SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar

TL;DR
This paper reveals that speculative load hazards in modern CPUs can be exploited as side channels to significantly accelerate Rowhammer and cache attacks, enabling more efficient and deterministic memory abuse even in sandboxed environments.
Contribution
It introduces the SPOILER attack, exploiting speculative load dependency resolution to enhance reverse engineering of physical addresses and improve the effectiveness of Rowhammer and cache attacks.
Findings
Speeds up virtual-to-physical address mapping reverse engineering by 256x.
Enables cache eviction set search to be 4096x faster, even in sandboxed environments.
Achieves deterministic DRAM row conflicts and double-sided Rowhammer attacks with normal user privileges.
Abstract
Modern microarchitectures incorporate optimization techniques such as speculative loads and store forwarding to improve the memory bottleneck. The processor executes the load speculatively before the stores, and forwards the data of a preceding store to the load if there is a potential dependency. This enhances performance since the load does not have to wait for preceding stores to complete. However, the dependency prediction relies on partial address information, which may lead to false dependencies and stall hazards. In this work, we are the first to show that the dependency resolution logic that serves the speculative load can be exploited to gain information about the physical page mappings. Microarchitectural side-channel attacks such as Rowhammer and cache attacks like Prime+Probe rely on the reverse engineering of the virtual-to-physical address mapping. We propose the SPOILER…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
