New Covert and Side Channels Based on Retirement

TL;DR

This paper uncovers vulnerabilities in Intel processors' retirement mechanism, proposing new covert channels and demonstrating their effectiveness, while also exploring applications to Spectre attacks and program inference.

Contribution

It introduces two novel covert channels based on retirement sharing, applies retirement to Spectre variants, and discusses potential defenses against these channels.

Findings

DI covert channel achieves 98.5% accuracy at 1450 Kbps

SI covert channel achieves 94.85% accuracy at 483.33 Kbps

Retirement-based methods can infer SPEC benchmarks with 89.28% accuracy

Abstract

Intel processors utilize the retirement to orderly retire the micro-ops that have been executed out of order. To enhance retirement utilization, the retirement is dynamically shared between two logical cores on the same physical core. However, this shared retirement mechanism creates a potential vulnerability wherein an attacker can exploit the competition for retirement to infer the data of a victim on another logical core on the same physical core. Based on this leakage, we propose two new covert channels: the Different Instructions (DI) covert channel using different instructions for information transmission, and the Same Instructions (SI) covert channel using the same instructions to transmit information. The DI covert channel can achieve 98.5% accuracy with a bandwidth of 1450 Kbps, while the SI covert channel can achieve 94.85% accuracy with a bandwidth of 483.33 Kbps. Furthermore, this paper explores additional applications of retirement: Firstly, retirement is applied to Spectre attacks, resulting in a new variant of Spectre v1, which can achieve 94.17% accuracy with a bandwidth of 29 Kbps; Secondly, retirement is leveraged to infer the programs being executed by the victim, which can infer 10 integer benchmarks of SPEC with 89.28% accuracy. Finally, we discuss possible protection against new covert channels.