CCCiCC: A Cross-Core Cache-Independent Covert Channel on AMD Family 15h CPUs

  • Carl-Daniel HailfingerEmail author
  • Kerstin Lemke-Rust
  • Christof Paar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11833)


Spectre and similar microarchitectural attacks have recently caused a major paradigm shift in hardware and software development to restrict attacker-controlled speculative execution and microarchitectural sampling. So far, research has focused on cache interaction, instruction scheduling, microarchitectural sampling and speculative side effects, whereas instruction decoding research has been notably absent. We disclose two cross-core covert channels on multiple AMD processor generations (Family 15h) spanning from Bulldozer to Excavator with partial applicability to Zen.

In this work, cross-core instruction decoding and synchronization interactions are explored as a source of information leakage on these processors to yield multiple cache-independent covert channels in a non-SMT environment. In contrast to other attacks, we do not rely on memory interaction nor on speculative execution. None of the existing mitigations in the Linux kernel and processor microcode against transient execution attacks have any measurable effect on the CCCiCC covert channels. To the best of our knowledge, this is not fixable with a microcode update since any updated instruction would also become usable for signaling.


Covert channel Multithreaded and multicore architecture AMD Family 15h Instruction scheduling CPUID instruction Cache-independent Cross-core Information hiding 


  1. 1.
    Acıiçmez, O., Seifert, J.P.: Cheap hardware parallelism implies cheap security. In: Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 80–91. IEEE (2007)Google Scholar
  2. 2.
    AMD: Software Optimization Guide for AMD Family 15h Processors (2014).
  3. 3.
    Bhattacharyya, A., et al.: SMoTherSpectre: exploiting speculative execution through port contention. arXiv preprint arXiv:1903.01843 (2019)
  4. 4.
    Cabrera Aldaya, A., Brumley, B.B., ul Hassan, S., Pereida García, C., Tuveri, N.: Port Contention for Fun and Profit. Cryptology ePrint Archive, Report 2018/1060 (2018).
  5. 5.
    Canella, C., et al.: A systematic evaluation of transient execution attacks and defenses. arXiv preprint arXiv:1811.05441 (2018)
  6. 6.
    Evtyushkin, D., Ponomarev, D.: Covert channels through random number generator: mechanisms, capacity estimation and mitigations. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 843–857. ACM (2016)Google Scholar
  7. 7.
    Fog, A.: Instruction tables: lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs (2018).
  8. 8.
    Fogh, A.: Covert Shotgun: automatically finding SMT covert channels (2016).
  9. 9.
    Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. 8(1), 1–27 (2018)CrossRefGoogle Scholar
  10. 10.
    Gras, B., Razavi, K., Bos, H., Giuffrida, C.: Translation leak-aside buffer: defeating cache side-channel protections with TLB attacks. In: 27th USENIX Security Symposium, SEC 2018, pp. 955–972. USENIX Association, Berkeley (2018)Google Scholar
  11. 11.
    Horn, J.: Speculative execution, variant 4: speculative store bypass (2018).
  12. 12.
    Kocher, P., et al.: Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203 (2018)
  13. 13.
    Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). Scholar
  14. 14.
    Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium, pp. 973–990 (2018)Google Scholar
  15. 15.
    Mcilroy, R., Sevcik, J., Tebbi, T., Titzer, B.L., Verwaest, T.: Spectre is here to stay: an analysis of side-channels and speculative execution. arXiv preprint arXiv:1902.05178 (2019)
  16. 16.
    Nussbaum, S.: AMD trinity APU. In: 2012 IEEE Hot Chips 24 Symposium (HCS), pp. 1–40. IEEE (2012)Google Scholar
  17. 17.
    Paoloni, G.: How to benchmark code execution times on Intel IA-32 and IA-64 instruction set architectures. Intel Corporation, p. 123 (2010)Google Scholar
  18. 18.
    Percival, C.: Cache Missing for Fun and Profit (2005)Google Scholar
  19. 19.
    Schwarz, M., Schwarzl, M., Lipp, M., Masters, J., Gruss, D.: NetSpectre: read arbitrary memory over network. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 279–299. Springer, Cham (2019). Scholar
  20. 20.
    Shimpi, A.L.: Intel’s Sandy Bridge Architecture Exposed (2010).
  21. 21.
    Stecklina, J., Prescher, T.: LazyFP: leaking FPU register state using microarchitectural side-channels. arXiv preprint arXiv:1806.07480 (2018)
  22. 22.
    Tsunoo, Y.: Crypt-analysis of block ciphers implemented on computers with cache. In: Proceedings ISITA2002, October 2002Google Scholar
  23. 23.
    Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003). Scholar
  24. 24.
    Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC 2006, pp. 473–482. IEEE Computer Society, Washington (2006)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Bonn-Rhein-Sieg University of Applied SciencesSankt AugustinGermany
  2. 2.Horst-Görtz InstituteRuhr University BochumBochumGermany
  3. 3.Max Planck Institute for Cyber Security and PrivacyBochumGermany

Personalised recommendations