### Synchronization Storage Channels (S<sup>2</sup>C): Timer-less Cache Side-Channel Attacks on the Apple M1 via Hardware Synchronization Instructions

<u>Jiyong Yu</u>, Aishani Dutta, Trent Jaeger\*, David Kohlbrenner<sup>+</sup>, Chris Fletcher University of Illinois Urbana-Champaign, \*Penn State University, <sup>+</sup>University of Washington







#### Observing µarch State is Crucial for Side-Channel Attacks






### Load-Linked (LL) / Store-Conditional (SC) on Apple M1






## Observations of LL/SC on Apple M1




Key observations:

- LL/SC only monitors addresses in L1
- Monitoring granularity = L1 cache line size
- Each core only supports **1** outstanding LL/SC

## Cross-core Cache Attack with LL/SC

LL/SC acts as a µarch-state-to-arch-state converter: a µarch state change (whether the address is cached in L1) becomes an arch state change (SC succeeds/fails), with no timer involved.

But ...

- LL/SC only monitors addresses in the private L1.
- Only 1 address is monitored at a time.

What a cross-core cache attack needs ...

- Observation over the shared L2.
- Monitoring multiple addresses (ideally).

Synchronization Storage Channel (S<sup>2</sup>C): built on top of LL/SC.

## M1 L2 Cache Reverse-Engineering

- Inclusion policy and L1/L2 replacement policy: needed to precisely control L1 / L2 evictions
- L1/L2 cache set index mapping: needed to generate eviction sets
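The following is an added, executable model of the primitive described on the slides above (the single-monitor LL/SC observations, the cross-core attack through the shared inclusive L2, and eviction-set generation from the set-index mapping). It is written for this page and is not code from the paper. The cache geometry (`LINE`, `L1_SETS`, `L1_WAYS`, `L2_SETS`, `L2_WAYS`), the modulo index functions, true-LRU replacement, and the addresses `TABLE` and `ATTACKER_BASE` are assumptions chosen to keep the model small; the M1's real parameters are exactly what the paper reverse-engineers. What the model keeps from the slides is the mechanism: one outstanding monitor per core, monitor granularity of one L1 line, the monitor dropped when the line leaves L1, and an inclusive L2 whose evictions back-invalidate every private L1.

```python
"""Model of the S2C primitive: LL/SC as a mu-arch-to-arch-state converter.

Constructed example, not the paper's code.  All geometry, index functions and
replacement policies below are assumptions; no timing is used anywhere.
"""
from collections import OrderedDict

LINE = 64                    # assumed line size = monitor granularity
L1_SETS, L1_WAYS = 4, 4      # per-core private L1 (assumed geometry)
L2_SETS, L2_WAYS = 8, 4      # shared, inclusive L2 (assumed geometry)
NCORES = 2
ATTACKER, VICTIM = 0, 1
TABLE = 0x10000              # victim lookup table base (constructed)
ATTACKER_BASE = 0x40000      # attacker-owned memory (constructed)


class Cache:
    """Set-associative cache with true-LRU replacement (assumed policy)."""

    def __init__(self, sets, ways):
        self.ways = ways
        self.sets = [OrderedDict() for _ in range(sets)]

    def _set(self, line):
        return self.sets[line % len(self.sets)]   # assumed index mapping

    def contains(self, line):
        return line in self._set(line)

    def touch(self, line):
        self._set(line).move_to_end(line)         # mark MRU

    def insert(self, line):
        """Insert a line; return the evicted LRU line, or None."""
        s = self._set(line)
        victim = None
        if len(s) >= self.ways:
            victim, _ = s.popitem(last=False)     # LRU sits at the front
        s[line] = True
        return victim

    def invalidate(self, line):
        self._set(line).pop(line, None)


class Machine:
    """Two cores, private L1s, shared inclusive L2, one LL monitor per core."""

    def __init__(self):
        self.l2 = Cache(L2_SETS, L2_WAYS)
        self.l1 = [Cache(L1_SETS, L1_WAYS) for _ in range(NCORES)]
        self.monitor = [None] * NCORES            # single outstanding LL per core

    def _drop_monitor_if(self, core, line):
        if line is not None and self.monitor[core] == line:
            self.monitor[core] = None             # monitored line left this L1

    def load(self, core, addr):
        line = addr // LINE
        l1 = self.l1[core]
        if l1.contains(line):
            l1.touch(line)                        # L1 hit: L2 LRU state untouched
            return
        if self.l2.contains(line):
            self.l2.touch(line)
        else:
            victim = self.l2.insert(line)
            if victim is not None:                # inclusion: back-invalidate all L1s
                for c in range(NCORES):
                    self.l1[c].invalidate(victim)
                    self._drop_monitor_if(c, victim)
        self._drop_monitor_if(core, l1.insert(line))

    def ll(self, core, addr):
        """Load-linked: load the line and arm this core's single monitor."""
        self.load(core, addr)
        self.monitor[core] = addr // LINE

    def sc(self, core, addr):
        """Store-conditional: succeeds iff the monitor still covers addr's line."""
        ok = self.monitor[core] == addr // LINE
        self.monitor[core] = None
        return ok


def eviction_lines(target_addr, count):
    """Attacker addresses that share target's L2 set (uses the index mapping)."""
    return [target_addr + k * L2_SETS * LINE for k in range(1, count + 1)]


def victim_lookup(m, secret):
    """Secret-dependent table access, as in T-table AES (constructed)."""
    m.load(VICTIM, TABLE + secret * LINE)


def probe_set(m, s, run_victim):
    """True iff the victim touched L2 set s; the observation is the SC outcome."""
    target = ATTACKER_BASE + s * LINE             # attacker line mapping to set s
    m.load(ATTACKER, target)
    for a in eviction_lines(target, L2_WAYS - 1):
        m.load(ATTACKER, a)                       # fill the set; target is L2-LRU
    m.ll(ATTACKER, target)                        # L1 hit; arm the monitor
    run_victim()                                  # victim's access may evict target
    return not m.sc(ATTACKER, target)             # SC fails <=> target left L1


def recover_secret(m, secret):
    """Return the L2 sets the victim touched (here: exactly [secret])."""
    return [s for s in range(L2_SETS)
            if probe_set(m, s, lambda: victim_lookup(m, secret))]
```

Two slide points fall out directly: `ll(a); ll(b); sc(a)` fails because the second LL displaces the only monitor, and `ll(a); sc(a + 8)` succeeds because the monitor covers the whole line. Against real hardware the same loop needs the reverse-engineered index functions and replacement policy in place of the modulo/LRU assumptions here.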





Figure: shared L2 cache.

Evtyushkin, Dmitry, et al. "Computing with time: Microarchitectural weird machines." *Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems*. 2021.







### Evaluation

- The µWC (microarchitectural weird circuit, Evtyushkin et al.) method can monitor at most 11 different L2 cache sets
- Cross-core covert channel: 185 Kb/s with 98.5% accuracy
- Full secret-key extraction from T-table AES

### Conclusion

- Synchronization Storage Channels (S<sup>2</sup>C):
  - 1<sup>st</sup> timer-less, cross-core attack on Apple M1
  - 1<sup>st</sup> cache attack leveraging hardware synchronization instructions (LL/SC)
  - Motivate future efforts in finding new "µarch-state-to-arch-state converters"






