Demoting Security via Exploitation of Cache Demote Operation in Intel's Latest ISA Extension
Taehun Kim, Hyerean Jang, Youngjoo Shin
TL;DR
This paper reveals security risks inherent in Intel's cldemote ISA extension, showing that unprivileged access, inter-cache state transitions, and fault suppression enable novel microarchitectural attacks. It introduces two practical primitives, Flush+Demote and Demote+Time, yielding a $2.84$ Mbps covert channel and a $2.49$ ms KASLR break on Linux, and demonstrates that cldemote can accelerate eviction-set construction in non-inclusive LLCs by $36\%$ through Access+Demote. The authors reverse-engineer Sapphire Rapids LLC and directory structures to support eviction-set methods and present a five-characteristic taxonomy of exploitable ISA extensions with four corresponding attack types. They discuss mitigations, emphasizing the need for security-aware ISA design and proposing noise-based timing, restricted privileges, and architecture-level protections to mitigate such threats in future ISAs.
Abstract
ISA extensions are increasingly adopted to boost the performance of specialized workloads without requiring an entire architectural redesign. However, these enhancements can inadvertently expose new attack surfaces in the microarchitecture. In this paper, we investigate Intel's recently introduced cldemote extension, which promotes efficient data sharing by transferring cache lines from upper-level caches to the Last Level Cache (LLC). Despite its performance benefits, we uncover critical properties (unprivileged access, inter-cache state transition, and fault suppression) that render cldemote exploitable for microarchitectural attacks. We propose two new attack primitives, Flush+Demote and Demote+Time, built on our analysis. Flush+Demote constructs a covert channel with a bandwidth of 2.84 Mbps and a bit error rate of 0.018%, while Demote+Time derandomizes the kernel base address in 2.49 ms on Linux. Furthermore, we show that leveraging cldemote accelerates eviction set construction in non-inclusive LLC designs by obviating the need for helper threads or extensive cache conflicts, thereby reducing construction time by 36% yet retaining comparable success rates. Finally, we examine how ISA extensions contribute to broader microarchitectural attacks, identifying five key exploitable characteristics and categorizing four distinct attack types. We also discuss potential countermeasures, highlighting the far-reaching security implications of emerging ISA extensions.
