In a paper published earlier this month, a team of researchers from EPFL and IBM Research introduces the port-induced side channel called SMoTher. They show that it can take the place of a cache-based side channel in a powerful transient execution attack, SMoTherSpectre, which leaks secrets held in registers or in the closely coupled L1 cache.
The authors focus on ‘contention,’ in contrast to the large body of conventional research built on a string of exploits that leverage caches. They demonstrate that, by leveraging contention, it is possible to detect a sequence as small as a single instruction that was tied at design time to a specific subset of execution ports.
The study dwells on Simultaneous Multithreading (SMT): two sibling threads on the same core each have ready micro-ops that can use the same port. Since they contend for that port in every cycle, a thread has to wait for a few cycles whenever the scheduler picks a micro-op from the other thread for the contended port. That causes a detectable slowdown, up to 35% in the experiments conducted by the authors.
Since each instruction in a code sequence can be scheduled only on specific ports, it was possible to create a port fingerprint for every sequence. By timing instructions that are scheduled on those same ports, the attacker can measure the contention. SMoTherSpectre becomes a very powerful attack because the two kinds of gadgets it needs are plentiful: a BTI (branch target injection) gadget to trigger speculation and a SMoTher gadget to leak the secret.
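To make the mechanism concrete, the following toy scheduler model illustrates why a port fingerprint makes contention observable. It is an added example written for this article, not code from the paper or its released proof of concept, and it performs no timing at all: the port table and the port numbering are constructed for illustration and do not describe any real microarchitecture. Two threads each hold a queue of micro-ops tagged with the ports that can issue them; each cycle, at most one micro-op issues per port, and a thread whose only eligible port was taken stalls. Running a victim sequence alone and then alongside a co-resident sequence shows that the slowdown appears only when the two sequences' fingerprints overlap.

```python
"""Toy model of SMT port contention (constructed example, not the paper's code)."""
from __future__ import annotations

from collections import deque
from typing import FrozenSet, Sequence

Uop = FrozenSet[int]  # the set of execution ports that can issue this micro-op

NUM_PORTS = 6

# Constructed, hypothetical port table: which ports can issue each instruction.
# These assignments are illustrative only and are not taken from any real CPU.
PORT_TABLE: dict[str, Uop] = {
    "add": frozenset({0, 1, 5}),   # several ports: rarely contends
    "mul": frozenset({1}),         # single port: easy to contend for
    "popcnt": frozenset({1}),      # shares the single port with "mul"
    "load": frozenset({2, 3}),     # different port group entirely
}


def fingerprint(instrs: Sequence[str]) -> list[Uop]:
    """Translate an instruction sequence into its port fingerprint."""
    fp = [PORT_TABLE[i] for i in instrs]
    for ports in fp:
        if not ports or max(ports) >= NUM_PORTS:
            raise ValueError(f"micro-op cannot issue on any modelled port: {sorted(ports)}")
    return fp


def run(sequences: Sequence[Sequence[Uop]]) -> list[int]:
    """Issue the threads' micro-ops cycle by cycle over shared ports.

    Returns, for each thread, the number of cycles elapsed when its last
    micro-op issued. Priority between threads rotates every cycle so that
    neither thread starves; a micro-op whose eligible ports are all taken
    simply waits for the next cycle.
    """
    queues = [deque(seq) for seq in sequences]
    finished = [0] * len(queues)
    cycle = 0
    while any(queues):
        free = set(range(NUM_PORTS))
        n = len(queues)
        for k in range(n):
            t = (cycle + k) % n            # rotating issue priority
            q = queues[t]
            if not q:
                continue
            candidates = sorted(q[0] & free)
            if candidates:                 # a port is available: issue
                free.remove(candidates[0])
                q.popleft()
                if not q:
                    finished[t] = cycle + 1
            # otherwise the head micro-op stalls for this cycle
        cycle += 1
    return finished


def slowdown(victim: Sequence[Uop], neighbour: Sequence[Uop]) -> float:
    """Ratio of the victim's runtime with a co-resident thread to its runtime alone."""
    alone = run([victim])[0]
    together = run([victim, neighbour])[0]
    return together / alone


if __name__ == "__main__":
    victim = fingerprint(["mul"] * 8)
    for name in ("popcnt", "load"):
        ratio = slowdown(victim, fingerprint([name] * 8))
        print(f"victim 'mul' x8 next to '{name}' x8: slowdown {ratio:.3f}x")
```

With the constructed table, eight `mul` micro-ops finish in 8 cycles alone, in 15 cycles beside eight `popcnt` micro-ops that need the same single port (a 1.875x slowdown), and still in 8 cycles beside eight `load` micro-ops that use a disjoint port group. That overlap-dependent slowdown is the signal the article describes; on real hardware the port table is fixed by the microarchitecture, which is why a sequence's fingerprint can be recognised from the contention it causes.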
The researchers have released the proof of concept to facilitate further research on SMoTher. They have also created a concept exploit for OpenSSL.
The authors of the study include EPFL scholars Atri Bhattacharyya, Babak Falsafi, and Mathias Payer, and IBM Research experts Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, and Anil Kurmus. While the full paper is available on arXiv, a summary of their findings is available in a blog post by the EPFL team. The research is a collaborative work of EPFL’s HexHive and PARSA labs, and IBM Research Zurich.