
Hardware Security Architecture and Research at USENIX Security Symposium 2022


Hardware microarchitecture and security remained a very active research area in 2022. Each of the major computer architecture conferences had multiple sessions dedicated to security (4 sessions at ISCA’22 and 3 sessions each at MICRO’22, HPCA’22 and ASPLOS’22). This blog post, however, is dedicated to the microarchitecture and hardware security papers that appeared at the USENIX Security Symposium 2022, a leading security conference. The symposium was held in Boston in August 2022, had three submission deadlines during the year, and accepted a record 256 papers. This broad technical program includes numerous papers of direct interest to the computer architecture community; this blog post summarizes those contributions.

Side-channel attacks continued to receive a significant amount of attention. While previous transient-execution attacks focused primarily on Intel processors, the AMD prefetch attacks paper demonstrated that timing- and power-based side-channel attacks are also possible on AMD processors, especially through their prefetch units. In fact, the authors showed that prefetch instructions leak even more information on AMD processors than on Intel ones. The key observation behind these attacks is that the timing of prefetch instructions targeting kernel addresses depends on the page-table level at which the page walk stops. Since the timing of prefetch instructions also depends on the TLB state, the attack can additionally leak whether the kernel is currently using a targeted kernel page.

Hidden in plain sight unveiled a new attack against systems that use physical side channels to monitor program control flow. The authors presented a method for creating functional malware that does not trigger the detector. Hertzbleed showed how to turn power side-channel attacks into timing attacks on modern x86 systems, attacks that work without any access to the power-measurement infrastructure. The key observation is that, under certain circumstances, DVFS-induced CPU frequency adjustments depend on current power consumption and are therefore data dependent; moreover, these adjustments can be observed by a remote attacker without special privileges. Binoculars described a new side-channel attack that exploits contention between page-walker loads and normal memory operations for shared resources: this contention can cause significant delays in program execution time originating from a single dynamic instruction. The authors further demonstrated that the contention is address dependent, applying to high-order address bits, low-order address bits and line address bits within the cache, and that it works across address spaces, enabling low-noise attacks.

Branch history injection introduced a new primitive for mounting cross-privilege branch target injection attacks on systems that implement hardware isolation-based defenses such as Intel eIBRS and ARM CSV2. The key observation is that the isolation afforded by these defenses does not extend to other branch-prediction structures, so attacks remain possible. Furthermore, the authors analyzed the impact of also isolating branch history and demonstrated that, without a collision-free design, practical attacks in the same predictor mode remain possible. TLB;DR presented TLB desynchronization as a new approach to reverse engineering TLB behavior from software. This approach allows features such as replacement policies and PCID management to be reconstructed on Intel-based processors. The authors then showed how these new insights can be turned into faster, more efficient and finer-grained attacks on both L1 and L2 TLBs.

ReZone addressed a limitation of TrustZone-assisted TEE systems: the trusted OS has unrestricted access to both secure-world and normal-world memory. Specifically, attackers can use an exploit chain to hijack the trusted operating system and gain full control over the system, targeting the rich execution environment itself, trusted applications and/or the trusted monitor. ReZone splits the monolithic trusted environment into multiple sandboxed domains called zones. The goal is to restrict the memory access privileges of code running within a zone so that it cannot arbitrarily access memory allocated to the normal world, to other zones, or to the protected monitor.

Modular cachelets described a new partitioned last-level cache architecture in which isolated cache sections (cachelets) are allocated to secure enclaves, making the cache an integral part of the TEE system and stopping side-channel attacks. Cache partitioning is done across both ways and sets, partitioning decisions are tied to enclave operations, and cachelets can be dynamically combined into larger partitions for performance reasons. The small size of individual cachelets supports scalability, an important factor in cloud computing environments. Importantly, the authors also introduced a formal security model based on the operational semantics of caches and the memory system.

Don’t engage studied side-channel attacks on the mesh interconnect of server-class Intel processors and also considered possible mitigations against such attacks. The authors reverse engineered the lane scheduling and priority arbitration policies of the mesh interconnect to understand the conditions under which contention-based attacks are possible. They then demonstrated the feasibility of side-channel attacks that leak secret keys through this contention. Finally, they proposed a scheduler-based mitigation leveraging the observation that the placement of victim and attacker across cores has a significant impact on the channel’s effectiveness.

LightEnclave considered using Intel MPK (Memory Protection Keys) to support efficient intra-enclave isolation in SGX-based systems. Although MPK divides the address space into multiple memory domains, the trust models of MPK and SGX are incompatible by design. The proposed solution extends existing SGX hardware to securely integrate MPK and allow multiple light enclaves to be isolated within a single SGX enclave. SecSMT presented a comprehensive analysis of SMT processors’ vulnerability to contention-based side-channel attacks. The authors also discussed a number of unified mitigation strategies that can be implemented to address this information leakage.

Double trouble considered non-inclusive cache attacks in a system with domain-specific accelerators. The authors developed a novel accelerator-based approach for finding cache eviction sets and used precise double-sided checks on cache lines to expose undocumented behavior in non-inclusive cache hierarchies. The accelerator can efficiently evict shared targets with small eviction sets, refuting the common assumption that eviction sets must be as large as the cache associativity.

Half double presented a variant of Rowhammer that targets rows beyond the immediate neighbors of the victim row. In particular, errors in a victim row can be induced by combining a few accesses to a row close to the victim with many accesses to the row adjacent to that one; cumulatively, this causes enough disturbance in the victim row to flip bits. Retbleed demonstrated a new Spectre-style attack that leaks arbitrary kernel memory on fully patched Intel and AMD systems, calling into question the effectiveness of defenses such as retpoline. Unlike previous return-based Spectre attacks, RETBLEED exploits return instructions to achieve arbitrary speculative execution of kernel-level code by targeting the BTB instead of the RSB.
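A defender-side check that follows from the Retbleed result above, as an added example that is not part of the original post or of any of the papers it summarizes: it reads the per-issue status files Linux exports under /sys/devices/system/cpu/vulnerabilities/ (spectre_v2 and retbleed are real entries; retbleed only exists on kernels that know about it) and flags a spectre_v2 mitigation that relies on retpolines alone. The VULN_DIR override is an assumption added so the functions can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the original post or any of the papers it summarizes).
# Linux exports one status file per transient-execution issue under
# /sys/devices/system/cpu/vulnerabilities/, e.g. spectre_v2 and retbleed.
# VULN_DIR is an assumption so the functions can be run against a test directory.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE: map a sysfs status line to not-affected|mitigated|vulnerable|unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo not-affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# retpoline_only LINE: succeed (exit 0) when the spectre_v2 mitigation names
# retpolines but not enhanced IBRS. Retbleed showed that retpolines alone are not
# enough on affected parts, so such a line deserves a second look.
retpoline_only() {
  case "$1" in
    *[Rr]etpoline*)
      case "$1" in
        *"Enhanced IBRS"*|*eIBRS*) return 1 ;;
        *)                         return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# report: print the status of each entry and flag a retpoline-only spectre_v2 line
report() {
  for v in spectre_v2 retbleed; do
    f="$VULN_DIR/$v"
    if [ -r "$f" ]; then
      line=$(cat "$f")
      printf '%s: %s (%s)\n' "$v" "$(classify_status "$line")" "$line"
      if [ "$v" = spectre_v2 ] && retpoline_only "$line"; then
        echo "  note: spectre_v2 relies on retpolines only; compare with the retbleed entry"
      fi
    else
      printf '%s: no entry exported by this kernel\n' "$v"
    fi
  done
}

report
```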

ÆPIC Loss described a new exploit that leaks stale data from the CPU microarchitecture without relying on side channels. In particular, the authors found that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not initialized correctly. As a result, architectural reads of these registers return stale microarchitectural data and allow any data transferred between the L2 cache and the last-level cache to be read. This finding leads to an end-to-end attack that extracts AES-NI keys, RSA keys, and even Intel SGX attestation keys from enclaves within seconds.

While the format of this blog only allowed us to give an overview of one security conference (given the sheer number of relevant papers), other security conferences have also had interesting contributions. 2022 did not disappoint in the volume and quality of new ideas in this area, and we can’t wait for more in 2023!

About the author: Dmitry Ponomarev is a Professor and an Associate Professor in the Department of Computer Science at Binghamton University. His research interests are in computer architecture and security.

Disclaimer: These posts are written by individual contributors to share their thoughts on the Computer Architecture Today blog for the benefit of the community. Any views or opinions represented in this blog are personal, belong solely to the blog author, and do not represent those of ACM SIGARCH or its parent organization, ACM.
