AVX Timing Side-Channel Attacks against Address Space Layout Randomization

TL;DR

This paper uncovers a novel AVX timing side-channel attack that can bypass address space layout randomization on modern x86 processors, revealing significant security vulnerabilities across various environments including cloud systems and SGX enclaves.

Contribution

The paper introduces a new AVX timing side-channel attack exploiting masked load/store instructions to defeat ASLR on recent Intel and AMD processors.

Findings

Successfully breaks User and Kernel ASLR on multiple processors

Can infer user behaviors like Bluetooth events and mouse movements

Demonstrates vulnerabilities in cloud and enclave environments

Abstract

Modern x86 processors support an AVX instruction set to boost performance. However, this extension may cause security issues. We discovered that there are vulnerable properties in implementing masked load/store instructions. Based on this, we present a novel AVX timing side-channel attack that can defeat address space layout randomization. We demonstrate the significance of our attack by showing User and Kernel ASLR breaks on the recent Intel and AMD processors in various environments, including cloud computing systems, an SGX enclave (a fine-grained ASLR break), and major operating systems. We further demonstrate that our attack can be used to infer user behavior, such as Bluetooth events and mouse movements. We highlight that stronger isolation or more fine-grained randomization should be adopted to successfully mitigate our presented attacks.