
Vulnerabilities Found

Open XsPFTdot7Hy3 opened this issue 1 year ago • 0 comments

Hello,

We wanted to share a couple of vulnerabilities we discovered in InvisiSpec's current code base. It would be great if you could take a look and respond if these look correct: https://github.com/XsPFTdot7Hy3/InvisiSpec-vulnerabilities

Speculative Invalidation of Caches: We found a bug in InvisiSpec’s gem5 implementation where speculative loads can still perform evictions, and thus affect the final state of the cache. An attacker could exploit this through a Prime+Probe-style attack to determine information about addresses which are only accessed speculatively.

Speculative-Interference Attack Observable from the Same Core: There is an additional issue with InvisiSpec’s vulnerability to speculative interference attacks. Previously, such attacks required a reference load to be from another thread, and the attacker to be a multi-threaded attacker. We observe that this attack works even in a 1-core setting. Below, we provide a simple example with two asms, one for a secret=0 (test_case_input1.asm), and another for a secret=1 (test_case_input2.asm). Only the inputs in registers are different in the two asms; the program itself is the same.

We have a reference load in the same program at the very end, which is a non-speculative cache hit. We observe that the reference load has a long latency if there is MSHR interference or a short latency if there is no MSHR interference, based on whether there is a speculative miss or not.

Full details of our attack are contained here: https://github.com/XsPFTdot7Hy3/InvisiSpec-vulnerabilities/blob/main/InvisiSpec%20Disclosure.pdf

Code containing demonstration of our attacks: https://github.com/XsPFTdot7Hy3/InvisiSpec-vulnerabilities

XsPFTdot7Hy3, Jun 18 '24 00:06
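The first issue above concerns the property InvisiSpec is meant to guarantee: the cache state left behind after execution must not depend on which addresses were loaded only speculatively. The following Python model is an added illustration, not code from the InvisiSpec project, its gem5 implementation, or the reporter's repository. It models a tiny set-associative LRU cache with two policies for speculative misses (the intended "invisible" policy, where the load is served without touching the cache, and the reported buggy policy, where the speculative miss allocates a line and may evict one), and runs the same constructed access sequence under two secret values. The cache geometry, addresses and access sequence are all constructed for the example; the check at the end is the kind of differential regression test a maintainer could port to the simulator to catch the eviction bug.

```python
"""Toy model of InvisiSpec's cache-state property: the final cache contents
must be identical regardless of which addresses were loaded only speculatively.
Added illustration; not the InvisiSpec/gem5 code. Geometry and addresses are constructed."""
from collections import deque

NUM_SETS = 4   # constructed: 4 sets
WAYS = 2       # constructed: 2-way set associative


class Cache:
    """Set-associative cache with LRU replacement.
    Each set is a deque of tags ordered LRU (left) to MRU (right)."""

    def __init__(self, invisible_speculation: bool):
        self.sets = [deque() for _ in range(NUM_SETS)]
        # True  = intended InvisiSpec behaviour: speculative misses leave the cache untouched
        # False = the reported bug: speculative misses allocate (and therefore evict)
        self.invisible_speculation = invisible_speculation

    @staticmethod
    def _index(addr: int) -> int:
        return addr % NUM_SETS

    @staticmethod
    def _tag(addr: int) -> int:
        return addr // NUM_SETS

    def _allocate(self, s: deque, tag: int) -> None:
        """Fill a line, evicting the LRU tag when the set is full."""
        if len(s) >= WAYS:
            s.popleft()
        s.append(tag)

    def load(self, addr: int, speculative: bool = False) -> bool:
        """Perform a load; return True on hit, False on miss.
        Non-speculative loads update LRU state on hit and allocate on miss.
        Speculative loads never update LRU state; on a miss they either leave
        the cache untouched (invisible) or allocate like a normal miss (buggy)."""
        s = self.sets[self._index(addr)]
        tag = self._tag(addr)
        if tag in s:
            if not speculative:
                s.remove(tag)
                s.append(tag)      # move to MRU
            return True
        if not speculative or not self.invisible_speculation:
            self._allocate(s, tag)
        return False

    def snapshot(self):
        """Immutable view of the whole cache state for comparison."""
        return tuple(tuple(s) for s in self.sets)


def run_victim(secret: int, invisible_speculation: bool):
    """Same program for both secret values; only the speculatively loaded
    address depends on the secret, and that load is squashed afterwards."""
    cache = Cache(invisible_speculation)
    # Two non-speculative loads that fill set 0 (addresses 0 and NUM_SETS both map to set 0).
    for addr in (0, NUM_SETS):
        cache.load(addr)
    # Mispredicted branch: secret=1 touches a third line in set 0, secret=0 touches set 1.
    spec_addr = 2 * NUM_SETS if secret else 1
    cache.load(spec_addr, speculative=True)
    # The speculative load is squashed; only the architectural cache state remains.
    return cache.snapshot()


def cache_state_is_secret_independent(invisible_speculation: bool) -> bool:
    """The regression property: identical final cache state for secret=0 and secret=1."""
    return run_victim(0, invisible_speculation) == run_victim(1, invisible_speculation)


if __name__ == "__main__":
    print("intended policy, state independent of secret:",
          cache_state_is_secret_independent(True))    # True
    print("buggy policy, state independent of secret:",
          cache_state_is_secret_independent(False))   # False
    print("buggy policy, set 0 after secret=1:", run_victim(1, False)[0])  # (1, 2): tag 0 evicted
```

Under the intended policy both runs leave set 0 holding tags (0, 1); under the buggy policy the secret=1 run evicts tag 0 from set 0 while the secret=0 run does not, which is exactly the state difference the issue describes. A check of this shape, run over the simulator's cache contents after a squashed speculative window, turns the property into an automated test rather than relying on a timing measurement to notice the leak.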