A team of the University of Virginia School of Engineering has found a new approach to side channel attacks on X86 processors. Instead of previous SpectRe attacks on the main memory or the Level 3 cache shared by multiple CPU nuclei, the variation aims for the micro-surgical cache of modern processors. Micro-op caches have been containing all Intel Core I processors since the generation Sandy Bridge (Core I-2000) of 2011 as well as all AMD processors with ZEN microarchitecture since Ryzen 1000. Even server CPUs are affected, ie AMD EPYC and Intel Xeon since 2011. The security researchers baptized their attack technology "I Lake Dead μops".
Decoded micro operations
As micro operations (also called μOps or Uops), it is already decoded operations that can immediately export the calculation mills of a processor core. Micro-op caches accelerate processors considerably by saving thousands of micro operations in very fast SRAM close to the arithmetic. Without detour of the decoder, these instructions are loaded particularly quickly and thus increased the computational speed with a correct jump prediction.
Lying attacks in the waiting area
The research team under Ashish Venkat compares the micro-surgical cache with a hypothetical airport scenario: you could save the presentation of a valued airline ticket on the security control because it goes so faster and the ticket is checked on the gate anyway. In the realitat, however, the ticket must show twice.
In CPU speaking, the passenger is the (harmful) code and the ticket control corresponds to a validation that takes place only later. Although previously charged instructions are rejected when not in use, in the meantime, attackers can be used: inside other processes in the micro-op cache (wait area).
In a proof-of-concept (POC) attack, the researchers show how their technology will overlay the foreclosure programmed by Lfence instructions of different memory address areas. However, this works relatively slowly, so that an attack had to run quite long to browse larger storage areas after sensitive information.
The attack works in particular between two threads, which share the resources of a processor core (simultaneous multi-threading, SMT).
Costly patches
According to the security researchers, the computing power of processors suffer considerably if you take the safety chucks by firm or software, as the micro-surgical cache then could no longer be presented and validated. As with previous SPECTRE security swagen, the procedure requires a superstructure of cache construction that needs to be implemented in hardware with art CPU architectures. A counter-statement that the researchers discuss is the empty (flushing) of the micro-op cache at context changes, as they provide Intel’s Software Guard Extensions (SGX) at RAM Enclaves.
The Team of the University of Virginia School of Engineering consisting of Ashish Venkat, Xida Ren, Logan Moody and Matthew Jordan have made chip manufacturers at the attack vector in April 2021. In June 2021, you want to introduce this as part of the International Symposium on Computer Architecture (ISCA).
Expensive attack
A CVE number is available for "I Lake Dead μops" not yet. The attack technology is very complicated and threatens mainly cloud servers on which potentially virtual virtual machines and containers with malware parallel to other VMs and containers with protective data can be started. In typical PCs and notebooks, there are usually easy usable vulnerabilities, which is why "I Lake Dead μops" the security risk in these systems could not increase significant.