In cache-based side channel attacks, an attacker infers information about the victim based on the presence, or lack thereof, of one or more cachelines. Determining a cacheline’s presence, which we refer to as ”reading the signal”, typically requires testing the access time of the line using a suitably high precision timer. In this work we introduce novel gadgets which leverage CPU speculation to enable modification of these signals, before they are read, for a variety of purposes. First, these gadgets enable an attacker to optimize cache-based side channel attacks by evaluating arbitrary logic functions on cacheline signals prior to their measurement. Second, we demonstrate amplification techniques that enable an attacker to read a signal even if no high precision timer is available. Combined, these techniques can be used to improve existing side channel attacks even if timer access is limited. We evaluate the effectiveness of these techniques on a modern x86 CPU and demonstrate that when properly tuned, cache side channel signals can be reliably modified with near 100% accuracy and are able to be read with a timer as coarse as 100ms or more.
David Kaplan is a Fellow at AMD who focuses on developing new security technologies across the AMD product line as part of the Product Security Organization. He is the lead architect for the AMD encrypted virtualization features and has worked on both CPU and SOC level security features for the last 9 years. David has over 15 years of experience at AMD, has filed over 50 patents in his career so far, and spoken at events including Linux Security Summit, ISCA, USENIX Security, and CCC.