Kaiyuan Rong (Tsinghua University, Zhongguancun Laboratory), Junqi Fang (Tsinghua University, Zhongguancun Laboratory), Haixia Wang (Tsinghua University), Dapeng Ju (Tsinghua University, Zhongguancun Laboratory), Dongsheng Wang (Tsinghua University, Zhongguancun Laboratory)

In recent years, the Branch Target Buffer (BTB) has raised significant concerns in system security research.
As this component is logically or physically shared in certain attack scenarios, it is abused by adversaries to construct side-channels that leak sensitive branch information of victim processes.
However, existing BTB side-channel attacks either fail to leak kernel control-flow information from user mode due to the cross-privilege isolation mechanism, or suffer from limited spatial resolution in branch monitoring.

In this paper, we propose Occupy+Probe, a novel eviction-based BTB side-channel attack that bridges these gaps by successfully exposing kernel control-flow behaviors directly from user mode.
Our approach begins with an in-depth reverse engineering of the offset-related BTB update mechanism on Intel processors, and reveals that BTB entries created in user mode can be directly replaced by kernel-mode entries, irrespective of the underlying replacement policy and the hardware isolation, which forms the foundation of Occupy+Probe.
In contrast to existing BTB side-channel attacks, Occupy+Probe eliminates the need for entry sharing between the attacker and the victim.
Moreover, it achieves instruction-level granularity in branch monitoring, surpassing the spatial resolution of existing eviction-based BTB side-channels.

We experimentally demonstrate that Occupy+Probe can leak control-flow information across privilege boundaries with high spatial resolution on various Intel processors.
Furthermore, we validate the practical effectiveness of Occupy+Probe through a detailed case study targeting the Linux Kernel Crypto API, showcasing its potential to compromise critical kernel operations.
Additionally, compared to prior eviction-based BTB side-channels, Occupy+Probe demonstrates a unique capability to extract tag values of kernel branches, which can be exploited to break KASLR.
