Hacky Racers: Exploiting Instruction-Level Parallelism to Generate Stealthy Fine-Grained Timers

by   Haocheng Xiao, et al.

Side-channel attacks pose serious threats to many security models, especially sandbox-based browsers. While transient-execution side channels in out-of-order processors have previously been blamed for vulnerabilities such as Spectre and Meltdown, we show that in fact, the capability of out-of-order execution itself to cause mayhem is far more general. We develop Hacky Racers, a new type of timing gadget that uses instruction-level parallelism, another key feature of out-of-order execution, to measure arbitrary fine-grained timing differences, even in the presence of highly restricted JavaScript sandbox environments. While such environments try to mitigate timing side channels by reducing timer precision and removing language features such as SharedArrayBuffer that can be used to indirectly generate timers via thread-level parallelism, no such restrictions can be designed to limit Hacky Racers. We also design versions of Hacky Racers that require no misspeculation whatsoever, demonstrating that transient execution is not the only threat to security from modern microarchitectural performance optimization. We use Hacky Racers to construct novel backwards-in-time Spectre gadgets, which break many hardware countermeasures in the literature by leaking secrets before misspeculation is discovered. We also use them to generate the first known last-level cache eviction set generator in JavaScript that does not require SharedArrayBuffer support.


page 4

page 5

page 10

page 11


An Exhaustive Approach to Detecting Transient Execution Side Channels in RTL Designs of Processors

Hardware (HW) security issues have been emerging at an alarming rate in ...

AVX Timing Side-Channel Attacks against Address Space Layout Randomization

Modern x86 processors support an AVX instruction set to boost performanc...

An abstract semantics of speculative execution for reasoning about security vulnerabilities

Reasoning about correctness and security of software is increasingly dif...

This is How You Lose the Transient Execution War

A new class of vulnerabilities related to speculative and out-of-order e...

Preventing Timing Side-Channels via Security-Aware Just-In-Time Compilation

Recent work has shown that Just-In-Time (JIT) compilation can introduce ...

SMoTherSpectre: exploiting speculative execution through port contention

Spectre, Meltdown, and related attacks have demonstrated that kernels, h...

Instructional Level Parallelism

This paper is a review of the developments in Instruction level parallel...

Please sign up or login with your details

Forgot password? Click here to reset