

# **SQUIP**

Exploiting the Scheduler Queue Contention Side Channel

Stefan Gast <sup>1</sup> Jonas Juffinger <sup>1</sup> Martin Schwarzl <sup>1</sup> Gururaj Saileshwar <sup>2</sup> Andreas Kogler <sup>1</sup>
Simone Franza <sup>1</sup> Markus Köstl <sup>1</sup> Daniel Gruss <sup>1</sup>

2023-05-23

<sup>&</sup>lt;sup>1</sup>Graz University of Technology

<sup>&</sup>lt;sup>2</sup>Georgia Institute of Technology







#### Can we exploit this difference?



#### **Attacker**



# **Victim**

mov (%rsi), %rax
mul %rbx
add \$0x8, %rsi
add %rcx, %rax
mov %r8, %rcx
adc \$0x0, %rdx
nop

### **Attacker**





# **Victim**

mov (%rsi), %rax
mul %rbx
add \$0x8, %rsi
add %rcx, %rax
mov %r8, %rcx
adc \$0x0, %rdx
nop



#### **Attacker**





# **Victim**

```
mov (%rsi), %rax
mul %rbx
add $0x8, %rsi
add %rcx, %rax
mov %r8, %rcx
adc $0x0, %rdx
nop
```





















































































rdtsc / rdpru

...

rdtsc / rdpru

mov (%rdi), %rax

rdtsc / rdpru

...

















...

rdtsc / rdpru

mov (%rdi), %rax

rdtsc / rdpru

...





Adding serializing instructions around rdtsc

Exploiting out-of-order execution of rdtsc



movl \$10000, %eax drain loop: imulq \$3, %r15 subl \$1, %eax imulq \$3, %r15 queue fill jnz loop imulq \$3, %r15 imulq \$3, %r15 queue imulq \$3, %r15 # ...





read movl \$1, %ecx rdpru movl %eax, %ebx time movl \$10000, %eax drain imulg \$3, %r15 loop: subl \$1, %eax imulg \$3, %r15 queue fill jnz loop imulq \$3, %r15 imulg \$3, %r15 queue imulg \$3, %r15 movg \$12345678, %r15 # ... cvtsi2sd %r15, %xmm0 delay sgrtsd %xmm0, %xmm0 multiplisqrtsd %xmm0, %xmm0 sqrtsd %xmm0, %xmm0 cations cvtsd2si %xmm0, %r15

read movl \$1, %ecx rdpru movl %eax, %ebx time movl \$10000, %eax drain imulg \$3, %r15 loop: subl \$1, %eax imulg \$3, %r15 queue fill jnz loop imulq \$3, %r15 imulg \$3, %r15 queue imulg \$3, %r15 movg \$12345678, %r15 # ... cvtsi2sd %r15, %xmm0 delay sgrtsd %xmm0, %xmm0 multiplisqrtsd %xmm0, %xmm0 rdpru read sqrtsd %xmm0, %xmm0 cations subl %ebx, %eax time cvtsd2si %xmm0, %r15













#### Sender

```
forever:

if rdpru(APERF) & 65536 = 0:

15 nops

else:

15 imuls
```

лл

#### Receiver

```
while k < max_iter:
    s[k] = squip()
    ++k</pre>
```





**Covert Channel Evaluation** 



| Scenario | CPU | Raw Tx Rate | Error Rate |
|----------|-----|-------------|------------|
|          |     |             |            |
|          |     |             |            |
|          |     |             |            |
|          |     |             |            |
|          |     |             |            |
|          |     |             |            |

| Scenario      | СРИ                                            | Raw Tx Rate | Error Rate |
|---------------|------------------------------------------------|-------------|------------|
| Cross-Process | Ryzen 7 3700X (Zen 2)<br>Ryzen 7 5800X (Zen 3) |             |            |

| Scenario      | CPU                                                                 | Raw Tx Rate                                                                            | Error Rate                 |
|---------------|---------------------------------------------------------------------|----------------------------------------------------------------------------------------|----------------------------|
| Cross-Process | Ryzen 7 3700X (Zen 2)<br>Ryzen 7 5800X (Zen 3)                      | $2.195{ m Mbits^{-1}}$ $2.700{ m Mbits^{-1}}$                                          |                            |
| Cross-VM      | Ryzen 7 3700X (Zen 2)<br>Ryzen 7 5800X (Zen 3)<br>EPYC 7443 (Zen 3) | 0.873 Mbit s <sup>-1</sup><br>0.892 Mbit s <sup>-1</sup><br>0.874 Mbit s <sup>-1</sup> | 3.18 %<br>0.75 %<br>0.96 % |

| Scenario       | CPU                                                                 | Raw Tx Rate                                                                            | Error Rate                 |
|----------------|---------------------------------------------------------------------|----------------------------------------------------------------------------------------|----------------------------|
| Cross-Process  | Ryzen 7 3700X (Zen 2)<br>Ryzen 7 5800X (Zen 3)                      | $2.195{ m Mbit}{ m s}^{-1}$ $2.700{ m Mbit}{ m s}^{-1}$                                | 0.71 %<br>0.62 %           |
| Cross-VM       | Ryzen 7 3700X (Zen 2)<br>Ryzen 7 5800X (Zen 3)<br>EPYC 7443 (Zen 3) | 0.873 Mbit s <sup>-1</sup><br>0.892 Mbit s <sup>-1</sup><br>0.874 Mbit s <sup>-1</sup> | 3.18 %<br>0.75 %<br>0.96 % |
| Cross-VM (SEV) | EPYC 7443 (Zen 3)                                                   | $0.873{ m Mbit}{ m s}^{-1}$                                                            | 1.47 %                     |



## Attacking RSA (Square+Multiply)









































| Scenario      | Edit Distance | Error Rate | Recording Time |
|---------------|---------------|------------|----------------|
| Cross-Process | 4.9 bit       | 0.12 %     | 41 min         |
| Cross-VM      | 17.8 bit      | 0.5 %      | 38 min         |

- 10 keys, generated with openssl genrsa
- CPU: AMD Ryzen 7 5800X (Zen 3)
- 50500 traces per key









## Countermeasures: Hardware



**Countermeasures: Software** 







## **SQUIP**

Exploiting the Scheduler Queue Contention Side Channel

<u>Stefan Gast</u> Jonas Juffinger Martin Schwarzl Gururaj Saileshwar Andreas Kogler Simone Franza Markus Köstl Daniel Gruss

2023-05-23

■ stefan.gast@iaik.tugraz.at

notbobbytables@infosec.exchange

www.stefangast.eu