Reverse Engineering the Stream Prefetcher for Profit

Micro-architectural attacks exploit timing channels at different micro-architecture units. Some of the micro-architecture units like cache automatically provide the timing difference (the difference between a hit and a miss). However, there are other units that are not documented, and their influence on the timing difference is not fully understood. One such micro-architecture unit is an L2 hardware prefetcher named Streamer. In this paper, we reverse-engineer the Stream prefetcher, which is commercially available in the Intel machines. We perform a set of experiments and provide our observations and insights. Further, we use these observations to construct a cross-thread covert channel using the Stream prefetcher, with an accuracy of 91.3% and a bandwidth of 54.44 KBps.

[1]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[2]  Balaram Sinharoy,et al.  POWER4 system microarchitecture , 2002, IBM J. Res. Dev..

[3]  Ji-Hoon Jeong,et al.  Unveiling Hardware-based Data Prefetcher, a Hidden Source of Information Leakage , 2018, CCS.

[4]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[5]  Jean-Loup Baer,et al.  An effective on-chip preloading scheme to reduce data access penalty , 1991, Proceedings of the 1991 ACM/IEEE Conference on Supercomputing (Supercomputing '91).

[6]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[7]  Stefan Mangard,et al.  Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches , 2015, USENIX Security Symposium.

[8]  Chester Rebeiro,et al.  A Formal Security Analysis of Even-Odd Sequential Prefetching in Profiled Cache-Timing Attacks , 2016, HASP 2016.

[9]  Patrick Cronin,et al.  A Fetching Tale: Covert Communication with the Hardware Prefetcher , 2019, 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).