New Cross-Core Cache-Agnostic and Prefetcher-based Side-Channels and Covert-Channels
Yun Chen, Ali Hajiabadi, Lingfeng Pei, Trevor E. Carlson

TL;DR
This paper uncovers a new shared prefetcher in Intel processors, the XPT, which enables cross-core side-channel and covert-channel attacks that bypass traditional cache-based defenses, threatening data confidentiality.
Contribution
It introduces PrefetchX, a novel cross-core attack exploiting the XPT prefetcher, demonstrating its ability to leak sensitive data and bypass existing cache-based security measures.
Findings
PrefetchX can extract RSA private keys.
It enables keystroke and network traffic monitoring.
Achieves up to 1.7MB/s channel capacity.
Abstract
In this paper, we reveal the existence of a new class of prefetcher, the XPT prefetcher, in modern Intel processors, which has never been officially documented. It speculatively issues a load, bypassing last-level cache (LLC) lookups, when it predicts that a load request will result in an LLC miss. We demonstrate that the XPT prefetcher is shared among different cores, which enables an attacker to build cross-core side-channel and covert-channel attacks. We propose PrefetchX, a cross-core attack mechanism, to leak users' sensitive data and activities. We empirically demonstrate that PrefetchX can be used to extract private keys of real-world RSA applications. Furthermore, we show that PrefetchX can enable side-channel attacks that can monitor keystrokes and network traffic patterns of users. Our two cross-core covert-channel attacks also see a low error rate and a 1.7MB/s maximum…
Taxonomy
Topics: Security and Verification in Computing · Advanced Data Storage Technologies · Cryptography and Data Security
