PPA: Novel Page Prefetcher-Based Side-Channel Attacks

Abstract

Hardware data prefetchers fetch memory ahead of demand to reduce cache misses and mitigate memory bottlenecks. By analyzing historical memory access patterns, they predict likely data targets and prefetch them. Major commercial CPU vendors, e.g., Intel, Arm, and AMD, incorporate various prefetchers in their products to hide memory latency. While these prefetchers can significantly enhance performance, they can also introduce security concerns by accessing data the program never requested. In this paper, we reveal new behavior of the prefetchers in recent Intel Xeon processors, which we term the page prefetcher. We find that this page prefetcher is indexed by the instruction pointer (IP) and can prefetch both page translations (into the TLB) and cache lines across page boundaries. To investigate its implications, we propose several attacks built on our page prefetcher attack (PPA) primitives. We demonstrate that PPA can be leveraged to expose kernel information to user space, and to leak secrets from SGX enclaves to untrusted code, including control-flow details. Furthermore, when combined with transient-execution attacks, PPA extends the reach of information leakage. Our findings uncover a significant vulnerability in the page prefetcher and highlight the broad applicability of PPA across attack scenarios.

Index Terms: hardware security, prefetcher, side-channel attacks.

Publication
2025 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)
Shuwen Deng
Assistant Professor