Intel Knights Landing processors share the last-level cache (LLC) across all tiles using the MESIF protocol and a mesh network of Caching and Homing Agents (CHAs). Due to the structure of the network, cache access is non-uniform, with significant differences in cache hit times. In this paper, we try to exploit this property to leak a secret from a victim process. First, we show a naive implementation of the attack in the gem5 simulator that achieves 100% accuracy in extracting the secret bits. Then we replicate the attack on an Intel Xeon Phi 7290 @ 1.50 GHz Knights Landing CPU to show the efficacy of the attack. On the real machine, we can leak the secret from a victim process at 85% accuracy and ~350 kbps bandwidth. All the attacks were carried out on a machine without any root or sudo privileges, which shows the strength of the attack. The attack can be further extended to leak secrets from different processes, given that the vulnerable patterns may exist in many libraries. Other processors with a similar architecture (distributed last-level cache in a mesh network) can also be vulnerable to a similar attack strategy.