eScholarship
Open Access Publications from the University of California

UC Riverside

UC Riverside Electronic Theses and Dissertations

CPU Side-Channels: New Attacks and Applications

Abstract

CPU micro-architectural side-channels, or CPU side-channels for short, have gained plenty of attention recently. Many existing works have proved that classical CPU side-channel attacks (e.g. Prime+probe and Flush+reload), as well as recently discovered attacks (e.g. Spectre, Meltdown, Zombieload), are practical and effective against cryptographic libraries. However, we believe that CPU side-channels have more potential and can be utilized in a wider variety of attacks and applications.

In our work, we strive to push the capacity of existing CPU side-channel attacks and apply them to novel attacks and applications, and in the meantime discover new research aspects. More specifically, 1) we propose the concept of a prime+probe attack to extract onscreen keyboard inputs on Android, 2) we design and implement an automated approach to augment the prime+probe attack in the environment of aggressive cache prefetching and demonstrate significant improvement over the traditional prime+probe attack, 3) we design a machine-learning-based system to automatically discover execution timing side-channels in graphics rendering libraries and use the flush+reload attack to exploit them on multiple platforms, evaluate it using real-world applications and demonstrate its ability to infer sensitive user input with high accuracy, 4) we propose to use CPU side-channels as feedback to fuzzing when the target binary cannot be modified and perform some initial evaluations, 5) we propose to improve the coverage discovery rate of kernel fuzzing with reinforcement learning, implement it around Syzkaller and significantly improve its coverage growth when fuzzing the Linux kernel. Ultimately, we demonstrate that CPU side-channels have great potential and can be practically applied in many attacks and applications. Moreover, researching CPU side-channel attacks and applications can sometimes lead to interesting new research aspects.
