25-sidechan-6up.pdf-Computer Science 2021 Side channels and
Computer Science 2021
Timing of a page fault
Problem: the page fault is often recognized not when the
access occurs, but when the faulting instruction retires
Instructions after an illegal kernel memory access will be
But these transient instructions can still have micro-architectural effects
Attack idea:
Write cache covert channel code using the result of a faulting
kernel memory access
Recover from the fault, and then look for the side effect of the
transient access in the cache
Meltdown attack structure
You might be surprised that this works: so were the
people who first found it in 2017
This version affects Intel processors but not AMD-compatible ones
Ethics note: don’t try something like this on a shared
computer like a lab machine
Violates Labs and University rules, might hurt other users
(Also, probably patched by now.)
int array[1024];
int secret = *kernel_mem_ptr;  /* faults: user code may not read kernel memory */
array[secret * 16]++;          /* transient only: squashed when the fault retires, but the cache line is loaded */
/* recover here after segfault, then look for the side effect in the cache */
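An added example, not from the slides, of the "look for the side effect in the cache" step: a Flush+Reload receiver over a 256-slot probe array, one page per slot (the slide's int array with stride 16 uses one cache line per slot; a page stride is assumed here to keep the adjacent-line prefetcher out of the picture). The sender is an ordinary architectural write to one slot standing in for the transient array[secret * 16]++ above; nothing here reads kernel memory. The names probe, flush_slot, time_slot, fastest_slot and covert_roundtrip are this example's own. It compiles anywhere but only performs the probe on x86-64 (clflush and rdtscp); in a VM the timings are noisy, so a wrong guess on a single run is expected, which is why real attacks repeat and vote.

```c
/* Flush+Reload receiver for a cache covert channel (added example). */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#if defined(__x86_64__)
#include <x86intrin.h>          /* _mm_clflush, _mm_mfence, __rdtscp */
#define HAVE_X86_PROBE 1
#else
#define HAVE_X86_PROBE 0
#endif

#define SLOTS  256              /* one slot per possible byte value */
#define STRIDE 4096             /* assumption: one page per slot */

static uint8_t probe[SLOTS * STRIDE];

#if HAVE_X86_PROBE
/* Flush: evict the slot's line from every cache level. */
static void flush_slot(int s) {
    _mm_clflush(&probe[s * STRIDE]);
}

/* Reload: time one load of the slot in cycles; a cached line is much faster. */
static uint64_t time_slot(int s) {
    volatile uint8_t *p = &probe[s * STRIDE];
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#endif

/* Decode: the slot that reloaded fastest is the byte the sender touched. */
int fastest_slot(const uint64_t *times, int n) {
    int best = 0;
    for (int i = 1; i < n; i++)
        if (times[i] < times[best])
            best = i;
    return best;
}

/* Full round trip: flush all slots, let the "sender" touch one slot, reload
 * every slot and pick the fastest. Returns the decoded byte, or -1 when the
 * platform has no probe support. */
int covert_roundtrip(int sent) {
#if HAVE_X86_PROBE
    uint64_t times[SLOTS];
    for (int s = 0; s < SLOTS; s++)
        flush_slot(s);
    _mm_mfence();
    /* sender: in Meltdown this is array[secret * 16]++ inside the transient window */
    probe[sent * STRIDE]++;
    _mm_mfence();
    /* receiver: scrambled order so the prefetcher does not warm neighbours;
     * 167 is odd, so (i * 167 + 13) mod 256 visits every slot exactly once */
    for (int i = 0; i < SLOTS; i++) {
        int s = (i * 167 + 13) & 0xff;
        times[s] = time_slot(s);
    }
    return fastest_slot(times, SLOTS);
#else
    (void)sent;
    return -1;
#endif
}

int main(void) {
    int got = covert_roundtrip(0x42);
    if (got < 0)
        printf("no x86-64 probe support on this build\n");
    else
        printf("sent 0x42, cache says 0x%02x\n", got);
    return 0;
}
```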
Side and covert channels
Transient execution
Transient execution and kernel isolation: Meltdown
Transient execution and software checks: Spectre
Fixes, lessons learned, and the future
Example: JavaScript bounds check
Your web browser runs JavaScript code from untrusted
sources like advertisers, so must enforce security at
For instance, JavaScript arrays have runtime bounds
checks in the C implementation
if (index < 0 || index >= ary_size) {
    /* out of bounds: raise a JavaScript exception */
} else {
    void *value = raw_array[index];
    /* … */
}
Branch prediction and bounds check
Branch prediction helps ensure the cost of the check is low
Benign JS code will only access indexes in bounds
Branch will be predicted in-bounds
Execution can continue beyond the check
Architecturally, the check is still enforced
An out-of-bounds access means the prediction was incorrect, so the speculative work is discarded
Okay for buggy JS code to run slower
if (index < 0 || index >= ary_size) {
    /* out of bounds: raise a JavaScript exception */
} else {
    void *value = raw_array[index];
    /* … */
}
Dangers of branch speculation
Problem: code executed after the mis-speculated branch
could still have a micro-architectural effect
For instance, leaking information via a cache access
The protection being subverted here is JavaScript’s
For instance, attacker could read data elsewhere in the web
browser, like your banking password in another tab
Real JavaScript engines are just-in-time compilers, which
actually makes the attack easier
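An added example, not from the slides, putting the bounds check from the JavaScript-engine slides beside a hardened version. victim_unsafe is the pattern above written as a Spectre v1 gadget: the dependent load probe[value * 512] is what leaves a cache footprint if the else branch runs transiently with an out-of-bounds index. victim_hardened clamps the index with a branchless mask (the same idea as the Linux kernel's array_index_nospec, written here from scratch), so even when the branch is mispredicted the load hits raw_array[0] rather than a byte past the end. The names raw_array, ary_size and probe follow the slide; the sample array contents, the size_t index (which folds the "index < 0" test into the same comparison) and the helper names are this example's assumptions. The program shows the architectural behaviour; the speculative difference is only observable with a timing probe.

```c
/* Spectre v1 gadget and a branchless bounds clamp (added example). */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define ARY_SIZE 16
/* constructed sample data: the engine's backing store for a 16-element array */
static uint8_t raw_array[ARY_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};

/* second array whose cache footprint would reveal the loaded value */
static uint8_t probe[256 * 512];

/* The slide's check. Architecturally correct, but while the branch is
 * unresolved the core may run the else path with an out-of-bounds index
 * and touch probe[value * 512] for a byte that lies past raw_array. */
int victim_unsafe(size_t index) {
    if (index >= ARY_SIZE) {
        return -1;                      /* the real engine throws RangeError */
    } else {
        uint8_t value = raw_array[index];
        return probe[value * 512];      /* dependent load: the leak */
    }
}

/* Branchless mask: all ones if index < size, zero otherwise. The top bit of
 * (index | (size - 1 - index)) is set exactly when the subtraction wraps
 * (index >= size) or when index itself has its top bit set. No branch, so
 * nothing for the predictor to speculate past. */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1;                     /* 0 -> SIZE_MAX, 1 -> 0 */
}

size_t clamp_index_nospec(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* Same check, but the index used for the load is clamped with arithmetic
 * only: a mispredicted branch loads raw_array[0], never out of bounds. */
int victim_hardened(size_t index) {
    if (index >= ARY_SIZE)
        return -1;
    index = clamp_index_nospec(index, ARY_SIZE);
    uint8_t value = raw_array[index];
    return probe[value * 512];
}

int main(void) {
    size_t tests[] = {0, 7, 15, 16, 1000, SIZE_MAX};
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("index %zu -> mask %#zx, clamped %zu\n", tests[i],
               index_mask_nospec(tests[i], ARY_SIZE),
               clamp_index_nospec(tests[i], ARY_SIZE));
    return 0;
}
```

The clamp is applied after the architectural check rather than instead of it: the check still decides what the program does, the mask only bounds what the speculative path can touch while that decision is pending.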