Exploiting CPU Clock Modulation for Covert Communication Channel
Shariful Alam, Jidong Xiao, Nasir U. Eisty
TL;DR
This work presents a covert channel built on the clock modulation feature of Intel CPUs, exposed through the IA32_CLOCK_MODULATION model-specific register (MSR). With a sender and a receiver co-located on the same core, the sender encodes data in the processor's duty cycle: it writes specific MSR values to represent each bit and frames each transmission with start and end sequences of 24 symbols for synchronization, while the receiver, sharing the core, observes the resulting throttling. The channel reaches up to 55.24 bits per second. The authors validate the approach on real hardware, discuss timing and reliability considerations, and show that segmenting the data into blocks improves robustness. The study highlights a practical, hard-to-detect channel that challenges conventional resource-partitioning defenses and motivates mitigations for hardware-level covert channels.
Abstract
Covert channel attacks represent a significant threat to system security: they leverage shared resources to clandestinely transmit information out of highly secure systems, violating the system's security policies. Because these attacks use shared resources as communication channels, resource partitioning and isolation are the usual countermeasures. However, mitigating attacks that exploit modern processors' hardware features to leak information is challenging, because a successful attack can conceal the channel's existence. In this paper, we unveil a novel covert channel exploiting the duty cycle modulation feature of modern x86 processors. Specifically, we illustrate how two collaborating processes, a sender and a receiver, can manipulate this feature to transmit sensitive information surreptitiously. Our live system implementation demonstrates that this covert channel can achieve a data transfer rate of up to 55.24 bits per second.
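The TL;DR and abstract describe the channel's structure (bits encoded as duty-cycle levels, 24-symbol start and end markers, block segmentation) but not a concrete framing or decoding procedure. The following is an added example, not code from the paper: it implements such a frame builder and decoder in C, with the hardware replaced by a deterministic simulation of what a receiver spinning on a throttled core would count, so it runs unprivileged. The MSR address and bit layout come from the Intel SDM; the bit-to-MSR-value mapping, the marker patterns, the one-byte block size, the iteration counts and the noise model are all assumptions made for illustration and are not the paper's values.

```c
/* Added example (not from the paper): framing and decoding for a duty-cycle
 * covert channel over IA32_CLOCK_MODULATION, with the hardware replaced by a
 * deterministic simulation. MSR layout per Intel SDM; the encoding values,
 * markers, block size and noise model below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IA32_CLOCK_MODULATION 0x19AU  /* MSR address (Intel SDM vol. 4) */
#define CM_ENABLE             0x10U   /* bit 4: on-demand clock modulation enable */
#define MARKER_LEN            24      /* page: start/end sequences are 24 symbols */
#define BLOCK_BITS            8       /* assumed: one byte per block */
#define MAX_SYMS              4096
#define FULL_ITERS            100000U /* assumed: spin-loop iterations per symbol at full duty */
#define NOISE                 6000U   /* assumed: +/- jitter from scheduling, cache, etc. */

/* Assumed bit encoding (the page does not give the paper's values):
 * '1' -> modulation disabled (full duty), '0' -> 12.5% duty (bits 3:1 = 001).
 * On Linux the sender would pwrite() this value to /dev/cpu/<n>/msr at offset
 * IA32_CLOCK_MODULATION, as root, with the msr module loaded. */
static uint64_t msr_value_for_bit(int bit) {
    return bit ? 0 : (CM_ENABLE | (1U << 1));
}

/* Assumed marker patterns; chosen so the end marker is not a shift of the start. */
static const char START_MARKER[MARKER_LEN + 1] = "101010101010101010101010";
static const char END_MARKER[MARKER_LEN + 1]   = "111000111000111000111000";

/* Sender side: start marker, data MSB-first one block per byte, end marker.
 * Returns the number of symbols, or 0 if the buffer is too small. */
static size_t build_frame(const uint8_t *data, size_t n, uint8_t *sym, size_t cap) {
    size_t k = 0, i;
    if (2 * MARKER_LEN + n * BLOCK_BITS > cap) return 0;
    for (i = 0; i < MARKER_LEN; i++) sym[k++] = (uint8_t)(START_MARKER[i] - '0');
    for (i = 0; i < n; i++)
        for (int b = 7; b >= 0; b--) sym[k++] = (data[i] >> b) & 1;
    for (i = 0; i < MARKER_LEN; i++) sym[k++] = (uint8_t)(END_MARKER[i] - '0');
    return k;
}

static uint32_t lcg(uint32_t *s) { *s = *s * 1664525U + 1013904223U; return *s; }

/* Simulated receiver view of one symbol period: it spins on the shared core and
 * counts iterations; 12.5% duty cuts the count to roughly one eighth. */
static uint32_t sample_symbol(int sym, uint32_t *rng) {
    uint32_t base = sym ? FULL_ITERS : FULL_ITERS / 8;
    return base + (lcg(rng) % (2 * NOISE + 1)) - NOISE;
}

static int matches(const uint8_t *bits, const char *marker) {
    for (int i = 0; i < MARKER_LEN; i++) if (bits[i] != marker[i] - '0') return 0;
    return 1;
}

/* Receiver side: threshold samples into bits, hunt for the start marker, then
 * read whole blocks. The end marker is only tested at block boundaries, so a
 * marker-like run that straddles two bytes cannot end the frame early. */
static size_t decode_frame(const uint32_t *samples, size_t n, uint8_t *out, size_t cap) {
    uint8_t bits[MAX_SYMS];
    size_t i, pos = 0, nout = 0;
    const uint32_t thresh = (FULL_ITERS + FULL_ITERS / 8) / 2;
    if (n > MAX_SYMS) return 0;
    for (i = 0; i < n; i++) bits[i] = samples[i] > thresh;
    while (pos + MARKER_LEN <= n && !matches(bits + pos, START_MARKER)) pos++;
    if (pos + MARKER_LEN > n) return 0;          /* no start marker: nothing sent */
    pos += MARKER_LEN;
    while (pos + MARKER_LEN <= n && !matches(bits + pos, END_MARKER)) {
        if (nout >= cap) return 0;
        uint8_t v = 0;
        for (int b = 0; b < BLOCK_BITS; b++) v = (uint8_t)((v << 1) | bits[pos + b]);
        out[nout++] = v;
        pos += BLOCK_BITS;
    }
    return (pos + MARKER_LEN <= n) ? nout : 0;   /* 0: frame truncated, no end marker */
}

/* Drive a message through the simulated channel. The receiver starts sampling
 * before the sender does; an idle core runs at full duty, so it sees ones. */
static size_t channel_roundtrip(const uint8_t *msg, size_t n, uint8_t *out, size_t cap) {
    uint8_t sym[MAX_SYMS];
    uint32_t samples[MAX_SYMS];
    uint32_t rng = 0x5EED;
    size_t idle = 37, i, k = build_frame(msg, n, sym, MAX_SYMS - idle);
    if (k == 0) return 0;
    for (i = 0; i < idle; i++) samples[i] = sample_symbol(1, &rng);
    for (i = 0; i < k; i++) samples[idle + i] = sample_symbol(sym[i], &rng);
    return decode_frame(samples, idle + k, out, cap);
}

int main(void) {
    const char *msg = "covert";
    uint8_t out[64];
    size_t n = channel_roundtrip((const uint8_t *)msg, strlen(msg), out, sizeof out);
    printf("decoded %zu bytes: %.*s\n", n, (int)n, out);
    printf("sender writes 0x%llx for '0' and 0x%llx for '1' to MSR 0x%x\n",
           (unsigned long long)msr_value_for_bit(0),
           (unsigned long long)msr_value_for_bit(1), IA32_CLOCK_MODULATION);
    return 0;
}
```

Two caveats the simulation makes visible. First, the threshold sits midway between the two duty levels, so the channel tolerates jitter only while the noise band stays narrower than half the gap between levels; a real receiver would calibrate both levels before decoding. Second, a payload whose block-aligned bytes happen to spell the end marker (here 0xE3 0x8E 0x38) would terminate the frame early, which is why checking the marker only at block boundaries helps but does not remove the need for a length field or escaping in a real implementation.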
