Spectre without shared memory

Ben Amos, Niv Gilboa, Arbel Levy

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

The Spectre attack by Kocher et al. [11] reads arbitrary data from colocated processes by exploiting two common features of modern processors: speculative execution and shared caches. While theoretically the attack works in many different settings, the current variations all require that the attacker share with the target a memory region that includes vulnerable code which accepts input from the attacker. Motivated by the common practice in cloud computing of not allowing shared memory between different users, we construct the first Spectre type attack in which the target and the attacker do not share any memory pages. The target is a server and the attacker is colocated with the target, shares a Last-Level Cache with it and provides input to the target as a typical client over TCP. We develop new techniques for the attack including accurate location of the target's code and data in the shared cache, noise suppression enabling reliable retrieval of the target's data and optimizations speeding up the retrieval process. An indispensable tool in the retrieval process is a careful comparison of cache activity between two scenarios: the attacker sending as input an address of interest x and the attacker sending a different address x. The comparison enables extraction of a single memory byte from the target. We report on a Proof-of-Concept implementation of our attack and on tests on two Intel multi-core platforms with inclusive Last-Level Caches and speculative execution. The tests ran in two virtualization settings, Virtual Machines and Linux containers and in two profiles of cache activity, relative inactivity and very high activity. The setup phase in which the attacker locates the target's data in the cache requires on the order of several minutes to several tens of minutes. The attack successfully extracts the data with probability per byte between 0.91 to 0.99 and rate ranging from 0.4 to 10 bytes per second.

Original languageEnglish
Title of host publicationProceedings of the ACM Symposium on Applied Computing
PublisherAssociation for Computing Machinery
Pages1944-1951
Number of pages8
ISBN (Print)9781450359337
DOIs
StatePublished - 1 Jan 2019
Event34th Annual ACM Symposium on Applied Computing, SAC 2019 - Limassol, Cyprus
Duration: 8 Apr 201912 Apr 2019

Publication series

NameProceedings of the ACM Symposium on Applied Computing
VolumePart F147772

Conference

Conference34th Annual ACM Symposium on Applied Computing, SAC 2019
Country/TerritoryCyprus
CityLimassol
Period8/04/1912/04/19

Keywords

  • Cross-VM side channel
  • Last-level cache
  • Side-channel attack
  • Speculative execution

Fingerprint

Dive into the research topics of 'Spectre without shared memory'. Together they form a unique fingerprint.

Cite this