Graduate engineering school and research center in digital sciences

Reverse engineering Intel complex addressing using performance counters

Maurice, Clémentine; Le Scouarnec, Nicolas; Neumann, Christoph; Heen, Olivier; Francillon, Aurélien

RAID 2015, 18th International Symposium on Research in Attacks, Intrusions and Defenses, November 2-4, 2015, Kyoto, Japan / Also published in LNCS, Volume 9404/2015

Cache attacks, which exploit differences in timing to perform covert or side channels, are now well understood. Recent works leverage the last level cache to perform cache attacks across cores. This cache is split into slices, with one slice per core. While predicting the slices used by an address is simple in older processors, recent processors are using an undocumented technique called complex addressing. This renders some attacks more difficult and makes other attacks impossible, because of the loss of precision in the prediction of cache collisions. In this paper, we build an automatic and generic method for reverse engineering Intel's last-level cache complex addressing, consequently rendering the class of cache attacks highly practical. Our method relies on CPU hardware performance counters to determine the cache slice an address is mapped to. We show that our method gives a more precise description of the complex addressing function than previous work. We validated our method by reversing the complex addressing functions on a diverse set of Intel processors. This set encompasses Sandy Bridge, Ivy Bridge and Haswell micro-architectures, with different numbers of cores, for mobile and server ranges of processors. We show the correctness of our function by building a covert channel. Finally, we discuss how other attacks benefit from knowing the complex addressing of a cache, such as sandboxed rowhammer.

Title: Reverse engineering Intel complex addressing using performance counters
Keywords: Complex addressing, Covert channel, Cross-Core, Last level cache, Reverse engineering, Side channel.
Type: Conference
Language: English
City: Kyoto
Country: JAPAN
Date:
Department: Digital Security
Eurecom ref: 4671
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in RAID 2015, 18th International Symposium on Research in Attacks, Intrusions and Defenses, November 2-4, 2015, Kyoto, Japan / Also published in LNCS, Volume 9404/2015 and is available at: http://dx.doi.org/10.1007/978-3-319-26362-5_3
Bibtex:
@inproceedings{EURECOM+4671,
  doi = {http://dx.doi.org/10.1007/978-3-319-26362-5_3},
  year = {2015},
  title = {{R}everse engineering {I}ntel complex addressing using performance counters},
  author = {{M}aurice, {C}l{\'e}mentine and {L}e {S}couarnec, {N}icolas and {N}eumann, {C}hristoph and {H}een, {O}livier and {F}rancillon, {A}ur{\'e}lien},
  booktitle = {{RAID} 2015, 18th {I}nternational {S}ymposium on {R}esearch in {A}ttacks, {I}ntrusions and {D}efenses, {N}ovember 2-4, 2015, {K}yoto, {J}apan / {A}lso published in {LNCS}, {V}olume 9404/2015},
  address = {{K}yoto, {JAPON}},
  month = {11},
  url = {http://www.eurecom.fr/publication/4671}
}