BandwidthBreach: Unleashing Covert and Side Channels through Cache Bandwidth Exploitation
Han Wang, Ming Tang, Ke Xu, Quancheng Wang

TL;DR
This paper demonstrates how modern CPU features can be exploited to create high-capacity covert channels that bypass traditional security defenses, enabling extraction of cryptographic keys and evading Spectre mitigations.
Contribution
The authors introduce novel cache bandwidth-based covert channels (L2CC, L3CC, LiCC) that outperform previous methods and can bypass existing security protections.
Findings
Achieved covert channel capacities up to 10.37 Mbps.
Successfully extracted cryptographic keys using these channels.
Can evade most traditional Spectre defenses.
Abstract
In the modern CPU architecture, enhancements such as the Line Fill Buffer (LFB) and Super Queue (SQ), which are designed to track pending cache requests, have significantly boosted performance. To exploit these structures, we deliberately engineered blockages in the L2 to L1d route by controlling LFB conflict and triggering prefetch prediction failures, while consciously dismissing other plausible influencing factors. This approach was subsequently extended to the L3 to L2 and L2 to L1i pathways, resulting in three potent covert channels, termed L2CC, L3CC, and LiCC, with capacities of 10.02 Mbps, 10.37 Mbps, and 1.83 Mbps, respectively. Strikingly, the capacities of L2CC and L3CC surpass those of earlier non-shared-memory-based covert channels, reaching a level comparable to their shared memory-dependent equivalents. Leveraging this congestion further facilitated the extraction of key…
Taxonomy
Topics: Advanced Data Storage Technologies · Security and Verification in Computing · Internet Traffic Analysis and Secure E-voting
