Leaky Frontends: Micro-Op Cache and Processor Frontend Vulnerabilities.

2021 
This paper demonstrates a new class of security vulnerabilities due to the Micro-Op Caches, also called Decode Stream Buffer, and other components in the processor frontend. The vulnerabilities presented in this work exploit multiple paths in the processor frontend that the micro-ops can take: through the Micro-Instruction Translation Engine (MITE), through the Decode Stream Buffer (DSB), or through the Loop Stream Detector (LSD). Each path has its own unique timing and power signature, which leads to security vulnerabilities. The vulnerabilities can be used as side or covert channels for information leakage and can be exploited to create both timing and power attacks. As information leakage channels, the new vulnerabilities are orthogonal to the existing speculative execution attacks and can be used as covert transmission channels in a new variant of speculative attacks that is demonstrated in this work. The vulnerabilities further affect Intel SGX enclaves, and this work shows how information can be leaked from SGX enclaves through the sharing of the frontend paths. The transmission rates for new attacks based on the vulnerabilities presented can be as high as 1410 Kbps (1.41 Mbps) with an almost 0% error rate. Consequently, this work demonstrates that multiple paths in the processor frontend are a source of security vulnerabilities which have not been considered before and that focusing on just speculative execution attacks is not sufficient to secure today's processors.