ISA extensions are increasingly used to enhance performance for specialized workloads without major architectural redesign. However, these enhancements can unintentionally introduce new microarchitectural attack surfaces. This paper examines security implications of Intel’s new cldemote extension, which optimizes data sharing by transferring cache lines from upper to lower-level caches. Our analysis shows the cldemote facilitates efficient eviction set construction in non-inclusive LLCs without helper threads or extensive memory operations. Our method reduces eviction set construction time by 36% with high success rates. Additionally, we find cldemote’s execution latency leaks sensitive data such as TLB states, page table permissions, and translation termination levels. Leveraging these leaks, we successfully derandomize the kernel base address in 2.49 ms on Linux. Finally, we discuss potential mitigations, emphasizing the broad security impacts of emerging ISA extensions.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Cache Demote for Fast Eviction Set Construction and Page Table Attribute Leakage

  • Taehun Kim,
  • Hyerean Jang,
  • Youngjoo Shin

摘要

ISA extensions are increasingly used to enhance performance for specialized workloads without major architectural redesign. However, these enhancements can unintentionally introduce new microarchitectural attack surfaces. This paper examines security implications of Intel’s new cldemote extension, which optimizes data sharing by transferring cache lines from upper to lower-level caches. Our analysis shows the cldemote facilitates efficient eviction set construction in non-inclusive LLCs without helper threads or extensive memory operations. Our method reduces eviction set construction time by 36% with high success rates. Additionally, we find cldemote’s execution latency leaks sensitive data such as TLB states, page table permissions, and translation termination levels. Leveraging these leaks, we successfully derandomize the kernel base address in 2.49 ms on Linux. Finally, we discuss potential mitigations, emphasizing the broad security impacts of emerging ISA extensions.