TurboCC: A Practical Frequency-Based Covert Channel With Intel Turbo Boost

Covert channels are communication channels used by attackers to transmit information from a compromised system when the access control policy of the system does not allow doing so. Previous work has shown that CPU frequency scaling can be used as a covert channel to transmit information between otherwise isolated processes. Modern systems either try to save power or try to operate near their power limits in order to maximize performance, so they implement mechanisms to vary the frequency based on load. Existing covert channels based on this approach are either easily thwarted by software countermeasures or only work on completely idle systems. In this paper, we show how the automatic frequency scaling provided by Intel Turbo Boost can be used to construct a covert channel that is both hard to prevent without significant performance impact and can tolerate significant background system load. As Intel Turbo Boost selects the maximum CPU frequency based on the number of active cores, our covert channel modulates information onto the maximum CPU frequency by placing load on multiple additional CPU cores. Our prototype of the covert channel achieves a throughput of up to 61 bit/s on an idle system and up to 43 bit/s on a system with 25% utilization.
