{"title":"PMU-Spill: Performance Monitor Unit Counters Leak Secrets in Transient Executions","authors":"Pengfei Qiu, Qiang Gao, Dongsheng Wang, Yongqiang Lyu, Chang Liu, Xiaoyong Li, Chunlu Wang, Gang Qu","doi":"10.1109/AsianHOST56390.2022.10022280","DOIUrl":null,"url":null,"abstract":"The processor's Performance Monitor Unit (PMU) allows the recording of architectural and microarchitectural events for profiling purposes. In this study, we reveal a security issue caused by the fact that current PMU implementations are capable of recording some events that happened during transient executions. We propose the PMU -Spill attack, a new kind of attack that enables attackers to maliciously leak the secret data in transient executions. We demonstrate on real hardware that PMU -Spill attack can leak the secret data stored in Intel Software Guard Extensions (SGX). In addition, we perform a thorough study to reveal all the vulnerable PMU counters and find that 20 of them can be used to achieve PMU -Spill attack. Our experiments suggest that the throughput of PMU -Spill attack is up to 575.3 bytes per second (Bps) with an average error rate of 1.89% when leaking the SGX-protected secret data.","PeriodicalId":207435,"journal":{"name":"2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)","volume":"86 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-12-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AsianHOST56390.2022.10022280","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 2
Abstract
The processor's Performance Monitor Unit (PMU) allows the recording of architectural and microarchitectural events for profiling purposes. In this study, we reveal a security issue caused by the fact that current PMU implementations are capable of recording some events that happened during transient executions. We propose the PMU-Spill attack, a new kind of attack that enables attackers to maliciously leak the secret data in transient executions. We demonstrate on real hardware that PMU-Spill attack can leak the secret data stored in Intel Software Guard Extensions (SGX). In addition, we perform a thorough study to reveal all the vulnerable PMU counters and find that 20 of them can be used to achieve PMU-Spill attack. Our experiments suggest that the throughput of PMU-Spill attack is up to 575.3 bytes per second (Bps) with an average error rate of 1.89% when leaking the SGX-protected secret data.