Exploits: I See Dead µops Leaking Secrets via Micro-Op Caches

grarpamp grarpamp at gmail.com
Sun May 2 22:13:01 PDT 2021


I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches

New micro-op cache attacks break all Spectre defences.
All modern AMD and Intel processors featuring micro-op caches are vulnerable.

Abstract -- Modern Intel, AMD, and ARM processors translate
complex instructions into simpler internal micro-ops that are
then cached in a dedicated on-chip structure called the micro-
op cache. This work presents an in-depth characterization study
of the micro-op cache, reverse-engineering many undocumented
features, and further describes attacks that exploit the micro-
op cache as a timing channel to transmit secret information.
In particular, this paper describes three attacks ­ (1) a same
thread cross-domain attack that leaks secrets across the user-
kernel boundary, (2) a cross-SMT thread attack that transmits
secrets across two SMT threads via the micro-op cache, and
(3) transient execution attacks that have the ability to leak
an unauthorized secret accessed along a misspeculated path,
even before the transient instruction is dispatched to execution,
breaking several existing invisible speculation and fencing-based
solutions that mitigate Spectre.
This paper presents a detailed characterization of the micro-
op cache in Intel Skylake and AMD Zen microarchitectures,
revealing details on several undocumented features. The paper
also presents new attacks that exploit the micro-op cache to
leak secrets in three primary settings: (a) across the user-kernel
boundary, (b) across co-located SMT threads running on the
same physical core, but different logical cores, and (c) two
transient execution attack variants that exploit the micro-op
cache timing channel, bypassing many recently proposed de-
fenses in the literature. Finally, the paper includes a discussion
on the effectiveness of the attack under existing mitigations
against side-channel and transient execution attacks, and fur-
ther identifies potential mitigations.

More information about the cypherpunks mailing list