SegScope: Probing Fine-grained Interrupts via Architectural Footprints

Xin Zhang, Zhi Zhang, Qingni Shen, Wenhao Wang, Yansong Gao, Zhuoxi Yang, Jiliang Zhang

Research output: Chapter in Book/Conference paper > Conference paper > peer-review

Abstract

Interrupts are critical hardware resources that OS kernels use to schedule processes. Because they are tied to system activity, interrupts can be used to mount various side-channel attacks (e.g., monitoring keystrokes, inferring website visits, detecting GPU activities, and fingerprinting processes). Given that all these attacks rely on system file interfaces or architectural timers to probe interrupts, various countermeasures have been proposed to either remove unprivileged access to the file interfaces or detect/cripple architectural timers. In this work, we propose SegScope, a new technique that abuses segment protection to provide fine-grained interrupt observations without any timer. As segment protection is widely used on x86, SegScope works across a wide range of Intel- and AMD-based CPUs. In particular, we observe that while segment protection preserves the confidentiality of the high-privileged domain, it leaves a footprint in the values of the data segment registers when an interrupt occurs. With this key observation, SegScope is crafted by capturing these footprints. To show its security implications, we evaluate it in four case studies. First, SegScope infers website visits with success rates of 92.4% on Chrome and 87.4% on Tor Browser under default system settings. Second, SegScope successfully extracts the keys from Cloudflare's Interoperable Reusable Cryptographic Library (CIRCL) v1.1. Third, SegScope steals DNN model architectures with an accuracy of over 80%. Last, SegScope effectively reduces interrupt noise to improve the performance of other side channels; as an example, it reduces the error rate of the Spectral side channel by 56×. Compared with existing timer-based interrupt-probing techniques, SegScope is fine-grained and introduces no false positives. Further, we leverage SegScope to craft a fine-grained timer, since regular timer interrupts, used as clock edges, carry timestamps. Our evaluation shows that it achieves the same level of timing granularity as the high-resolution timers, i.e., rdtsc and rdpru. We then leverage this timer to break KASLR in about 10 seconds and to mount a Flush+Reload based Spectre attack.

Original language: English
Title of host publication: Proceedings of the 2024 IEEE International Symposium on High-Performance Computer Architecture, HPCA 2024
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 424-438
Number of pages: 15
ISBN (Electronic): 9798350393132
DOIs:
Publication status: Published - 2024
Event: 30th IEEE International Symposium on High-Performance Computer Architecture, HPCA 2024 - Edinburgh, United Kingdom
Duration: 2 Mar 2024 to 6 Mar 2024

Publication series

Name: Proceedings - International Symposium on High-Performance Computer Architecture
ISSN (Print): 1530-0897

Conference

Conference: 30th IEEE International Symposium on High-Performance Computer Architecture, HPCA 2024
Country/Territory: United Kingdom
City: Edinburgh
Period: 2/03/24 to 6/03/24
