research-article

FetchBench: Systematic Identification and Characterization of Proprietary Prefetchers

Authors:

Till Schlüter,

Amit Choudhari,

Lorenz Hetterich,

Michael Schwarz,

Christian Rossow,

Nils Ole TippenhauerAuthors Info & Claims

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Pages 975 - 989

https://doi.org/10.1145/3576915.3623124

Published: 21 November 2023 Publication History

Abstract

Prefetchers speculatively fetch memory using predictions on future memory use by applications. Different CPUs may use different prefetcher types, and two implementations of the same prefetcher can differ in details of their characteristics, leading to distinct runtime behavior. For a few implementations, security researchers showed through manual analysis how to exploit specific prefetchers to leak data. Identifying such vulnerabilities required tedious reverse-engineering, as prefetcher implementations are proprietary and undocumented. So far, no systematic study of prefetchers in common CPUs is available, preventing further security assessment.

In this work, we address the following question: How can we systematically identify and characterize under-specified prefetchers in proprietary processors? To answer this question, we systematically analyze approaches to prefetching, design cross-platform tests to identify and characterize prefetchers on a given CPU, and demonstrate that our implementation FetchBench can characterize prefetchers on 19 different ARM and x86-64 CPUs. For example, FetchBench uncovers and characterizes a previously unknown replay-based prefetcher on the ARM Cortex-A72 CPU. Based on these findings, we demonstrate two novel attacks that exploit this undocumented prefetcher as a side channel to leak secret information, even from the secure TrustZone into the normal world.

References

[1]

Arm Ltd. 2016. ARM® Cortex®-A72 MPCore Processor Technical Reference Manual.

[2]

Arm Ltd. 2023. TrustZone for Cortex-A. https://developer.arm.com/Processors/TrustZone%20for%20Cortex-A

[3]

Grant Ayers, Heiner Litz, Christos Kozyrakis, and Parthasarathy Ranganathan. 2020. Classifying Memory Access Patterns for Prefetching. In Proceedings of the Twenty -Fifth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '20). Association for Computing Machinery, New York, NY, USA, 513--526.

Digital Library

[4]

Jean-Loup Baer and Tien-Fu Chen. 1991. An Effective On-Chip Preloading Scheme to Reduce Data Access Penalty. In Supercomputing '91:Proceedings of the 1991 ACM /IEEE Conference on Supercomputing. 176--186.

Digital Library

[5]

Nathan Binkert, Bradford Beckmann, Gabriel Black, Steven K. Reinhardt, Ali Saidi, Arkaprava Basu, Joel Hestness, Derek R. Hower, Tushar Krishna, Somayeh Sardashti, Rathijit Sen, Korey Sewell, Muhammad Shoaib, Nilay Vaish, Mark D. Hill, and David A. Wood. 2011. The Gem5 Simulator. SIGARCH Comput. Archit. News, Vol. 39, 2 (aug 2011), 1--7.

Digital Library

[6]

Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A Systematic Evaluation of Transient Execution Attacks and Defenses. In 28th USENIX Security Symposium (USENIX Security 19) (Santa Clara (US)). USENIX Association, 19.

[7]

Yun Chen, Lingfeng Pei, and Trevor E. Carlson. 2023. AfterImage: Leaking Control Flow Data and Tracking Load Operations via the Hardware Prefetcher. In Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2. ACM, Vancouver BC Canada, 16--32.

[8]

Patrick Cronin and Chengmo Yang. 2019. A Fetching Tale : Covert Communication with the Hardware Prefetcher. In 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST ).

[9]

Guillaume Didier, Clémentine Maurice, Antoine Geimer, and Walid J. Ghandour. 2022. Characterizing Prefetchers using CacheObserver. In 2022 IEEE 34th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD). 170--179.

[10]

Electronic Frontier Foundation. 1998. Frequently Asked Questions (FAQ) About the Electronic Frontier Foundation's "DES Cracker" Machine. https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html

[11]

Babak Falsafi and Thomas F. Wenisch. 2014. A Primer on Hardware Prefetching. Number 28 in Synthesis Lectures Computer Architecture. Morgan & Claypool.

[12]

Lukas Gerlach, Daniel Weber, Ruiyi Zhang, and Michael Schwarz. 2023. A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs. In IEEE Symposium on Security and Privacy (S&P) 2023. IEEE Computer Society.

[13]

Marius Grannaes, Magnus Jahre, and Lasse Natvig. 2010. Multi-Level Hardware Prefetching Using Low Complexity Delta Correlating Prediction Tables with Partial Matching. In Proceedings of the 5th International Conference on High Performance Embedded Architectures and Compilers (Pisa, Italy) (HiPEAC'10). 247--261.

Digital Library

[14]

Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, and Stefan Mangard. 2016a. Prefetch Side -Channel Attacks: Bypassing SMAP and Kernel ASLR. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). Association for Computing Machinery, New York, NY, USA, 368--379.

