University of Illinois Urbana-Champaign

Leaking secrets via page walk side channels

Wang, Alan Linghao

Permalink

https://hdl.handle.net/2142/129189

Description

Title
Leaking secrets via page walk side channels
Author(s)
Wang, Alan Linghao
Issue Date
2025-04-09
Director of Research (if dissertation) or Advisor (if thesis)
Fletcher, Christopher W
Department of Study
Siebel School Comp & Data Sci
Discipline
Computer Science
Degree Granting Institution
University of Illinois Urbana-Champaign
Degree Name
M.S.
Degree Level
Thesis
Keyword(s)
  • side channels
  • page walk
  • spectre
  • data-memory prefetchers
Abstract
Microarchitectural side-channel attacks are an insidious threat to program security. An emerging class of these attacks constructs gadgets that dereference the contents of data memory directly. This is caused by optimizations, such as speculative execution and data-memory prefetching, that can guess (incorrectly) that the program is performing a pointer chase. In theory, this is devastating for security, as dereferencing a secret seemingly leaks it over memory-based side channels, e.g., through the cache. In practice, it is not. Since most secrets do not look like valid pointers, their dereference typically fails and does not leak anything. In this paper, we introduce the page walk side channel (PWSC), a new attack that can leak information even when an invalid pointer is dereferenced. In particular, given a 64-bit secret that passes the address canonicality check, PWSC can leak all remaining bits of the secret except for the low-order 6 bits, without making any assumptions on what these bits look like. We demonstrate how PWSC amplifies leakage in scenarios exploiting speculative execution and data-memory prefetching. For speculative execution, we show that PWSC, combined with Intel’s LAM feature, can be exploited to leak nearly all of physical memory and that even without LAM, PWSC can be used to leak Dilithium secret keys. For data-memory prefetching, we reverse engineer the semantics of Intel’s data-memory dependent prefetcher (DMP) and show how this DMP and PWSC can be combined to break security in an intra-process sandbox setting.
Graduation Semester
2025-05
Type of Resource
Thesis
Handle URL
https://hdl.handle.net/2142/129189
Copyright and License Information
Copyright 2025 Alan Linghao Wang

Owning Collections

Graduate Dissertations and Theses at Illinois PRIMARY
Graduate Theses and Dissertations at Illinois