U Can Touch This! Microarchitectural Timing Attacks via Machine Clears
Billy Bob Brumley
TL;DR
This paper introduces MCHammer, a microarchitectural side channel that exploits machine clears triggered by self-modifying-code (SMC) detection to reveal secret-dependent code traversal, achieving 13–15× finer trace granularity than Flush+Reload as measured by normalized inter-class variance (NICV). It demonstrates a practical single-trace key-recovery attack on the open-source SECCURE ECDSA implementation, recovering the private key from a single signature. The work contrasts MCHammer with Flush+Reload, shows that the primitive works both as a covert channel and as a side channel, and discusses software-level mitigation through constant-time implementation practices. The findings highlight a real-world risk from machine-clear-based leakage and motivate broader defensive strategies across software and hardware platforms.
Abstract
Microarchitectural timing attacks exploit subtle timing variations caused by hardware behaviors to leak sensitive information. In this paper, we introduce MCHammer, a novel side-channel technique that leverages machine clears induced by self-modifying code detection mechanisms. Unlike most traditional techniques, MCHammer does not require memory access or waiting periods, making it highly efficient. We compare MCHammer to the classical Flush+Reload technique and show that it improves on trace granularity, providing a powerful side-channel attack vector. Using MCHammer, we successfully recover keys from a deployed implementation of a cryptographic tool. Our findings highlight the practical implications of MCHammer and its potential impact on real-world systems.
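The attack works because the victim's scalar multiplication takes a different code path for each key bit, and a trace-granular channel sees that path. The following added example is not code from the paper or from SECCURE; it models the leak at the algorithm level on secp256k1 (public parameters, chosen here only as an assumption for illustration). The `'D'`/`'A'` list stands in for the observed code traversal: a left-to-right double-and-add leaks the whole scalar from one trace, while a Montgomery ladder with a mask-based conditional swap produces the same traversal for every key.

```python
"""Added example, not the paper's code: secret-dependent code traversal in
ECDSA scalar multiplication versus a uniform Montgomery ladder.
Curve: secp256k1 (public parameters; chosen for illustration only)."""

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = (0, 0)  # sentinel for the point at infinity; (0, 0) is not on y^2 = x^3 + 7


def ec_double(p):
    """Affine doubling on secp256k1 (a = 0)."""
    if p == INF or p[1] == 0:
        return INF
    x, y = p
    lam = 3 * x * x * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)


def ec_add(p, q):
    """Affine addition; same x with different y means q = -p."""
    if p == INF:
        return q
    if q == INF:
        return p
    if p[0] == q[0]:
        return ec_double(p) if p[1] == q[1] else INF
    lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x3 = (lam * lam - p[0] - q[0]) % P
    return (x3, (lam * (p[0] - x3) - p[1]) % P)


def leaky_scalar_mult(k, pt, trace):
    """Left-to-right double-and-add. Appends 'D'/'A' to `trace`: the sequence
    of code paths a trace-granular side channel observes. The 'A' only runs
    when the current key bit is 1, so the trace encodes the scalar."""
    assert 0 < k < N
    bits = bin(k)[2:]
    r = pt
    for b in bits[1:]:
        r = ec_double(r)
        trace.append('D')
        if b == '1':
            r = ec_add(r, pt)
            trace.append('A')
    return r


def recover_scalar(trace):
    """Single-trace recovery: each 'D' opens a new bit (0), an 'A' right after
    it sets that bit to 1. The top bit is implicitly 1."""
    bits = ['1']
    for op in trace:
        if op == 'D':
            bits.append('0')
        elif op == 'A':
            bits[-1] = '1'
    return int(''.join(bits), 2)


def cswap(swap, p, q):
    """Conditional swap via mask arithmetic, no data-dependent branch."""
    mask = -swap  # 0 when swap == 0, all ones when swap == 1
    tx = (p[0] ^ q[0]) & mask
    ty = (p[1] ^ q[1]) & mask
    return (p[0] ^ tx, p[1] ^ ty), (q[0] ^ tx, q[1] ^ ty)


def ladder_scalar_mult(k, pt, trace, nbits=256):
    """Montgomery ladder: every iteration executes exactly one add and one
    double, so the recorded traversal is identical for every scalar."""
    assert 0 < k < N
    r0, r1 = INF, pt
    for i in range(nbits - 1, -1, -1):
        bit = (k >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = ec_add(r0, r1)
        trace.append('A')
        r0 = ec_double(r0)
        trace.append('D')
        r0, r1 = cswap(bit, r0, r1)
    return r0


if __name__ == "__main__":
    key = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed
    leaky_trace = []
    leaky_scalar_mult(key, G, leaky_trace)
    print("recovered from one trace:", recover_scalar(leaky_trace) == key)
    t1, t2 = [], []
    ladder_scalar_mult(key, G, t1)
    ladder_scalar_mult(key ^ 0xFFFF, G, t2)
    print("ladder traversal independent of key:", t1 == t2)
```

Only the algorithm-level control flow is made uniform here; the affine formulas still branch on special cases (infinity, equal x), which a real constant-time implementation avoids with complete or projective formulas and a branchless swap in the field layer as well.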
