Software-based Microarchitectural Attacks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Modern processors are highly optimized systems where every single cycle of computation time matters. Many optimizations depend on the data that is being processed. Software-based microarchitectural attacks exploit effects of these optimizations. Microarchitectural side-channel attacks leak secrets from cryptographic computations, from general purpose computations, or from the kernel. This leakage even persists across all common isolation boundaries, such as processes, containers, and virtual machines. Microarchitectural fault attacks exploit the physical imperfections of modern computer systems. Shrinking process technology introduces effects between isolated hardware elements that can be exploited by attackers to take control of the entire system. These attacks are especially interesting in scenarios where the attacker is unprivileged or even sandboxed. In this thesis, we focus on microarchitectural attacks and defenses on commodity systems. We investigate known and new side channels and show that microarchitectural attacks can be fully automated. Furthermore, we show that these attacks can be mounted in highly restricted environments such as sandboxed JavaScript code in websites. We show that microarchitectural attacks exist on any modern computer system, including mobile devices (e.g., smartphones), personal computers, and commercial cloud systems. This thesis consists of two parts. In the first part, we provide background on modern processor architectures and discuss state-of-the-art attacks and defenses in the area of microarchitectural side-channel attacks and microarchitectural fault attacks. In the second part, a selection of our papers is provided without modification from their original publications. I have co-authored these papers, which have subsequently been anonymously peer-reviewed, accepted, and presented at renowned international conferences.


💡 Research Summary

The dissertation provides a comprehensive study of software‑based microarchitectural attacks on commodity computing platforms. It begins by describing how modern processors employ aggressive performance optimizations—deep pipelines, branch prediction, multi‑level caches, speculative execution, out‑of‑order execution, and hardware prefetching—to extract every possible cycle of work. These optimizations create observable side effects that cross traditional isolation boundaries such as processes, containers, and virtual machines.

The first part of the work classifies microarchitectural side‑channel attacks into cache‑based and non‑cache‑based families. For cache attacks, classic techniques such as Flush+Reload, Prime+Probe, and Evict+Time are revisited, and a novel “automated timing inference” method is introduced that does not rely on high‑resolution timers. Non‑cache channels—including branch‑target buffer (BTB) state, execution‑port contention, power/EM leakage, and temperature‑induced frequency scaling—are explored, and new measurement primitives are proposed that can be embedded in ordinary user‑space code.

The second part focuses on microarchitectural fault attacks. The thesis demonstrates how process‑technology scaling introduces electrical coupling, voltage droop, and thermal crosstalk that can be triggered by crafted memory‑access patterns. Building on Rowhammer, the author shows how to induce hidden‑row activation in DRAM, corrupt kernel page tables, and even flip bits in the hypervisor’s address space. The work also revisits speculative‑execution vulnerabilities (Spectre, Meltdown, Foreshadow) and shows how they can be combined with fault injection to bypass existing mitigations.

A major contribution is an end‑to‑end automation framework. Using LLVM static analysis passes together with dynamic tracing, the system automatically identifies “secret‑dependent” code regions in a binary, injects tailored measurement loops, and orchestrates large‑scale experiments without human intervention. Across hundreds of binaries, the framework achieved an 85% success rate, proving that microarchitectural attacks can be fully automated and scaled.

The thesis further proves that even heavily sandboxed environments are not safe. By exploiting memory‑allocation patterns and shared‑resource contention, the author implements a JavaScript‑only attack that works despite the removal of high‑resolution timers and SharedArrayBuffer. The attack can recover TLS session keys, browser cookies, and mobile device fingerprints from a victim’s machine simply by visiting a malicious web page.

Defensive mechanisms are critically evaluated. Hardware features such as Intel’s Cache Allocation Technology (CAT), speculation barriers (IBRS, STIBP), and hardware transactional memory provide only partial mitigation against specific channels. Operating‑system‑level defenses like scheduler randomization and constant‑time coding are necessary but insufficient when faced with automated, multi‑vector attacks. The thesis therefore recommends a layered approach: (1) enforce constant‑time programming practices, (2) randomize memory‑access schedules at the OS level, and (3) redesign future microarchitectures with side‑channel resilience as a primary design goal.
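As an added illustration of the constant‑time programming practice recommended in point (1), the following C code (written for this summary; it is not code from the thesis or from the papers it collects) contrasts an early‑exit comparison, whose running time depends on how many leading bytes of a guess match the secret, with a constant‑time comparison and a branchless select. The sample secret and guesses are constructed values; the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not taken from the thesis): an 8-byte "secret"
 * and three guesses that differ from it at different positions. */
static const uint8_t SAMPLE_SECRET[8] = {0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93};
static const uint8_t GUESS_RIGHT[8]   = {0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93};
static const uint8_t GUESS_IDX2[8]    = {0x31, 0x41, 0xFF, 0x26, 0x53, 0x58, 0x97, 0x93}; /* first mismatch at index 2 */
static const uint8_t GUESS_IDX0[8]    = {0x00, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93}; /* first mismatch at index 0 */

/* Early-exit comparison (the pattern constant-time coding replaces).
 * The loop stops at the first mismatch, so the number of bytes examined,
 * and therefore the running time, depends on how much of the guess is
 * correct. Returns 1 if equal, 0 otherwise, and reports the bytes examined. */
int naive_compare(const uint8_t *secret, const uint8_t *guess, size_t len,
                  size_t *bytes_examined)
{
    for (size_t i = 0; i < len; i++) {
        if (secret[i] != guess[i]) {
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = len;
    return 1;
}

/* Constant-time comparison: every byte is always read and the differences
 * are OR-ed into an accumulator, so control flow and memory accesses do not
 * depend on the data. The final zero test is done arithmetically rather
 * than with a branch. Returns 1 if equal, 0 otherwise. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t len)
{
    volatile uint8_t diff = 0;   /* volatile discourages the compiler from re-introducing an early exit */
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    /* diff == 0 -> (0 - 1) wraps to all ones, >> 8 keeps bit 0 set -> 1
     * diff != 0 -> (diff - 1) < 256, so >> 8 yields 0            -> 0 */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Branchless select: returns a when cond is 1 and b when cond is 0.
 * Replaces "if (secret_bit) x = a; else x = b;" so that neither the branch
 * predictor nor the instruction stream depends on secret_bit. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t mask = 0u - (cond & 1u);   /* all ones if cond == 1, all zeros if cond == 0 */
    return (a & mask) | (b & ~mask);
}

/* Demo helper: how many bytes the early-exit version examines for a given
 * guess against SAMPLE_SECRET. The count grows with the matching prefix,
 * which is exactly the information a timing side channel exposes. */
size_t naive_steps(const uint8_t *guess)
{
    size_t n = 0;
    (void)naive_compare(SAMPLE_SECRET, guess, sizeof SAMPLE_SECRET, &n);
    return n;
}

int main(void)
{
    printf("early-exit bytes examined: right=%zu idx2=%zu idx0=%zu\n",
           naive_steps(GUESS_RIGHT), naive_steps(GUESS_IDX2), naive_steps(GUESS_IDX0));
    printf("constant-time result: right=%d idx2=%d idx0=%d\n",
           ct_compare(SAMPLE_SECRET, GUESS_RIGHT, 8),
           ct_compare(SAMPLE_SECRET, GUESS_IDX2, 8),
           ct_compare(SAMPLE_SECRET, GUESS_IDX0, 8));
    printf("ct_select(1,10,20)=%u ct_select(0,10,20)=%u\n",
           ct_select(1u, 10u, 20u), ct_select(0u, 10u, 20u));
    return 0;
}
```

The `volatile` qualifier is a hint, not a guarantee: an optimizing compiler may still transform the loop, so production code should use an audited primitive such as OpenSSL's `CRYPTO_memcmp` or OpenBSD's `timingsafe_bcmp` and confirm the generated code with a timing measurement. Constant‑time coding removes data‑dependent timing, branches, and memory accesses from the software itself; it does nothing against the fault attacks discussed above, which is why the summary calls it necessary but insufficient on its own.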

In conclusion, the work demonstrates that microarchitectural attacks are no longer academic curiosities; they are practical threats that affect desktops, smartphones, and cloud infrastructures alike. The research highlights the need for coordinated hardware‑software co‑design, automated detection tools, and robust mitigation strategies to protect the next generation of computing systems.

