

# **Osiris: Automated Discovery** of Microarchitectural Side Channels

**Daniel Weber**, Ahmad Ibrahim, Hamed Nemati, Michael Schwarz, Christian Rossow August 2021

CISPA Helmholtz Center for Information Security



Microarchitectural timing side channels, e.g., Flush+Reload or Prime+Probe, can be exploited in different scenarios:

• Attack implementations of cryptographic protocols



Microarchitectural timing side channels, e.g., Flush+Reload or Prime+Probe, can be exploited in different scenarios:

- Attack implementations of cryptographic protocols
- As building blocks for transient-execution attacks



Microarchitectural timing side channels, e.g., Flush+Reload or Prime+Probe, can be exploited in different scenarios:

- Attack implementations of cryptographic protocols
- As building blocks for transient-execution attacks



Finding side channels is a labour-intensive and time-consuming process



Microarchitectural timing side channels, e.g., Flush+Reload or Prime+Probe, can be exploited in different scenarios:

- Attack implementations of cryptographic protocols
- As building blocks for transient-execution attacks



Finding side channels is a labour-intensive and time-consuming process

# We **improve** this process **by fuzzing** for side channels!



```
int* probe_memory = malloc(4096);
_mm_clflush(probe_memory)
```

```
// potentially executed victim code
*probe_memory;
```

```
before = time();
*probe_memory;
after = time();
plot(after-before);
```



```
int* probe_memory = malloc(4096);
_mm_clflush(probe_memory)
```

```
// potentially executed victim code
*probe_memory;
```

```
before = time();
*probe_memory;
after = time();
plot(after-before);
```



```
int* probe_memory = malloc(4096);
_mm_clflush(probe_memory)
```

```
// potentially executed victim code
*probe_memory;
```

```
before = time();
*probe_memory;
after = time();
plot(after-before);
```



```
int* probe_memory = malloc(4096);
_mm_clflush(probe_memory)
```

```
// potentially executed victim code
*probe_memory;
```

```
before = time();
*probe_memory;
after = time();
plot(after-before);
```



```
int* probe_memory = malloc(4096);
_mm_clflush(probe_memory)
                                                   1 \cdot 10^{5}
                                                Observations
                                                   50,000
// potentially executed victim code
                                                       0
                                                            50
                                                                     100
                                                                              150
                                                                                       200
*probe_memory;
                                                                  Execution time [cycles]
                                                                          Cache Hit
                                                                          Cache Miss
before = time():
*probe_memory;
after = time();
```

```
plot(after-before);
```

Flush+Reload – Sequence Triple



```
int * probe_memory = malloc(4096);
_mm_clflush(probe_memory)
```



```
// potentially executed victim code
*probe_memory;
```

```
before = time();
*probe_memory;
after = time();
plot(after-before);
```

Flush+Reload – Sequence Triple



int \* probe\_memory = malloc(4096);
\_mm\_clflush(probe\_memory)



// potentially executed victim code
\*probe\_memory;

**Trigger Sequence** 

```
before = time();
*probe_memory;
after = time();
plot(after-before);
```

Flush+Reload – Sequence Triple



int \* probe\_memory = malloc(4096);
\_mm\_clflush(probe\_memory)



// potentially executed victim code
\*probe\_memory;

**Trigger Sequence** 

```
before = time();
*probe_memory;
after = time();
plot(after-before);
```

Measurement Sequence

# **Sequence Triples**















































### Example 1: Seq<sub>measure</sub> = Seq<sub>trigger</sub> = Seq<sub>reset</sub> = INC [mem]





Example 1: Seq<sub>measure</sub> = Seq<sub>trigger</sub> = Seq<sub>reset</sub> = INC [mem]





Example 1: Seq<sub>measure</sub> = Seq<sub>trigger</sub> = Seq<sub>reset</sub> = INC [mem]





Example 1: Seq<sub>measure</sub> = Seq<sub>trigger</sub> = Seq<sub>reset</sub> = INC [mem]





Example 1: Seq<sub>measure</sub> = Seq<sub>trigger</sub> = Seq<sub>reset</sub> = INC [mem]



































### **Osiris – Fuzzing x86 CPUs for Side Channels**





### **Osiris – Fuzzing x86 CPUs for Side Channels**





### **Osiris – Fuzzing x86 CPUs for Side Channels**





# We tested Osiris on **5 different CPUs** (AMD and Intel)





- Runtime of up to  $\sim 4$  days per CPU



- Runtime of up to  $\sim 4$  days per CPU
- < 30 clusters per CPU



- Runtime of up to  $\sim 4$  days per CPU
- $\bullet$  < 30 clusters per CPU
- Found different known and 4 novel side channels



- Runtime of up to  $\sim 4$  days per CPU
- $\bullet$  < 30 clusters per CPU
- Found different known and 4 novel side channels



**RDRAND-Based Side channel** 

#### **Case Studies – RDRAND Covert Channel**





#### **RDRAND Covert Channel Transmission on Ice-Lake**

#### Case Studies – RDRAND Covert Channel





## RDRAND Covert Channel Transmission on Ice-Lake (works cross-core cross-VM)

### Case Studies – RDRAND Covert Channel





## RDRAND Covert Channel Transmission on Ice-Lake (works cross-core cross-VM) Few requirements: no shared memory, no shared cache Stealthy: no related performance counters



### Improving Transient-Execution Attacks

• Mounted Spectre and Meltdown attacks using the novel side channels



### Improving Transient-Execution Attacks

- Mounted Spectre and Meltdown attacks using the novel side channels
- Spectre PoC was 2.4x as fast as with a similar non-cache side channel

### Case Studies – Improving Attacks and KASLR break



### Improving Transient-Execution Attacks

- Mounted Spectre and Meltdown attacks using the novel side channels
- Spectre PoC was 2.4x as fast as with a similar non-cache side channel
- Meltdown PoC leaked 7.83 bytes at once (previously 3 bytes)

### Case Studies – Improving Attacks and KASLR break



### Improving Transient-Execution Attacks

- Mounted Spectre and Meltdown attacks using the novel side channels
- Spectre PoC was 2.4x as fast as with a similar non-cache side channel
- Meltdown PoC leaked 7.83 bytes at once (previously 3 bytes)

### FlushConflict

• KASLR break based on transient execution

### Case Studies – Improving Attacks and KASLR break



### Improving Transient-Execution Attacks

- Mounted Spectre and Meltdown attacks using the novel side channels
- Spectre PoC was 2.4x as fast as with a similar non-cache side channel
- Meltdown PoC leaked 7.83 bytes at once (previously 3 bytes)

### FlushConflict

- KASLR break based on transient execution
- Works on new Intel CPUs (Ice Lake and Comet Lake)

### Summary



**Osiris: Automated Discovery of Microarchitectural Side Channels** 

• We denote side channels as sequence triples



### Summary



- We denote side channels as sequence triples
- Osiris fuzzes for CPU timing side channels



### Summary



- We denote side channels as sequence triples
- Osiris fuzzes for CPU timing side channels
- We found 4 novel side channels





- We denote side channels as sequence triples
- Osiris fuzzes for CPU timing side channels
- We found 4 novel side channels
- We evaluated these side channels in 3 case studies





**Osiris: Automated Discovery of Microarchitectural Side Channels** 

- We denote side channels as sequence triples
- Osiris fuzzes for CPU timing side channels
- We found 4 novel side channels
- We evaluated these side channels in 3 case studies
- We open-sourced Osiris on https://github.com/cispa/osiris