On modern x86 processors, programmers can use data prefetching instructions to boost performance. Although beneficial for performance, PREFETCHW, a data prefetching instruction that accelerates future write operations, has two significant security flaws on Intel processors: first, the instruction can execute on data with read-only permission; second, its execution time leaks the current coherence state of the target data. Based on these two design flaws, we build the first two cross-core cache timing attacks that work on private caches. Specifically, we first propose two covert channel attacks that achieve a transmission rate of 864KB/s, which is higher than that of all existing cache covert channel attacks. We then propose two side channel attacks that can be used to monitor the access pattern of a victim running on the same processor. We demonstrate the efficacy of our attacks by using them to leak private information from everyday applications. Finally, we show that our prefetch-based attacks can be used in transient execution attacks to leak more secrets within a single speculative window.