DF-SCA: Dynamic Frequency Side Channel Attacks are Practical

TL;DR

This paper introduces DF-SCA, a practical software-based side-channel attack exploiting CPU frequency data on Linux and Android, enabling website fingerprinting, keystroke inference, and password recovery, highlighting new vulnerabilities in modern hardware.

Contribution

The paper presents a novel dynamic frequency side-channel attack (DF-SCA) that leverages unprivileged access to CPU frequency data to perform various security exploits on Linux and Android devices.

Findings

Successfully performed website fingerprinting on Chrome and Tor browsers.

Achieved 95% accuracy in keystroke classification on Android.

Recovered passwords with 88% success rate on first guess.

Abstract

The arm race between hardware security engineers and side-channel researchers has become more competitive with more sophisticated attacks and defenses in the last decade. While modern hardware features improve the system performance significantly, they may create new attack surfaces for malicious people to extract sensitive information about users without physical access to the victim device. Although many previously exploited hardware and OS features were patched by OS developers and chip vendors, any feature that is accessible from userspace applications can be exploited to perform software-based side-channel attacks. In this paper, we present DF-SCA, which is a software-based dynamic frequency side-channel attack on Linux and Android OS devices. We exploit unprivileged access to cpufreq interface that exposes real-time CPU core frequency values directly correlated with the system utilization, creating a reliable side-channel for attackers. We show that Dynamic Voltage and Frequency Scaling (DVFS) feature in modern systems can be utilized to perform website fingerprinting attacks for Google Chrome and Tor browsers on modern Intel, AMD, and ARM architectures. We further extend our analysis to a wide selection of scaling governors on Intel and AMD CPUs, verifying that all scaling governors provide enough information on the visited web page. Moreover, we extract properties of keystroke patterns on frequency readings, that leads to 95% accuracy to distinguish the keystrokes from other activities on Android phones. We leverage inter-keystroke timings of a user by training a k-th nearest neighbor model, which achieves 88% password recovery rate in the first guess on Bank of America application. Finally, we propose several countermeasures to mask the user activity to mitigate DF-SCA on Linux-based systems.