Digital Library

[15]

Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. 2016b. FlushFlush: A Fast and Stealthy Cache Attack. In Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9721 (DIMVA 2016).

Digital Library

[16]

Yanan Guo, Andrew Zigerelli, Youtao Zhang, and Jun Yang. 2023. Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks. In IEEE Symposium on Security and Privacy (S&P) 2022. IEEE Computer Society.

[17]

Ahmad Ibrahim, Hamed Nemati, Till Schlüter, Nils Ole Tippenhauer, and Christian Rossow. 2022. Microarchitectural Leakage Templates and Their Application to Cache-Based Side Channels. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS '22).

Digital Library

[18]

Intel Corp. 2022. Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations. https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/mitigate-timing-side-channel-crypto-implementation.html

[19]

Intel Corp. 2023. Intel® 64 and IA-32 Architectures Optimization Reference Manual.

[20]

Doug Joseph and Dirk Grunwald. 1997. Prefetching Using Markov Predictors. In Proceedings of the 24th Annual International Symposium on Computer Architecture (Denver, Colorado, USA) (ISCA '97). Association for Computing Machinery, New York, NY, USA, 252--263.

Digital Library

[21]

Paul Kocher, Jann Horn, Anders Fogh, and Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy (S&P'19).

[22]

Yoochan Lee, Changwoo Min, and Byoungyoung Lee. 2021. ExpRace: Exploiting Kernel Races through Raising Interrupts. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 2363--2380.

[23]

Moritz Lipp, Daniel Gruss, and Michael Schwarz. 2022. AMD Prefetch Attacks through Power and Time. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 643--660.

[24]

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In 27th USENIX Security Symposium (USENIX Security 18).

Digital Library

[25]

Kyle J. Nesbit and James E. Smith. 2004. Data Cache Prefetching Using a Global History Buffer. In 10th International Symposium on High Performance Computer Architecture (HPCA '04). 96--96.

[26]

Colin Percival. 2005. Cache Missing for Fun and Profit. In In Proc. of BSDCan 2005.

[27]

Rockchip Electronics Co., Ltd. 2021. Rockchip RK3399-T Datasheet. Revision 1.0.

[28]

Aditya Rohan, Biswabandan Panda, and Prakhar Agarwal. 2020. Reverse Engineering the Stream Prefetcher for Profit. In IEEE European Symposium on Security and Privacy Workshops, EuroS&P Workshops 2020, Genoa, Italy, September 7-11, 2020. 682--687.

[29]

Jose Rodrigo Sanchez Vicarte, Michael Flanders, Riccardo Paccagnella, Grant Garrett-Grossman, Adam Morrison, Christopher W. Fletcher, and David Kohlbrenner. 2022. Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest. In IEEE Symposium on Security and Privacy (S&P) 2022. IEEE Computer Society.

[30]

Jose Rodrigo Sanchez Vicarte, Pradyumna Shome, Nandeeka Nayak, Caroline Trippel, Adam Morrison, David Kohlbrenner, and Christopher W. Fletcher. 2021. Opening Pandora's Box: A Systematic Study of New Ways Microarchitecture Can Leak Private Data. In 48th ACM/IEEE Annual International Symposium on Computer Architecture, ISCA 2021, Valencia, Spain, June 14-18, 2021. 347--360.

[31]

Ashley Saulsbury, Fredrik Dahlgren, and Per Stenstrom. 2000. Recency-Based TLB Preloading. In Proceedings of 27th International Symposium on Computer Architecture (ISCA 2000). 117--127.

Digital Library

[32]

Youngjoo Shin, Hyung Chan Kim, Dokeun Kwon, Ji Hoon Jeong, and Junbeom Hur. 2018. Unveiling Hardware -Based Data Prefetcher, a Hidden Source of Information Leakage. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18). Association for Computing Machinery, New York, NY, USA.

Digital Library

[33]

Alan Jay Smith. 1978. Sequential Program Prefetching in Memory Hierarchies. Computer, Vol. 11, 12 (Dec. 1978), 7--21.

Digital Library

[34]

Stephen Somogyi, Thomas F. Wenisch, Anastasia Ailamaki, and Babak Falsafi. 2009. Spatio-Temporal Memory Streaming. In Proceedings of the 36th Annual International Symposium on Computer Architecture (ISCA '09). Association for Computing Machinery, New York, NY, USA, 69--80.

Digital Library

[35]

Stephen Somogyi, Thomas F. Wenisch, Anastassia Ailamaki, Babak Falsafi, and Andreas Moshovos. 2006. Spatial Memory Streaming. In Proceedings of the 33rd Annual International Symposium on Computer Architecture (ISCA '06). IEEE Computer Society, USA.

Digital Library

[36]

Eran Tromer, Dag Arne Osvik, and Adi Shamir. 2010. Efficient Cache Attacks on AES, and Countermeasures. Journal of Cryptology, Vol. 23, 1 (Jan. 2010), 37--71.

