Graduate School and Research Center in Digital Sciences

Reverse engineering Intel complex addressing using performance counters

Maurice, Clémentine; Le Scouarnec, Nicolas; Neumann, Christoph; Heen, Olivier; Francillon, Aurélien

RAID 2015, 18th International Symposium on Research in Attacks, Intrusions and Defenses, November 2-4, 2015, Kyoto, Japan / Also published in LNCS, Volume 9404/2015

Cache attacks, which exploit differences in timing to perform covert or side channels, are now well understood. Recent works leverage the last level cache to perform cache attacks across cores. This cache is split into slices, with one slice per core. While predicting the slices used by an address is simple in older processors, recent processors are using an undocumented technique called complex addressing. This renders some attacks more difficult and makes other attacks impossible, because of the loss of precision in the prediction of cache collisions. In this paper, we build an automatic and generic method for reverse engineering Intel's last-level cache complex addressing, consequently rendering the class of cache attacks highly practical. Our method relies on CPU hardware performance counters to determine the cache slice an address is mapped to. We show that our method gives a more precise description of the complex addressing function than previous work. We validated our method by reversing the complex addressing functions on a diverse set of Intel processors. This set encompasses Sandy Bridge, Ivy Bridge and Haswell micro-architectures, with different numbers of cores, for mobile and server ranges of processors. We show the correctness of our function by building a covert channel. Finally, we discuss how other attacks benefit from knowing the complex addressing of a cache, such as sandboxed rowhammer.


Title: Reverse engineering Intel complex addressing using performance counters
Keywords: Complex addressing, Covert channel, Cross-Core, Last level cache, Reverse engineering, Side channel.
Type: Conference
Language: English
City: Kyoto
Country: JAPAN
Date:
Department: Digital Security
Eurecom ref: 4671
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in RAID 2015, 18th International Symposium on Research in Attacks, Intrusions and Defenses, November 2-4, 2015, Kyoto, Japan / Also published in LNCS, Volume 9404/2015 and is available at: http://dx.doi.org/10.1007/978-3-319-26362-5_3
Bibtex:
@inproceedings{EURECOM+4671,
  doi = {http://dx.doi.org/10.1007/978-3-319-26362-5_3},
  year = {2015},
  title = {{R}everse engineering {I}ntel complex addressing using performance counters},
  author = {{M}aurice, {C}l{\'e}mentine and {L}e {S}couarnec, {N}icolas and {N}eumann, {C}hristoph and {H}een, {O}livier and {F}rancillon, {A}ur{\'e}lien},
  booktitle = {{RAID} 2015, 18th {I}nternational {S}ymposium on {R}esearch in {A}ttacks, {I}ntrusions and {D}efenses, {N}ovember 2-4, 2015, {K}yoto, {J}apan / {A}lso published in {LNCS}, {V}olume 9404/2015},
  address = {{K}yoto, {JAPAN}},
  month = {11},
  url = {http://www.eurecom.fr/publication/4671}
}