Title: Oxpecker: Leaking Secrets via Fetch Target Queue
Authors: Shan Li; Zheliang Xu; Haihua Shen; Huawei Li
DOI: 10.1109/TCAD.2025.3527903
Journal: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 44, no. 7, pp. 2461-2474 (JCR Q2, Computer Science, Hardware & Architecture; impact factor 2.7)
Publication type: Journal Article
Publication date: 2025-01-09
Open access: no
Citation count: 0
Source: Semantic Scholar; https://ieeexplore.ieee.org/document/10835128/

Abstract:
Modern processors integrate carefully designed micro-architectural components within the front-end to optimize performance. These components include the instruction cache, the micro-operation cache, and the instruction prefetcher. Through experimentation, we observed that the rate of instruction generation in the fetch unit markedly exceeds the execution rate in the decode unit. However, existing frameworks of processors fail to explain this phenomenon. Consequently, we empirically validate the presence of an optimization feature, referred to as the fetch target queue (FTQ), within Intel processors. To the best of our knowledge, our study represents the first empirical validation of the FTQ across various Intel processors and provides a comprehensive characterization of undocumented FTQ micro-structural details on Intel processors. Our analysis uncovers the overlooked insight that front-end rollbacks, caused by incorrectly ordered instructions or mismatched instruction lengths stored in the FTQ, introduce specific execution latencies. Based on these observations, we introduce the Oxpecker attack, consisting of two attack primitives, which leverages the FTQ to construct novel side-channel attacks. We construct two distinct exploitation scenarios for each attack primitive to demonstrate the Oxpecker attack’s capability to leak secret control flow information and break Kernel Address Space Layout Randomization.
Journal description:
The purpose of this Transactions is to publish papers of interest to individuals in the area of computer-aided design of integrated circuits and systems composed of analog, digital, mixed-signal, optical, or microwave components. The aids include methods, models, algorithms, and man-machine interfaces for system-level, physical and logical design including: planning, synthesis, partitioning, modeling, simulation, layout, verification, testing, hardware-software co-design and documentation of integrated circuit and system designs of all complexities. Design tools and techniques for evaluating and designing integrated circuits and systems for metrics such as performance, power, reliability, testability, and security are a focus.