Journal
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I-REGULAR PAPERS
Volume -, Issue -, Pages -Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TCSI.2023.3298913
Keywords
Performance monitor unit; side channel attack; transient execution attacks; hardware vulnerability; data leakage
Categories
Ask authors/readers for more resources
Performance Monitor Unit (PMU), an important hardware module in mainstream processors, is capable of recording some events triggered in transient executions, leading to a hardware vulnerability. We propose a new kind of side channel attack utilizing this vulnerability, which enables attackers to maliciously leak secret data. Through thorough study on PMU counters of five Intel processors, we find that 112 vulnerable PMU counters can be utilized in the attack to leak secret data protected by Intel Software Guard Extensions (SGX), with a throughput of up to 291.2 bytes per second (Bps) and an average error rate of 2.45%.
Performance Monitor Unit (PMU) is an important hardware module in mainstream processors, which counts various architectural and microarchitectural events during the run-time of the processor. Theoretically, if an instruction is executed but doesn't successfully retire (this is called transient execution), the events it triggers needn't be recorded by PMU. However, in this study, we discover that current PMU implementations are capable of recording some events that are triggered in transient executions, which is a hardware vulnerability. Based on this vulnerability, we propose the attack, a new kind of side channel attack that enables attackers to maliciously leak secret data in transient executions. We perform a thorough study of PMU counters on five Intel processors and find that they all have vulnerable PMU counters that will measure transient execution events (there are 162 vulnerable PMU counters among all the 383 PMU counters). We demonstrate on real hardware that 112 vulnerable PMU counters can be utilized in attack to leak the secret data protected by Intel Software Guard Extensions (SGX). Besides, our experiments suggest that the throughput of attack is up to 291.2 bytes per second (Bps) with an error rate of 2.45% on average. This discovery and the corresponding mitigation methods can be helpful for microarchitecture designers to reevaluate the security risks induced by the PMU module.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available