Guardado en:
Detalles Bibliográficos
Autores principales: Li, Zhouyang, Qiu, Pengfei, Qing, Yu, Wang, Chunlu, Wang, Dongsheng, Zhang, Xiao, Qu, Gang
Formato: Preprint
Publicado: 2025
Materias:
Acceso en línea:https://arxiv.org/abs/2502.10722
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866916617076604928
author Li, Zhouyang
Qiu, Pengfei
Qing, Yu
Wang, Chunlu
Wang, Dongsheng
Zhang, Xiao
Qu, Gang
author_facet Li, Zhouyang
Qiu, Pengfei
Qing, Yu
Wang, Chunlu
Wang, Dongsheng
Zhang, Xiao
Qu, Gang
contents Modern processors widely equip the Performance Monitoring Unit (PMU) to collect various architecture and microarchitecture events. Software developers often utilize the PMU to enhance program's performance, but the potential side effects that arise from its activation are often disregarded. In this paper, we find that the PMU can be employed to retrieve instruction operands. Based on this discovery, we introduce PMU-Data, a novel category of side-channel attacks aimed at leaking secret by identifying instruction operands with PMU. To achieve the PMU-Data attack, we develop five gadgets to encode the confidential data into distinct data-related traces while maintaining the control-flow unchanged. We then measure all documented PMU events on three physical machines with different processors while those gadgets are performing. We successfully identify two types of vulnerable gadgets caused by DIV and MOV instructions. Additionally, we discover 40 vulnerable PMU events that can be used to carry out the PMU-Data attack. We through real experiments to demonstrate the perniciousness of the PMU-Data attack by implementing three attack goals: (1) leaking the kernel data illegally combined with the transient execution vulnerabilities including Meltdown, Spectre, and Zombieload; (2) building a covert-channel to secretly transfer data; (3) extracting the secret data protected by the Trusted Execution Environment (TEE) combined with the Zombieload vulnerability.
format Preprint
id arxiv_https___arxiv_org_abs_2502_10722
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle PMU-Data: Data Traces Could be Distinguished
Li, Zhouyang
Qiu, Pengfei
Qing, Yu
Wang, Chunlu
Wang, Dongsheng
Zhang, Xiao
Qu, Gang
Cryptography and Security
Modern processors widely equip the Performance Monitoring Unit (PMU) to collect various architecture and microarchitecture events. Software developers often utilize the PMU to enhance program's performance, but the potential side effects that arise from its activation are often disregarded. In this paper, we find that the PMU can be employed to retrieve instruction operands. Based on this discovery, we introduce PMU-Data, a novel category of side-channel attacks aimed at leaking secret by identifying instruction operands with PMU. To achieve the PMU-Data attack, we develop five gadgets to encode the confidential data into distinct data-related traces while maintaining the control-flow unchanged. We then measure all documented PMU events on three physical machines with different processors while those gadgets are performing. We successfully identify two types of vulnerable gadgets caused by DIV and MOV instructions. Additionally, we discover 40 vulnerable PMU events that can be used to carry out the PMU-Data attack. We through real experiments to demonstrate the perniciousness of the PMU-Data attack by implementing three attack goals: (1) leaking the kernel data illegally combined with the transient execution vulnerabilities including Meltdown, Spectre, and Zombieload; (2) building a covert-channel to secretly transfer data; (3) extracting the secret data protected by the Trusted Execution Environment (TEE) combined with the Zombieload vulnerability.
title PMU-Data: Data Traces Could be Distinguished
topic Cryptography and Security
url https://arxiv.org/abs/2502.10722