
(M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels

  • 16:30
  • Thu
  • 17 Nov
Technical Focus
Reverse Engineering
Briefing Stage 2


In recent years, there has been a rapid increase in microarchitectural attacks that exploit the side effects of various CPU components. Most of them, however, rely on timing differences and therefore need a high-resolution architectural timer to make microarchitectural states visible to the attacker. Hence, several mitigations degrade timer resolution or remove timers entirely.

In this talk, we present a new primitive that converts microarchitectural states into architectural states without relying on time measurements. With its latest microarchitectures (Tremont and Alder Lake), Intel introduces unprivileged instructions that aim to optimize idle loops (the user-level UMONITOR/UMWAIT and TPAUSE instructions of the WAITPKG extension). However, we show that the undocumented properties of these instructions blur the line between microarchitecture and architecture even further. Using these instructions, we can directly convert the microarchitectural state of a cache line into an architectural state without going through a side channel, i.e., with nearly perfect accuracy even on systems under load.
We show the versatility of our primitive in three different attack scenarios: a high-speed Spectre attack leaking up to 200 kbit/s, well-known attacks on cryptographic implementations carried out without any timer, and finally a technique that can similarly be used on AMD and Arm devices to perform website fingerprinting attacks.
Our case studies show that instruction-set extensions focused on performance can still introduce undesirable properties that undermine the security of systems.