Ghazaleh,et al.  BranchScope: A New Side-Channel Attack on Directional Branch Predictor , 2018, ASPLOS.

[65]  Mordechai Guri,et al.  USBee: Air-gap covert-channel via electromagnetic emission from USB , 2016, 2016 14th Annual Conference on Privacy, Security and Trust (PST).

[66]  Milos Prvulovic,et al.  A Method for Finding Frequency-Modulated and Amplitude-Modulated Electromagnetic Emanations in Computer Systems , 2017, IEEE Transactions on Electromagnetic Compatibility.

[67]  Santosh Ghosh,et al.  ASNI: Attenuated Signature Noise Injection for Low-Overhead Power Side-Channel Attack Immunity , 2018, IEEE Transactions on Circuits and Systems I: Regular Papers.

[68]  Ryan Kastner,et al.  Hiding Intermittent Information Leakage with Architectural Support for Blinking , 2018, 2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA).

[69]  David Blaauw,et al.  Secure AES engine with a local switched-capacitor current equalizer , 2009, 2009 IEEE International Solid-State Circuits Conference - Digest of Technical Papers.

[70]  Haider Adnan Khan,et al.  EMMA: Hardware/Software Attestation Framework for Embedded Systems Using Electromagnetic Signals , 2019, MICRO.

[71]  Thomas P. Hayes,et al.  Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers , 2018, CCS.

[72]  Marco A. Antoniades,et al.  Sensing CPU Voltage Noise Through Electromagnetic Emanations , 2018, IEEE Computer Architecture Letters.

[73]  Alessandro Orso,et al.  Zero-overhead profiling via EM emanations , 2016, ISSTA.

[74]  Milos Prvulovic,et al.  A Practical Methodology for Measuring the Side-Channel Signal Available to the Attacker for Instruction-Level Events , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[75]  Salvatore J. Stolfo,et al.  CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management , 2017, USENIX Security Symposium.

[76]  Milos Prvulovic,et al.  EDDIE: EM-based detection of deviations in program execution , 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[77]  Michael Hanspach,et al.  On Covert Acoustical Mesh Networks in Air , 2014, J. Commun..

[78]  Srinivas Devadas,et al.  DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors , 2018, 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[79]  Nael B. Abu-Ghazaleh,et al.  Rendered Insecure: GPU Side Channel Attacks are Practical , 2018, CCS.

[80]  Manfred Pinkal,et al.  Acoustic Side-Channel Attacks on Printers , 2010, USENIX Security Symposium.

[81]  Srikanth V. Krishnamurthy,et al.  Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries , 2019, NDSS.

[82]  Selçuk Köse,et al.  A New Class of Covert Channels Exploiting Power Management Vulnerabilities , 2018, IEEE Computer Architecture Letters.

[83]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[84]  Milos Prvulovic,et al.  FASE: Finding Amplitude-modulated Side-channel Emanations , 2015, 2015 ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA).

[85]  Stefan Mangard,et al.  DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks , 2015, USENIX Security Symposium.

[86]  Herbert Bos,et al.  Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks , 2018, USENIX Security Symposium.

[87]  Yossef Oren,et al.  Sensorless, Permissionless Information Exfiltration with Wi-Fi Micro-Jamming , 2018, WOOT @ USENIX Security Symposium.

[88]  Patrick Traynor,et al.  (sp)iPhone: decoding vibrations from nearby keyboards using mobile phone accelerometers , 2011, CCS '11.

[89]  Nael B. Abu-Ghazaleh,et al.  Spectre Returns! Speculation Attacks Using the Return Stack Buffer , 2018, IEEE Design & Test.

[90]  F.C. Lee,et al.  Light-Load Efficiency Improvement for Buck Voltage Regulators , 2009, IEEE Transactions on Power Electronics.

[91]  Milos Prvulovic,et al.  Spectral profiling: Observer-effect-free profiling by monitoring EM emanations , 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[92]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.