# **ShowTime**

CPU Timing Attacks with the Human Eye

**Antoon Purnal** 

Frank Piessens

Marton Bognar

Ingrid Verbauwhede



Time to Start

# 1683796500























Side-channel attacks exploit minuscule timing differences



1-100 ns



Side-channel attacks exploit minuscule timing differences







Side-channel attacks exploit minuscule timing differences

































































 $> 100~\mu s$ 





















### **Attacker Model**

## Basic capabilities

Cross-core
No hugepages
No fixed CPU frequency























not in cache

















# in cache





















multi-shot amplifier









multi-shot amplifier





















not in cache







5100 μs

multi-shot amplifier































































100 μs



200 μs

#### **Sets and Eviction**



#### **Sets and Eviction**



tag index offset



tag 000 offset















































X









B





## **BABCBDBA**…



























# **BABCBDBA**…

all L1 hits

















all L1 hits













all L1 hits

**BABCBDBA**…

many L1 misses















BABCBDBA...

all L1 hits

many L1 misses

1. **from** 1.3x to 2x



















### BABCBDBA··· BABCBDBA···

all I 1 hits

many L1 misses

- from 1.3x to 2x
- 2. **T** from 500us to 5ms











### BABCBDBA...

**BABCBDBA**…

all L1 hits

many L1 misses

- 1. **from** 1.3x to 2x
- 2. **The image of the image of t**
- 3. 💂 amplify more side channels































- 1. 🚺 10×
- 2. 📘 ? ms

# **Live Demo**

Can the audience perform a cache attack with their eyes?

# Fifteen humans (100 samples each)



Fifteen humans (100 samples each)



Average

98.4%

# Fifteen humans (100 samples each)



Average 98.4% Median 99%

Max 100%

### Time to Order







res = fn()

load(res)
load(x)

### Time to Order

```
dep = prepare()
```

race-end(dep1, dep2)

### Time to Order



```
d = evict(A)
```

```
// first leg  // second leg
d1 = secret-delay(d)  d2 = fixed-delay(d)
d1 = load(A ^ d1)  d2 = prefetchNTA(A ^ d2)
```

load(B ^ d1 ^ d2)

### **Teasers**

### Cross-core port contention



CPU frequency



### Architectural reordering



### Eviction set construction



### **Eviction Set Construction**



### **LLC Eviction Sets**





 $100 \mu s$ 



📢 L1 PLRU 🌲



Time To Order

### **LLC Eviction Sets**





100 µs



📢 L1 PLRU 🜲



Time To Order









 $1\,\mathrm{ms}$ 

 $1\,\mu s$ 

Timer Granularity

$$1 \, \mathrm{ms}$$
  $1 \, \mathrm{ms}$   $10 \, \mathrm{\mu s}$ 

**Timer Granularity** 



Timer Granularity



Timer Granularity



Timer Granularity









### **Takeaways**

### Restricting timers is not a holistic countermeasure against timing attacks

### **Takeaways**

### Restricting timers is not a holistic countermeasure against timing attacks



### **Takeaways**

### Restricting timers is not a holistic countermeasure against timing attacks



Side channels can be converted



### **ShowTime**

CPU Timing Attacks with the Human Eye

**Antoon Purnal** 

Marton Bognar

Frank Piessens

Ingrid Verbauwhede

