FetchBench: Systematic Identification and Characterization of Proprietary Prefetchers
Till Schlüter, Amit Choudhari, Lorenz Hetterich, Leon Trampert, Hamed Nemati, Ahmad Ibrahim, Michael Schwarz, Christian Rossow, Nils Ole Tippenhauer
CCS 2023, Copenhagen (DK), published November 2023
PDF · Slides · BibTeX · Code · DOI
Abstract:
Prefetchers speculatively fetch memory using predictions on future memory use by applications. Different CPUs may use different prefetcher types, and two implementations of the same prefetcher can differ in details of their characteristics, leading to distinct runtime behavior. For a few implementations, security researchers showed through manual analysis how to exploit specific prefetchers to leak data. Identifying such vulnerabilities required tedious reverse-engineering, as prefetcher implementations are proprietary and undocumented. So far, no systematic study of prefetchers in common CPUs is available, preventing further security assessment.
In this work, we address the following question: How can we systematically identify and characterize under-specified prefetchers in proprietary processors? To answer this question, we systematically analyze approaches to prefetching, design cross-platform tests to identify and characterize prefetchers on a given CPU, and demonstrate that our implementation FetchBench can characterize prefetchers on 19 different ARM and x86-64 CPUs. For example, FetchBench uncovers and characterizes a previously unknown replay-based prefetcher on the ARM Cortex-A72 CPU. Based on these findings, we demonstrate two novel attacks that exploit this undocumented prefetcher as a side channel to leak secret information, even from the secure TrustZone into the normal world.
Note on CVE-2023-33936:
We responsibliy disclosed our findings to Arm on May 8, 2023. On May 24, 2023, Arm notified us they recognize that our work identifies sharing of microarchitectural state of prefetchers across hardware contexts and that they allocated CVE-2023-33936 for this issue. On November 23, 2023, two days before the CCS 2023 conference, Arm notified us that they cannot assign the CVE because the issue we identified does not affect their products significantly. As a reaction to our paper, Arm released a security advisory about prefetcher side channels.
- Paper (PDF, accepted version)
- Slides (PDF, 12min version)
- Slides (PDF, 12min version, with animations)
- BibTeX
- Paper in the CISPA publication database
- Code (scy-phy/FetchBench on Github)
- Code (local mirror, ZIP)
- DOI (10.1145/3576915.3623124)
- Arm v8 Security Bulletin: Prefetcher Side Channels
- Arm Architecture Security Advisory: Prefetcher Side Channels
- CCS 2023 Program