Whisper: Timing the Transient Execution to Leak Secrets and Break KASLR
Description: The vulnerabilities of transient execution have been exploited in many side-channel attacks (SCA). We report Whisper, a novel transient execution timing (TET) side channel, which is based on the execution time difference of transient execution under different conditions. We develop TET versions of SCAs including Meltdown, Zombieload, and Spectre-RSB that use Whisper as a covert channel to leak information. We further propose TET-KASLR to break the kernel address space layout randomization (KASLR) mechanism under the protection of KPTI and FLARE. These attacks are simple to implement and can bypass the existing mitigation methods, because the TET side channel relies on execution time that can be conveniently obtained by architectural-level timing analysis. We demonstrate the correctness and effectiveness of these attacks on various x86-64 CPUs. The root cause of Whisper is analyzed with our toolset built on the performance monitor unit (PMU), and potential defenses against Whisper are also discussed.
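The abstract's central claim is that the channel needs only architectural-level timing of a code region, not a cache probe. The following is an added example, not code from the paper or its authors: a generic timing harness of the kind such an analysis is built on. It serializes `rdtscp` with `lfence` on x86-64 (falling back to `clock_gettime` elsewhere), collects repeated measurements of a region under two conditions, and derives a classification threshold from the calibration medians. The two conditions here are constructed stand-ins (dependent-load walks of different length, `walk()`), chosen only so the harness has something measurable; they are not the transient-execution conditions Whisper times, and no faulting or speculative sequence from the paper is reproduced.

```c
/*
 * Added example (not the paper's code): a timing harness for
 * architectural-level timing analysis. The measured workload is a
 * constructed stand-in, not a transient-execution sequence.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#if defined(__x86_64__)
#include <x86intrin.h>
/* Serialized cycle counter: lfence keeps earlier/later instructions from
 * drifting across the read, so the interval covers only the region. */
static inline uint64_t now_ticks(void) {
    unsigned aux;
    _mm_lfence();
    uint64_t t = __rdtscp(&aux);
    _mm_lfence();
    return t;
}
#else
/* Portable fallback in nanoseconds (assumption: not an x86-64 build). */
static inline uint64_t now_ticks(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* Constructed workload: a pointer chain arranged as one long cycle. */
#define CHAIN_LEN 4096
static size_t chain[CHAIN_LEN];

static void build_chain(void) {
    for (size_t i = 0; i < CHAIN_LEN; i++) chain[i] = i;
    for (size_t i = CHAIN_LEN - 1; i > 0; i--) {      /* Sattolo shuffle */
        size_t j = (size_t)rand() % i;
        size_t t = chain[i]; chain[i] = chain[j]; chain[j] = t;
    }
}

/* The region under measurement: 'steps' dependent loads. */
static size_t walk(size_t steps) {
    size_t p = 0;
    for (size_t s = 0; s < steps; s++) p = chain[p];
    return p;
}

static uint64_t time_region(size_t steps) {
    uint64_t t0 = now_ticks();
    volatile size_t sink = walk(steps);   /* volatile keeps the call alive */
    (void)sink;
    return now_ticks() - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; sorts a private copy. Medians resist interrupt noise. */
uint64_t median(const uint64_t *samples, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Decision threshold halfway between the two calibration medians. */
uint64_t threshold_between(uint64_t med_fast, uint64_t med_slow) {
    return med_fast + (med_slow - med_fast) / 2;
}

/* 1 = sample looks like the slow condition, 0 = the fast one. */
int classify(uint64_t sample, uint64_t threshold) {
    return sample >= threshold;
}

/* Calibrate on n samples per condition, then classify n fresh samples of
 * each; returns the percentage classified correctly. */
int run_experiment(size_t n) {
    const size_t fast_steps = 64, slow_steps = 1024;   /* constructed */
    uint64_t *fast = malloc(n * sizeof *fast), *slow = malloc(n * sizeof *slow);
    build_chain();
    for (size_t i = 0; i < n; i++) { fast[i] = time_region(fast_steps);
                                     slow[i] = time_region(slow_steps); }
    uint64_t thr = threshold_between(median(fast, n), median(slow, n));
    size_t correct = 0;
    for (size_t i = 0; i < n; i++) {
        correct += classify(time_region(fast_steps), thr) == 0;
        correct += classify(time_region(slow_steps), thr) == 1;
    }
    free(fast); free(slow);
    return (int)(100 * correct / (2 * n));
}

int main(void) {
    printf("classification accuracy: %d%%\n", run_experiment(200));
    return 0;
}
```

Compile with `gcc -O2`; the region must stay a real dependency chain at -O2, which is why the result is stored through a volatile. In a real timing analysis the two conditions would be the attacker-controlled states whose transient execution time differs, and the calibration step would be run once per target machine, since the threshold depends on the CPU and its frequency.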
Event Type: Research Manuscript
Time: Wednesday, June 26, 1:45pm - 2:00pm PDT
Location: 3012, 3rd Floor
Hardware Security: Attack and Defense