IChannels: Exploiting Current Management Mechanisms to Create Covert Channels in Modern Processors

To operate efficiently across a wide range of workloads with varying power requirements, a modern processor applies different current management mechanisms, which briefly throttle instruction execution while they adjust voltage and frequency to accommodate for power-hungry instructions (PHIs) in the instruction stream. Doing so 1) reduces the power consumption of non-PHI instructions in typical workloads and 2) optimizes system voltage regulators’ cost and area for the common use case while limiting current consumption when executing PHIs.However, these mechanisms may compromise a system’s confidentiality guarantees. In particular, we observe that multilevel side-effects of throttling mechanisms, due to PHI-related current management mechanisms, can be detected by two different software contexts (i.e., sender and receiver) running on 1) the same hardware thread, 2) co-located Simultaneous Multi-Threading (SMT) threads, and 3) different physical cores.Based on these new observations on current management mechanisms, we develop a new set of covert channels, IChannels, and demonstrate them in real modern Intel processors (which span more than 70% of the entire client and server processor market). Our analysis shows that IChannels provides more than 24× the channel capacity of state-of-the-art power management covert channels. We propose practical and effective mitigations to each covert channel in IChannels by leveraging the insights we gain through a rigorous characterization of real systems.

[1]  Michael L. Scott,et al.  IskiOS: Lightweight Defense Against Kernel-Level Code-Reuse Attacks , 2019, ArXiv.

[2]  Mark Horowitz,et al.  Energy dissipation in general purpose microprocessors , 1996, IEEE J. Solid State Circuits.

[3]  Dean M. Tullsen,et al.  Simultaneous multithreading: Maximizing on-chip parallelism , 1995, Proceedings 22nd Annual International Symposium on Computer Architecture.

[4]  Onur Mutlu,et al.  Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques , 2020, 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA).

[5]  Teja Singh,et al.  3.2 Zen: A next-generation high-performance ×86 core , 2017, 2017 IEEE International Solid-State Circuits Conference (ISSCC).

[6]  Kay Römer,et al.  Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud , 2017, NDSS.

[7]  Todd M. Austin,et al.  Regaining lost cycles with HotCalls: A fast interface for SGX secure enclaves , 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[8]  P. Andry,et al.  Characterization of micro-bump C4 interconnects for Si-carrier SOP applications , 2006, 56th Electronic Components and Technology Conference 2006.

[9]  Michael D. Smith,et al.  Voltage Smoothing: Characterizing and Mitigating Voltage Noise in Production Processors via Software-Guided Thread Scheduling , 2010, 2010 43rd Annual IEEE/ACM International Symposium on Microarchitecture.

[10]  Margaret Martonosi,et al.  Dynamic thermal management for high-performance microprocessors , 2001, Proceedings HPCA Seventh International Symposium on High-Performance Computer Architecture.

[11]  Ashish Khanna,et al.  Broadwell: A family of IA 14nm processors , 2015, 2015 Symposium on VLSI Circuits (VLSI Circuits).

[12]  Valerio Schiavoni,et al.  Security, Performance and Energy Trade-Offs of Hardware-Assisted Memory Protection Mechanisms , 2018, 2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS).

[13]  Ran Ginosar,et al.  Compiler-Directed Power Management for Superscalars , 2014, ACM Trans. Archit. Code Optim..

[14]  Corey Gough,et al.  CPU Power Management , 2015 .

[15]  Meeta Sharma Gupta,et al.  Voltage emergency prediction: Using signatures to reduce operating margins , 2009, 2009 IEEE 15th International Symposium on High Performance Computer Architecture.

[16]  Jakub Szefer,et al.  C3APSULe: Cross-FPGA Covert-Channel Attacks through Power Supply Unit Leakage , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[17]  Marcelo Yuffe,et al.  4.1 14nm 6th-generation Core processor SoC with low power consumption and improved performance , 2016, 2016 IEEE International Solid-State Circuits Conference (ISSCC).

[18]  Sean White,et al.  ‘Zeppelin’: An SoC for multichip architectures , 2018, 2018 IEEE International Solid - State Circuits Conference - (ISSCC).

[19]  Avi Mendelson,et al.  Fine-Grain Power Breakdown of Modern Out-of-Order Cores and Its Implications on Skylake-Based Systems , 2016, ACM Trans. Archit. Code Optim..

[20]  Selçuk Köse,et al.  POWERT Channels: A Novel Class of Covert CommunicationExploiting Power Management Vulnerabilities , 2019, 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[21]  Simha Sethumadhavan,et al.  Blacklist Core: Machine-Learning Based Dynamic Operating-Performance-Point Blacklisting for Mitigating Power-Management Security Attacks , 2018, ISLPED.

