CCS2024
Cross-Core Interrupt Detection: Exploiting User and Virtualized IPIs
Fabian Rauscher, Daniel Gruss
4 citations
Abstract
Interrupts are fundamental for inter-process and cross-core communication in modern systems. Controlling these communication mechanisms historically requires switches into the kernel or hypervisor, incurring high performance costs. To alleviate these costs, Intel introduced new hardware mechanisms to send inter-processor interrupts (IPIs) from user space without switching into the kernel and from virtual machines without switching into the hypervisor. However, it is unclear whether this direct, unsupervised interaction between unprivileged (or virtualized) workloads and the underlying hardware introduces a significant change in the attack surface. In this paper, we present the IPI side channel, a novel side-channel attack exploiting the recently introduced user interrupts and IPI virtualization features on Intel Sapphire Rapids and the upcoming Intel Arrow Lake processors. The IPI side channel is the first cross-core interrupt detection side channel, allowing an attacker to monitor interrupts delivered to any physical core of the same processor. Our attack is based on precise measurements of the hardware delivery time of interrupts from user space and virtual machines. More specifically, we exploit that interrupts are delivered through a cross-core bus, leading to timing variations on the attacker's local IPIs. We present multiple case studies to compare the IPI side channel with the state of the art: First, we present an unprivileged cross-core covert channel with a native true capacity of 434.7 kbit/s (n=100, σx̄=0.03) and a cross-VM capacity of 3.45 kbit/s (n=100, σx̄=0.01). Second, we demonstrate a native inter-keystroke timing attack with an F1 score of 97.9 %. Third, we present an open-world website fingerprinting attack on the top 100 websites, achieving an F1 score of 89.0 % in a native scenario and an F1 score of 71.0 % in a cross-VM (thin client) scenario.
Furthermore, we discuss the broader context of the IPI side channel and categorize interrupt side channels and mitigations.
CCS Concepts: • Security and privacy → Side-channel analysis and countermeasures; Operating systems security; Systems security.