Abstract

Modern OSs expose an interface for monitoring CPU temperature to unprivileged users for effective user decision-based thermal management. Due to the low sampling rate and resolution, thermal sensors have generally been restricted to the construction of covert channels. However, exposing the thermal interface to unprivileged users may be problematic, because the heat emission inside a CPU core is affected by program execution on the core; an attacker may be able to infer the secret information of the program by exploiting the thermal interface as a side-channel. In this paper, we extensively analyze digital thermal sensors in Intel CPUs and show that it is possible to implement a software-based thermal side-channel attack. Specifically, by analyzing some properties of the thermal sensors, we inferred that the thermal sensor makes it possible to distinguish between a cache hit and a physical memory access in memory load operations. Based on the analysis results, we implement ThermalBleed, a thermal side-channel attack that breaks kernel address space layout randomization (KASLR) in Linux systems. Moreover, by conducting an in-depth analysis, we identify useful hidden properties of the Intel thermal sensors. Our analysis establishes a stepping stone to build a more precise and effective thermal side-channel attack in the future. To the best of our knowledge, this is the first work that extends a thermal covert channel to a practical side-channel attack by exploring the properties of Intel digital thermal sensors.

Highlights

  • CPU vendors make use of various performance-optimizing techniques to meet the requirements of various applications. For the purpose of CPU monitoring, they provide interfaces through which various types of measurement data such as CPU frequency, energy consumption, and temperature are obtained.

  • Owing to the properties of the CPU thermal sensors that we evaluated, the memory access to the physically backed address shows a sharp increase in the temperature as it causes dTLB hits.

  • We evaluate digital thermal sensors in Intel CPUs and uncover some properties that can be used as a practical leakage source.

Summary

INTRODUCTION

CPU vendors make use of various performance-optimizing techniques (e.g., cache, out-of-order, and speculative execution) to meet the requirements of various applications. By measuring the CPU temperature, an attacker can successfully de-randomize the kernel address. Such thermal differences between the dTLB hits and dTLB misses provide a sufficiently reliable channel to the attacker despite various noise factors (e.g., dynamic voltage and frequency scaling (DVFS), cooling devices, and remnant heat [8]). The previous work utilizes a basic thermal property that a compute-intensive workload generates more heat than a lightweight workload. This restricts the research direction to coarse-grained covert channel attacks only. We evaluate digital thermal sensors in Intel CPUs and uncover some properties that can be used as a practical leakage source.

THERMAL SIDE-CHANNEL ANALYSIS
HWMON INTERFACE
ADDRESS SPACE LAYOUT RANDOMIZATION
ATTACK PRIMITIVES
EXPERIMENTAL SETUP
DISTINGUISHING MEMORY ACCESS
DISTINGUISHING ADDRESS TRANSLATION
BREAKING KASLR
THREAT MODEL
THERMALBLEED ATTACK
EVALUATION
IN-DEPTH ANALYSIS OF THERMAL SENSORS
ATTACK ON CRYPTOGRAPHIC ALGORITHMS
RELATED WORK
Findings
VIII. CONCLUSION