TL;DR
Hacky Racers exploit instruction-level parallelism in out-of-order processors to create stealthy, fine-grained timers that bypass sandbox restrictions, enabling new side-channel and Spectre attacks even without transient execution.
Contribution
This paper introduces Hacky Racers, a novel timing gadget leveraging instruction-level parallelism to attack sandboxed environments and construct Spectre gadgets without relying on transient execution.
Findings
Hacky Racers can measure fine-grained timing differences in restricted environments.
They enable the creation of backwards-in-time Spectre gadgets.
They can generate cache eviction sets in JavaScript without SharedArrayBuffer.
Abstract
Side-channel attacks pose serious threats to many security models, especially sandbox-based browsers. While transient-execution side channels in out-of-order processors have previously been blamed for vulnerabilities such as Spectre and Meltdown, we show that in fact, the capability of out-of-order execution itself to cause mayhem is far more general. We develop Hacky Racers, a new type of timing gadget that uses instruction-level parallelism, another key feature of out-of-order execution, to measure arbitrary fine-grained timing differences, even in the presence of highly restricted JavaScript sandbox environments. While such environments try to mitigate timing side channels by reducing timer precision and removing language features such as SharedArrayBuffer that can be used to indirectly generate timers via thread-level parallelism, no such restrictions can be…