MC3: Memory Contention based Covert Channel Communication on Shared DRAM System-on-Chips
Ismet Dagli, James Crea, Soner Seckiner, Yuanchao Xu, Selçuk Köse, Mehmet E. Belviranli
TL;DR
This work reveals a vulnerability in shared-memory SM-SoCs by exploiting memory-contention to establish covert channels between unprivileged applications, notably CPU↔GPU configurations that lack a last-level cache. It introduces MC$^3$, a software-only attack that modulates DRAM access to encode data, and develops precise timing and cache-less techniques to achieve high throughput with low error. The study demonstrates substantial channel capacities, up to $6.4$ kbps, and shows that GPU-backed receivers can significantly boost performance (e.g., up to ~14 kbps versus ~5 kbps on CPU) across NVIDIA Orin platforms, including Hello World transmissions and 100 KB messages with high fidelity. The results underscore practical privacy and security risks in modern SM-SoCs and motivate the design of defenses against memory-contention covert channels in mobile and autonomous devices.
Abstract
Shared-memory system-on-chips (SM-SoC) are ubiquitously employed by a wide-range of mobile computing platforms, including edge/IoT devices, autonomous systems and smartphones. In SM-SoCs, system-wide shared physical memory enables a convenient and financially-feasible way to make data accessible by dozens of processing units (PUs), such as CPU cores and domain specific accelerators. In this study, we investigate vulnerabilities that stem from the shared use of physical memory in such systems. Due to the diverse computational characteristics of the PUs they embed, SM-SoCs often do not employ a shared last level cache (LLC). While the literature proposes covert channel attacks for shared memory systems, high-throughput communication is currently possible by either relying on an LLC or privileged/physical access to the shared memory subsystem. In this study, we introduce a new memory-contention based covert communication attack, MC3, which specifically targets the shared system memory in mobile SoCs. Different from existing attacks, our approach achieves high throughput communication between applications running on CPU and GPU without the need for an LLC or elevated access to the system. We extensively explore the effectiveness of our methodology by demonstrating the trade-off between the channel transmission rate and the robustness of the communication. We demonstrate the utility of MC3 on NVIDIA Orin AGX, Orin NX, and Orin Nano up to a transmit rate of 6.4 kbps with less than 1% error rate.