ThermalBleed: A Practical Thermal Side-Channel Attack

Modern OSs expose an interface for monitoring CPU temperature to unprivileged users for effective user decision-based thermal management. Due to the low sampling rate and resolution, thermal sensors have generally been restricted to the construction of covert channels. However, exposing the thermal interface to unprivileged users may be problematic, because the heat emission inside a CPU core is affected by program execution on the core; an attacker may be able to infer the secret information of the program by exploiting the thermal interface as a side-channel. In this paper, we extensively analyze digital thermal sensors in Intel CPUs and show that it is possible to implement a software-based thermal side-channel attack. Specifically, by analyzing some properties of the thermal sensors, we inferred that the thermal sensor makes it possible to distinguish between a cache hit and a physical memory access in memory load operations. Based on the analysis results, we implement ThermalBleed, a thermal side-channel attack that breaks kernel address space layout randomization (KASLR) in Linux systems. Moreover, by conducting an in-depth analysis, we identify useful hidden properties of the Intel thermal sensors. Our analysis establishes a stepping stone to build a more precise and effective thermal side-channel attack in the future. To the best of our knowledge, this is the first work that extends a thermal covert channel to a practical side-channel attack by exploring the properties of Intel digital thermal sensors.