Memory DisOrder: Memory Re-orderings as a Timerless Side-channel

TL;DR

This paper introduces Memory DisOrder, a side-channel attack exploiting memory re-orderings in modern processors to infer activity and perform covert communications, revealing vulnerabilities across CPUs and GPUs.

Contribution

It demonstrates that memory re-orderings can be used as a timerless side-channel across various hardware, enabling covert channels and fingerprinting attacks.

Findings

Many mainstream processors are susceptible to cross-process signals.

Achieved up to 16 bits/second covert channel with 95% accuracy on Apple M3 GPU.

Enabled reliable application fingerprinting and high-speed covert channels.

Abstract

To improve efficiency, nearly all parallel processing units (CPUs and GPUs) implement relaxed memory models in which memory operations may be re-ordered, i.e., executed out-of-order. Prior testing work in this area found that memory re-orderings are observed more frequently when other cores are active, e.g., stressing the memory system, which likely triggers aggressive hardware optimizations. In this work, we present Memory DisOrder: a timerless side-channel that uses memory re-orderings to infer activity on other processes. We first perform a fuzzing campaign and show that many mainstream processors (X86/Arm/Apple CPUs, NVIDIA/AMD/Apple GPUs) are susceptible to cross-process signals. We then show how the vulnerability can be used to implement classic attacks, including a covert channel, achieving up to 16 bits/second with 95% accuracy on an Apple M3 GPU, and application fingerprinting, achieving reliable closed-world DNN architecture fingerprinting on several CPUs and an Apple M3 GPU. Finally, we explore how low-level system details can be exploited to increase re-orderings, showing the potential for a covert channel to achieve nearly 30K bits/second on X86 CPUs. More precise attacks can likely be developed as the vulnerability becomes better understood.