BEGIN:VCALENDAR
VERSION:2.0
PRODID:Linklings LLC
BEGIN:VTIMEZONE
TZID:America/Los_Angeles
X-LIC-LOCATION:America/Los_Angeles
BEGIN:DAYLIGHT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
TZNAME:PDT
DTSTART:19700308T020000
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
TZNAME:PST
DTSTART:19701101T020000
RRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20240626T180034Z
LOCATION:3012\, 3rd Floor
DTSTART;TZID=America/Los_Angeles:20240626T134500
DTEND;TZID=America/Los_Angeles:20240626T140000
UID:dac_DAC 2024_sess155_RESEARCH1027@linklings.com
SUMMARY:Whisper: Timing the Transient Execution to Leak Secrets and Break 
 KASLR
DESCRIPTION:Research Manuscript\n\nYu Jin and Chunlu Wang (Beijing Univers
 ity of Posts and Telecommunications); Pengfei Qiu and Chang Liu (Tsinghua 
 University); Yihao Yang (Beijing University of Posts and Telecommunication
 s); Hongpei Zheng and Yongqiang Lyu (Tsinghua University); Xiaoyong Li (Be
 ijing University of Posts and Telecommunications); Gang Qu (Univ. of Maryl
 and, College Park); and Dongsheng Wang (Tsinghua University)\n\nThe vulner
 abilities of transient execution have been exploited in many side-chan
 nel attacks (SCA). We report Whisper, a novel transient execution timi
 ng (TET) side channel, which is based on the execution time differenc
 e of transient execution under different conditions. We develop TET ver
 sions of SCAs including Meltdown, Zombieload, and Spectre-RSB that us
 e Whisper as a covert channel to leak information. We further propos
 e TET-KASLR to break the kernel address space layout randomization (KA
 SLR) mechanism under the protection of KPTI and FLARE. These attacks a
 re simple to implement and can bypass the existing mitigation method
 s because the TET side channel relies on execution time that can be c
 onveniently obtained by architectural-level timing analysis. We demon
 strate the correctness and effectiveness of these attacks on variou
 s x86-64 CPUs. The root cause of Whisper is analyzed with our toolset b
 uilt on the performance monitor unit (PMU) and potential defense agai
 nst Whisper is also discussed.\n\nTopic: Security\n\nKeywo
 rd: Hardware Security: Attack and Defense\n\nSession Chairs: Avani Dave (I
 ntel Corporation) and Vincent Immler (Oregon State University)
END:VEVENT
END:VCALENDAR
