New Covert and Side Channels Based on Retirement

Intel processors utilize the retirement to orderly retire the micro-ops that have been executed out of order. To enhance retirement utilization, the retirement is dynamically shared between two logical cores on the same physical core. However, this shared retirement mechanism creates a potential vulnerability wherein an attacker can exploit the competition for retirement to infer the data of a victim on another logical core on the same physical core. Based on this leakage, we propose two new covert channels: the Different Instructions (DI) covert channel using different instructions for information transmission, and the Same Instructions (SI) covert channel using the same instructions to transmit information. The DI covert channel can achieve 98.5% accuracy with a bandwidth of 1450 Kbps, while the SI covert channel can achieve 94.85% accuracy with a bandwidth of 483.33 Kbps. Furthermore, this paper explores additional applications of retirement: Firstly, retirement is applied to Spectre attacks, resulting in a new variant of Spectre v1, which can achieve 94.17% accuracy with a bandwidth of 29 Kbps; Secondly, retirement is leveraged to infer the programs being executed by the victim, which can infer 10 integer benchmarks of SPEC with 89.28% accuracy. Finally, we discuss possible protection against new covert channels.