BunnyHop: Exploiting the Instruction Prefetcher

Authors: 

Zhiyuan Zhang, Mingtian Tao, and Sioli O'Connell, The University of Adelaide; Chitchanok Chuengsatiansup, The University of Melbourne; Daniel Genkin, Georgia Tech; Yuval Yarom, The University of Adelaide

Abstract: 

The instruction prefetcher is a microarchitectural component whose task is to bring program code into the instruction cache. To predict which code is likely to be executed, the instruction prefetcher relies on the branch predictor.

In this paper we investigate the instruction prefetcher in modern Intel processors. We first propose BunnyHop, a technique that uses the instruction prefetcher to encode branch prediction information as a cache state. We show how to use BunnyHop to perform low-noise attacks on the branch predictor. Specifically, we show how to implement attacks similar to Flush+Reload and Prime+Probe on the branch predictor instead of on the data caches. We then show that BunnyHop allows using the instruction prefetcher as a confused deputy to force cache eviction within a victim. We use this to demonstrate an attack on an implementation of AES protected with both cache coloring and data prefetch.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {287370,
author = {Zhiyuan Zhang and Mingtian Tao and Sioli O{\textquoteright}Connell and Chitchanok Chuengsatiansup and Daniel Genkin and Yuval Yarom},
title = {{BunnyHop}: Exploiting the Instruction Prefetcher},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {7321--7337},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/zhang-zhiyuan-bunnyhop},
publisher = {USENIX Association},
month = aug
}

Presentation Video