Digital Library

[37]

Krishnaswamy Viswanathan. 2014. Disclosure of Hardware Prefetcher Control on Some Intel® Processors. Intel. https://web.archive.org/web/20201112034737/https://software.intel.com/content/www/us/en/develop/articles/disclosure-of-hw-prefetcher-control-on-some-intel-processors.html

[38]

Thomas F. Wenisch, Michael Ferdman, Anastasia Ailamaki, Babak Falsafi, and Andreas Moshovos. 2009. Practical Off-Chip Meta-Data for Temporal Memory Streaming. In 2009 IEEE 15th International Symposium on High Performance Computer Architecture. 79--90.

[39]

Thomas F. Wenisch, Stephen Somogyi, Nikolaos Hardavellas, Jangwoo Kim, Anastassia Ailamaki, and Babak Falsafi. 2005. Temporal Streaming of Shared Memory. In Proceedings of the 32nd Annual International Symposium on Computer Architecture (ISCA 2005). 12.

Digital Library

[40]

Chong Xiao, Ming Tang, and Sylvain Guilley. 2023. Exploiting the Microarchitectural Leakage of Prefetching Activities for Side-Channel Attacks. Journal of Systems Architecture (April 2023), 102877.

Digital Library

[41]

Yuval Yarom and Katrina Falkner. 2014. FLUSH RELOAD : A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In 23rd USENIX Security Symposium (USENIX Security 14). 719--732.

[42]

Xiangyao Yu, Christopher J. Hughes, Nadathur Satish, and Srinivas Devadas. 2015. IMP: indirect memory prefetcher. In Proceedings of the 48th International Symposium on Microarchitecture, MICRO 2015, Waikiki, HI, USA, December 5-9, 2015. 178--190.

Digital Library

[43]

Zhiyuan Zhang, Mingtian Tao, Sioli O'Connell, Chitchanok Chuengsatiansup, Daniel Genkin, and Yuval Yarom. 2023. BunnyHop: Exploiting the Instruction Prefetcher. In 32nd USENIX Security Symposium (USENIX Security 23).

Cited By

Kühn RMühlig JTeubner J(2024)How to Be Fast and Not Furious: Looking Under the Hood of CPU Cache PrefetchingProceedings of the 20th International Workshop on Data Management on New Hardware10.1145/3662010.3663451(1-10)Online publication date: 10-Jun-2024
https://dl.acm.org/doi/10.1145/3662010.3663451

Index Terms

FetchBench: Systematic Identification and Characterization of Proprietary Prefetchers
1. Security and privacy
  1. Security in hardware
    1. Hardware attacks and countermeasures
      1. Side-channel analysis and countermeasures

Recommendations

Coordinated control of multiple prefetchers in multi-core systems
MICRO 42: Proceedings of the 42nd Annual IEEE/ACM International Symposium on Microarchitecture

Aggressive prefetching is very beneficial for memory latency tolerance of many applications. However, it faces significant challenges in multi-core systems. Prefetchers of different cores on a chip multiprocessor (CMP) can cause significant interference ...
Hardware prefetchers for emerging parallel applications
PACT '12: Proceedings of the 21st international conference on Parallel architectures and compilation techniques

Hardware prefetching has been studied in the past for multi-programmed workloads as well as GPUs. Efficient hardware prefetchers like stream-based or GHB-based ones work well for multiprogrammed workloads because different programs get mapped to ...
Page Size Aware Cache Prefetching
MICRO '22: Proceedings of the 55th Annual IEEE/ACM International Symposium on Microarchitecture

The increase in working set sizes of contemporary applications outpaces the growth in cache sizes, resulting in frequent main memory accesses that deteriorate system performance due to the disparity between processor and memory speeds. Prefetching ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

November 2023

3722 pages

ISBN:9798400700507

DOI:10.1145/3576915

General Chairs:
Weizhi Meng
Technical University of Denmark
,
Christian D. Jensen
Technical University of Denmark
,
Program Chairs:
Cas Cremers
CISPA Helmholtz Center for Information Security
,
Engin Kirda
Khoury College of Computer Sciences

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 November 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS '23

Sponsor:

SIGSAC

CCS '23: ACM SIGSAC Conference on Computer and Communications Security

November 26 - 30, 2023

Copenhagen, Denmark

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
457
Total Downloads

Downloads (Last 12 months)354
Downloads (Last 6 weeks)21

Reflects downloads up to 26 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kühn RMühlig JTeubner J(2024)How to Be Fast and Not Furious: Looking Under the Hood of CPU Cache PrefetchingProceedings of the 20th International Workshop on Data Management on New Hardware10.1145/3662010.3663451(1-10)Online publication date: 10-Jun-2024
https://dl.acm.org/doi/10.1145/3662010.3663451

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents