Exploiting the microarchitectural leakage of prefetching activities for side-channel attacks

Microarchitectural optimizations are designed to maximize CPU usage from all aspects of instruction execution. While they effectively shorten the overall timing of execution by executing instructions or load data speculatively, observable traces, which can be used to infer sensitive information about programs on the fly, are left behind. The Instruction Pointer (IP) based stride prefetcher is implemented by Intel since Sandy Bridge, which uses sequential load history to determine whether to fetch additional lines in advance. Shin et al. (2018) discovered that lines near the lookup table are prefetched by the IP-based stride prefetcher, and they conducted side-channel attack on ECDH in face of constant-time algorithm. Their exploitation of prefetching leakage leverage secret bits which directly relate to prefetching themselves, hence such attacks cannot be applied to algorithms without bit-dependent control/data flow, e.g., AES. @We believe the potential of prefetching leakage is not fully explored as many details of prefetcher implementation are unrevealed. Understanding how the prefetching works will help us to construct more powerful attacks. Motivated by this, we reverse-engineer three prefetching rules of IP-based stride prefetcher. A novel side-channel attack to recover the secret key of AES-128 is proposed to exemplify the exploitation, in which 3 or 4 consecutive bytes of the secret key are inferred according to observed prefetching activities combined with our concluded rules. Other unknown bytes can be complemented one at a time iteratively with our complement method. Besides, we verify that little interference is introduced by delaying the probing phase. In that case, it is rather reasonable and practical to schedule probing after the entire encryption is completed, instead of the first round where attackers need to interrupt the execution of encryption. Based on the inference, our side-channel attack successfully recovered all bytes of the secret key of AES-128. The microarchitectural leakage of prefetching activities is proved to contribute in terms of direct sensitive information recovery when detailed prefetching mechanisms are offered.