Remote Scheduler Contention Attacks

Stefan Gast, Jonas Juffinger, Lukas Maar, Christoph Royer, Andreas Kogler, Daniel Gruss

TL;DR

This paper investigates scheduler contention side channels on AMD Zen 3 and Zen 4, revealing leakage across all scheduler queues and introducing a timingless bingo-race method that yields exact queue capacities. It demonstrates inter-keystroke timing attacks with an $F_1$ score of at least $0.995$ and jitter under $4$ ms, and a pure JavaScript-based scheduler contention covert channel in Firefox achieving true capacities of $891.9$ bit/s on Zen 3 and $940.7$ bit/s on Zen 4. The work extends attacker access from native code to JavaScript, enabling cross-window data transmission that bypasses cross-origin policies and site isolation. These findings imply that mitigations beyond traditional timing defenses need urgent consideration, since watermarking and SMT-disabling approaches incur substantial performance overheads and may be insufficient.

Abstract

In this paper, we investigate unexplored aspects of scheduler contention: We systematically study the leakage of all scheduler queues on AMD Zen 3 and show that all queues leak. We mount the first scheduler contention attacks on Zen 4, with a novel measurement method evoking an out-of-order race condition, more precise than the state of the art. We demonstrate the first inter-keystroke timing attacks based on scheduler contention, with an F1 score of $\geq$ 99.5 % and a standard deviation below 4 ms from the ground truth. Our end-to-end JavaScript attack transmits across Firefox instances, bypassing cross-origin policies and site isolation, with 891.9 bit/s (Zen 3) and 940.7 bit/s (Zen 4).

Paper Structure (24 sections, 6 figures, 3 tables)

This paper contains 24 sections, 6 figures, 3 tables.

Figures (6)

  • Figure 1: Measuring scheduler contention with a bingo race. After draining the pipeline ❶, we fill the scheduler queue with repetitions of the priming instruction ❹, delayed by a high-latency input operand dependency chain ❷. The bingo variable at [r15] is constantly updated by the bingo thread on another core. If the pipeline stalls due to scheduler contention, r14 will contain a different value than r13.
  • Figure 2: Average load delay for different lengths $k$ of the multiplication block for Zen 2, 3 and 4; with the sibling thread being busy or idle ($n = 100\,000$).
  • Figure 3: Keystroke ($\mathbf{\triangle}$) timings observed via scheduler 3 by a co-located observer due to the watermark mechanism ($\mid\mid\mid$). Multiple samples with reduced scheduler capacity are clustered and filtered, resulting in a clear recovered keystroke signal (+).
  • Figure 4: The jitter of the individual recorded keystrokes (relative to the aligned ground truth), observed via scheduler 3. The low number of outliers and the high concentration around 0 ms show that inter-keystroke timings are extracted with very high accuracy.
  • Figure 5: Spawning multiple receiver threads to achieve co-location. Each core has two hardware threads: one occupied by the bingo thread (B), the other by the sender (S). Other hardware threads run receiver threads (R), measuring scheduler contention. The transmitted bit is recovered from the number of threads that have observed a low contention level (a, b), unless the sender is co-located with the bingo thread (c).