[22]  A.V. Peterchev,et al.  Load-Line Regulation With Estimated Load-Current Feedforward: Application to Microprocessor Voltage Regulators , 2006, IEEE Transactions on Power Electronics.

[23]  Andrew B. Kahng,et al.  TAP: token-based adaptive power gating , 2012, ISLPED '12.

[24]  Chidhambaranathan Rajamanikkam,et al.  Catching the Flu: Emerging threats from a third party power management unit , 2016, 2016 53nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[25]  Efraim Rotem,et al.  Inside 6th gen Intel® Core™: New microarchitecture code named skylake , 2016, 2016 IEEE Hot Chips 28 Symposium (HCS).

[26]  Cristiano Giuffrida,et al.  TRRespass: Exploiting the Many Sides of Target Row Refresh , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[27]  Magdy A. Bayoumi,et al.  An effective staggered-phase damping technique for suppressing power-gating resonance noise during mode transition , 2009, 2009 10th International Symposium on Quality Electronic Design.

[28]  Avi Mendelson,et al.  A Comprehensive Evaluation of Power Delivery Schemes for Modern Microprocessors , 2019, 20th International Symposium on Quality Electronic Design (ISQED).

[29]  Christian Piguet,et al.  Low-power CMOS circuits - technology, logic design and CAD tools , 2005 .

[30]  Zhenyu Wu,et al.  Whispers in the Hyper-Space: High-Bandwidth and Reliable Covert Channel Attacks Inside the Cloud , 2015, IEEE/ACM Transactions on Networking.

[31]  Mordechai Guri,et al.  PowerHammer: Exfiltrating Data From Air-Gapped Computers Through Power Lines , 2018, IEEE Transactions on Information Forensics and Security.

[32]  Efraim Rotem,et al.  Power and thermal constraints of modern system-on-a-chip computer , 2013, 19th International Workshop on Thermal Investigations of ICs and Systems (THERMINIC).

[33]  Hubert Ritzdorf Analyzing Covert Channels on Mobile Devices , 2012 .

[34]  Margaret Martonosi,et al.  Control techniques to eliminate voltage emergencies in high performance processors , 2003, The Ninth International Symposium on High-Performance Computer Architecture, 2003. HPCA-9 2003. Proceedings..

[35]  Kevin J. Nowka,et al.  Power gating with multiple sleep modes , 2006, 7th International Symposium on Quality Electronic Design (ISQED'06).

[36]  Fabrice Paillet,et al.  FIVR — Fully integrated voltage regulators on 4th generation Intel® Core™ SoCs , 2014, 2014 IEEE Applied Power Electronics Conference and Exposition - APEC 2014.

[37]  Varghese George,et al.  Power management of the third generation intel core micro architecture formerly codenamed ivy bridge , 2012, 2012 IEEE Hot Chips 24 Symposium (HCS).

[38]  Karthick Rajamani,et al.  Thermal response to DVFS: analysis with an Intel Pentium M , 2007, Proceedings of the 2007 international symposium on Low power electronics and design (ISLPED '07).

[39]  F.C. Lee,et al.  A novel input-side current sensing method to achieve AVP for future VRs , 2005, Twentieth Annual IEEE Applied Power Electronics Conference and Exposition, 2005. APEC 2005..

[40]  Ümit Y. Ogras,et al.  Predictive dynamic thermal and power management for heterogeneous mobile platforms , 2015, 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[41]  Nam Sung Kim,et al.  Low-Cost Per-Core Voltage Domain Support for Power-Constrained High-Performance Processors , 2014, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[42]  Baki Berkay Yilmaz,et al.  A New Side-Channel Vulnerability on Modern Computers by Exploiting Electromagnetic Emanations from the Power Management Unit , 2020, 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[43]  Salvatore J. Stolfo,et al.  CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management , 2017, USENIX Security Symposium.

[44]  Martin Schwarzl,et al.  NetSpectre: Read Arbitrary Memory over Network , 2018, ESORICS.

[45]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[46]  Gu-Yeon Wei,et al.  Reducing power loss, cost and complexity of soc power delivery using integrated 3-level voltage regulators , 2013 .

[47]  Kevin G. Stawiasz,et al.  5.2 Distributed system of digitally controlled microregulators enabling per-core DVFS for the POWER8TM microprocessor , 2014, 2014 IEEE International Solid-State Circuits Conference Digest of Technical Papers (ISSCC).

[48]  William Jalby,et al.  Evaluation of CPU frequency transition latency , 2014, Computer Science - Research and Development.

[49]  Wei Chen,et al.  SkyLake-SP: A 14nm 28-Core xeon® processor , 2018, 2018 IEEE International Solid - State Circuits Conference - (ISSCC).

