SpectrEM: Exploiting Electromagnetic Emanations During Transient Execution

Authors: 

Jesse De Meulemeester, Antoon Purnal, Lennert Wouters, Arthur Beckers, and Ingrid Verbauwhede, COSIC, KU Leuven

Abstract: 

Modern processors implement sophisticated performance optimizations, such as out-of-order execution and speculation, that expose programs to so-called transient execution attacks. So far, such attacks rely on specific on-chip covert channels (e.g., cache timing), instilling the hope that they can be thwarted by closing or weakening these channels. In this paper, we consider the inevitable physical side effects of transient execution. We focus on electromagnetic (EM) emanations produced by the processor and develop two lightweight and accurate EM channels to extract secret bits from the transient window. We propose SpectrEM, a Spectre variant for embedded devices exposed to physical access by an attacker. While it assumes a physical adversary, it does not fundamentally require code execution, expanding its applicability in the embedded world. We evaluate SpectrEM on an Arm Cortex-A72, leaking up to 366 bits per second at a bit error rate as low as 0.008%. To our knowledge, this is the first practical demonstration of physical transient execution attacks.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {290995,
author = {Jesse De Meulemeester and Antoon Purnal and Lennert Wouters and Arthur Beckers and Ingrid Verbauwhede},
title = {{SpectrEM}: Exploiting Electromagnetic Emanations During Transient Execution},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {6293--6310},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/de-meulemeester},
publisher = {USENIX Association},
month = aug
}

Presentation Video