Go to DBLP homepageOxpecker: Leaking Secrets via Fetch Target Queue
Abstract: Modern processors integrate carefully designed micro-architectural components within the front-end to optimize performance. These components include instruction cache, micro-operation cache, and instruction prefetcher. Through experimentation, we observed that the rate of instruction generation in the fetch unit markedly exceeds the execution rate in the decode unit. However, existing frameworks of processors fail to explain this phenomenon. Consequently, we empirically validate the presence of an optimization feature, referred to as the fetch target queue (FTQ), within the Intel processor. To the best of our knowledge, our study represents the first empirical validation of FTQ across various Intel processors and provides a comprehensive characterization of unrecorded FTQ micro-structural details on Intel processors. Our analysis uncovers overlooked insights that front-end rollbacks caused by the incorrectly ordered instructions or mismatched instruction lengths stored in FTQ introduce specific execution latencies. Based on these observations, we introduce the Oxpecker attack, consisting of two attack primitives, which leverages the FTQ to construct novel side-channel attacks. We construct two distinct exploitation scenarios for each attack primitive to demonstrate the Oxpecker attack’s capability to leak secret control flow information and break Kernel Address Space Layout Randomization.
External IDs:dblp:journals/tcad/LiXSL25
Loading