Modern x86 processors support an AVX instruction set to boost performance. However, this extension set may also cause security issues. We discovered that there are vulnerable properties in the implementation of the masked load/store instructions. First, these instructions can suppress exceptions caused by invalid or inaccessible memory access. Second, the execution time of these instructions leaks the current state of the page mappings, permissions, and TLB states. Based on this, we present a novel AVX timing side-channel attack that can defeat address space layout randomization. We demonstrate the significance of our side-channel attack by showing User and Kernel ASLR breaks on the recent Intel and AMD processors in various environments, including cloud computing systems (Amazon AWS, Google GCP, and Microsoft Azure), an SGX enclave (a fine-grained ASLR break), and major OSes (Linux, Windows, and macOS). Our attack can identify the Linux kernel's base address in 0.29 ms as well as those of loaded kernel modules in 2.24 ms, with a near-zero error rate. We further demonstrate that our attack can be used to infer user behavior, such as mouse movements and data transmissions over the network. Our evaluation results on multiple mobile, desktop, and server processors (a total of 26 Intel and AMD CPUs) show that 1) the AVX timing side-channel works on the vast majority of Intel processors (from the Sandy Bridge microarchitecture) as well as AMD processors (from the Zen microarchitecture onward) and 2) our KASLR breaks are very fast and reliable. To the best of our knowledge, our attack is the first to demonstrate a KASLR break on both the recent Intel Alder Lake and AMD Zen 3 CPUs. We highlight that more robust isolation or fine-grained randomization should be adopted to mitigate our presented attacks successfully.