Article

PMU-Spill: A New Side Channel for Transient Execution Attacks

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TCSI.2023.3298913

Keywords

Performance monitor unit; side channel attack; transient execution attacks; hardware vulnerability; data leakage

The Performance Monitor Unit (PMU), an important hardware module in mainstream processors, is capable of recording some events triggered in transient executions, leading to a hardware vulnerability. We propose a new kind of side channel attack utilizing this vulnerability, which enables attackers to maliciously leak secret data. Through a thorough study of PMU counters on five Intel processors, we find that 112 vulnerable PMU counters can be utilized in the attack to leak secret data protected by Intel Software Guard Extensions (SGX), with a throughput of up to 291.2 bytes per second (Bps) and an average error rate of 2.45%.
The Performance Monitor Unit (PMU) is an important hardware module in mainstream processors, which counts various architectural and microarchitectural events during the run-time of the processor. Theoretically, if an instruction is executed but doesn't successfully retire (this is called transient execution), the events it triggers needn't be recorded by the PMU. However, in this study, we discover that current PMU implementations are capable of recording some events that are triggered in transient executions, which is a hardware vulnerability. Based on this vulnerability, we propose the PMU-Spill attack, a new kind of side channel attack that enables attackers to maliciously leak secret data in transient executions. We perform a thorough study of PMU counters on five Intel processors and find that they all have vulnerable PMU counters that will measure transient execution events (there are 162 vulnerable PMU counters among all the 383 PMU counters). We demonstrate on real hardware that 112 vulnerable PMU counters can be utilized in the PMU-Spill attack to leak the secret data protected by Intel Software Guard Extensions (SGX). In addition, our experiments suggest that the throughput of the PMU-Spill attack is up to 291.2 bytes per second (Bps) with an error rate of 2.45% on average. This discovery and the corresponding mitigation methods can be helpful for microarchitecture designers to reevaluate the security risks induced by the PMU module.