[50]  Wei Zhang,et al.  SGXlinger: A New Side-Channel Attack Vector Based on Interrupt Latency Against Enclave Execution , 2018, 2018 IEEE 36th International Conference on Computer Design (ICCD).

[51]  Mathias Gottschlag,et al.  TurboCC: A Practical Frequency-Based Covert Channel With Intel Turbo Boost , 2020, ArXiv.

[52]  Ruby B. Lee,et al.  Covert and Side Channels Due to Processor Architecture , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[53]  Kevin Skadron,et al.  Architecture implications of pads as a scarce resource , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[54]  Song Huang,et al.  Measurement and characterization of Haswell power and energy consumption , 2015, E2SC '15.

[55]  Onur Mutlu,et al.  RowHammer: A Retrospective , 2019, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[56]  Stéphan Jourdan,et al.  Haswell: The Fourth-Generation Intel Core Processor , 2014, IEEE Micro.

[57]  Andrew B. Kahng,et al.  Many-Core Token-Based Adaptive Power Gating , 2013, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[58]  Shay Gueron,et al.  A Memory Encryption Engine Suitable for General Purpose Processors , 2016, IACR Cryptol. ePrint Arch..

[59]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[60]  Yuval Yarom,et al.  RAMBleed: Reading Bits in Memory Without Accessing Them , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[61]  Patrik Larsson,et al.  di/dt Noise in CMOS Integrated Circuits , 1997 .

[62]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[63]  William J. Bowhill,et al.  Power management in the Intel Xeon E5 v3 , 2015, 2015 IEEE/ACM International Symposium on Low Power Electronics and Design (ISLPED).

[64]  Alon Naveh,et al.  Power management architecture of the 2nd generation Intel® Core microarchitecture, formerly codenamed Sandy Bridge , 2011, IEEE Hot Chips Symposium.

[65]  John Paul Shen,et al.  Best of both latency and throughput , 2004, IEEE International Conference on Computer Design: VLSI in Computers and Processors, 2004. ICCD 2004. Proceedings..

[66]  Avi Mendelson,et al.  FlexWatts: A Power- and Workload-Aware Hybrid Power Delivery Network for Energy-Efficient Microprocessors , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[67]  Avi Mendelson,et al.  Power Management of Modern Processors , 2018 .

[68]  Pradip Bose,et al.  Microarchitectural techniques for power gating of execution units , 2004, Proceedings of the 2004 International Symposium on Low Power Electronics and Design (IEEE Cat. No.04TH8758).

[69]  James Tschanz,et al.  Postsilicon Voltage Guard-Band Reduction in a 22 nm Graphics Execution Core Using Adaptive Voltage Scaling and Dynamic Power Gating , 2017, IEEE Journal of Solid-State Circuits.

[70]  Efraim Rotem,et al.  Power-Management Architecture of the Intel Microarchitecture Code-Named Sandy Bridge , 2012, IEEE Micro.

[71]  Jonathan K. Millen,et al.  Covert Channel Capacity , 1987, 1987 IEEE Symposium on Security and Privacy.

[72]  Stefan Mangard,et al.  DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks , 2015, USENIX Security Symposium.

[73]  Milos Doroslovacki,et al.  DFS covert channels on multi-core platforms , 2017, 2017 IFIP/IEEE International Conference on Very Large Scale Integration (VLSI-SoC).

[74]  Chien-Hung Tsai,et al.  Switching Frequency Stabilization Techniques for Adaptive On-Time Controlled Buck Converter With Adaptive Voltage Positioning Mechanism , 2016, IEEE Transactions on Power Electronics.

[75]  Gaël Pillonnet,et al.  LDO-Assisted Voltage Selector Over 0.5-to-1V VDD Range for Fine Grained DVS in FDSOI 28nm with 200ns/V Controlled Transition , 2018, ESSCIRC 2018 - IEEE 44th European Solid State Circuits Conference (ESSCIRC).

[76]  Joseph Shor,et al.  Dual-Mode Low-Drop-Out Regulator/Power Gate With Linear and On–Off Conduction for Microprocessor Core On-Die Supply Voltages in 14 nm , 2016, IEEE Journal of Solid-State Circuits.

[77]  Onur Mutlu,et al.  SysScale: Exploiting Multi-domain Dynamic Voltage and Frequency Scaling for Energy Efficient Mobile Processors , 2020, 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA).

[78]  Onur Mutlu,et al.  Techniques for Reducing the Connected-Standby Energy Consumption of Mobile Devices , 2020, 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[79]  Thomas Ilsche,et al.  An Energy Efficiency Feature Survey of the Intel Haswell Processor , 2015, 2015 IEEE International Parallel and Distributed Processing Symposium Workshop.

[80]  Frank Piessens,et al.  Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic , 2018, CCS.

[81]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .