S&P 2025
Scheduled Disclosure: Turning Power into Timing Without Frequency Scaling
Inwhan Chun, Isabella Siu, Riccardo Paccagnella
Abstract
Power side-channel attacks are seeing a resurgence of interest in computer security research. An emerging class of these attacks exploits remote methods to monitor power consumption, most notably by observing power-dependent CPU frequency variations. However, existing methods have only been demonstrated on (older) x86 CPU architectures where frequency scaling is the primary, if not only, mechanism used to keep the system within safe operating conditions. It remains unclear whether remote power side-channel attacks are still feasible on modern x86 CPU architectures that have additional, more sophisticated mechanisms of this kind. We demonstrate that not only do remote power side-channel attacks remain feasible on modern x86 CPU architectures, but that they are also more effective and work even in the absence of frequency side-channel leakage. Our attacks take advantage of Thread Director, a hardware optimization that provides scheduling “hints” to enhance performance and energy efficiency on modern Intel processors. We demonstrate that these hints depend on the processor's power consumption, leading to power-dependent scheduling behaviors (such as variations in the number of active cores) that can be observed purely from software and even via remote timing analysis. We show the efficacy of our attacks by leaking keys from constant-time cryptographic code (5× faster than prior attacks on older x86 CPUs) and mounting cross-origin pixel stealing attacks.