SQUIP: Exploiting the Scheduler Queue Contention Side Channel

Stefan Gast*, Jonas Juffinger, Martin Schwarzl, Gururaj Saileshwar, Andreas Kogler, Simone Franza, Markus Köstl, Daniel Gruss

*Corresponding author for this work

Research output: Contribution to conferencePaperpeer-review

Abstract

Modern superscalar CPUs have multiple execution units that independently execute operations from the instruction stream.
Previous work has shown that numerous side channels exist around these out-of-order execution pipelines, particularly for an attacker running on an SMT core.
In this paper, we present the SQUIP attack, the first side-channel attack on scheduler queues, which are critical for deciding the schedule of instructions to be executed in superscalar CPUs.
Scheduler queues have not been explored as a side channel so far, as Intel CPUs only have a single scheduler queue, and contention thereof would be virtually the same as contention of the reorder buffer.
However, the Apple M1, AMD Zen 2, and Zen 3 microarchitectures have separate scheduler queues per execution unit.

We first reverse-engineer the behavior of the scheduler queues on these CPUs and show that they can be primed and probed.
The SQUIP attack observes the occupancy level from within the same hardware core and across SMT threads.
We evaluate the performance of the SQUIP attack in a covert channel, exfiltrating 0.89 Mbit/s from a co-located virtual machine at an error rate below 0.8 %, and 2.70 Mbit/s from a co-located process at an error rate below 0.8%.
We then demonstrate the side channel on an mbedTLS RSA signature process in a co-located process and in a co-located virtual machine.
Our attack recovers full RSA4096 keys with only 50 500 traces and less than 5 to 18 bit errors on average.
Finally, we discuss mitigations necessary, especially for Zen 2 and Zen 3 systems, to prevent our attacks.
Original languageEnglish
Number of pages17
Publication statusPublished - 2023
Event43th IEEE Symposium on Security and Privacay: IEEE S&P 2023 - San Francisco, United States
Duration: 22 May 202324 May 2023

Conference

Conference43th IEEE Symposium on Security and Privacay
Abbreviated titleIEEE S&P 2023
Country/TerritoryUnited States
CitySan Francisco
Period22/05/2324/05/23

Fingerprint

Dive into the research topics of 'SQUIP: Exploiting the Scheduler Queue Contention Side Channel'. Together they form a unique fingerprint.

Cite this