Exploitation of Security Vulnerability on Retirement

The backend of the processor executes the μops decoded by the frontend out of order, while the retirement unit retires completed μops from the Reorder Buffer in order. Consequently, retirement may stall for different lengths of time depending on the execution time of the oldest instruction in the Reorder Buffer. Moreover, since retirement is shared between the two logical cores of a physical core, an attacker can deduce the instructions executed on the other logical core by observing the availability of its own retirement slots. Based on this finding, we introduce two novel covert channels, the Different Instructions covert channel and the Same Instructions covert channel, which transmit information across logical cores and are able to bypass existing protection strategies. Furthermore, this paper explores additional applications of retirement. On the one hand, we propose a new variant of Spectre v1 that applies retirement to the Spectre attack, using the principle that the rollback penalty of a misprediction depends on the instructions that were speculatively executed. On the other hand, based on the principle that different programs produce different usage patterns of retirement, we propose an attack method that leverages retirement to infer the program run by the victim. Finally, we discuss possible mitigations against the new covert channels.
