Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks

Authors: 

Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida, Vrije Universiteit

Abstract: 

To stop side channel attacks on CPU caches that have allowed attackers to leak secret information and break basic security mechanisms, the security community has developed a variety of powerful defenses that effectively isolate the security domains. Of course, other shared hardware resources exist, but the assumption is that unlike cache side channels, any channel offered by these resources is insufficiently reliable and too coarse-grained to leak general-purpose information.

This is no longer true. In this paper, we revisit this assumption and show for the first time that hardware translation lookaside buffers (TLBs) can be abused to leak fine-grained information about a victim’s activity even when CPU cache activity is guarded by state-of-the-art cache side-channel protections, such as CAT and TSX. However, exploiting the TLB channel is challenging, due to unknown addressing functions inside the TLB and the attacker’s limited monitoring capabilities which, at best, cover only the victim’s coarse-grained data accesses. To address the former, we reverse engineer the previously unknown addressing function in recent Intel processors.

To address the latter, we introduce a new analysis technique that exploits temporal information about a victim’s memory activity rather than relying on commonly-used spatial information exploited by existing cache attacks. Our prototype implementation, TLBleed, can leak a 256-bit EdDSA secret key from a single capture after 17 seconds of computation time with a 98% success rate, even in presence of state-of-the-art cache isolation. Similarly, using a single capture, TLBleed reconstructs 92% of RSA keys from an implementation that is hardened against FLUSH + RELOAD attacks.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {217454,
author = {Ben Gras and Kaveh Razavi and Herbert Bos and Cristiano Giuffrida},
title = {Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with {TLB} Attacks},
booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {955--972},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/gras},
publisher = {USENIX Association},
month = aug
}

Presentation Video 

Presentation Audio