ThermalBleed: A Practical Thermal Side-Channel Attack

Modern OSs expose an interface for monitoring CPU temperature to unprivileged users for effective user decision-based thermal management. Due to the low sampling rate and resolution, thermal sensors have generally been restricted to the construction of covert channels. However, exposing the thermal interface to unprivileged users may be problematic, because the heat emission inside a CPU core is affected by program execution on the core; an attacker may be able to infer the secret information of the program by exploiting the thermal interface as a side-channel. In this paper, we extensively analyze digital thermal sensors in Intel CPUs and show that it is possible to implement a software-based thermal side-channel attack. Specifically, by analyzing some properties of the thermal sensors, we inferred that the thermal sensor makes it possible to distinguish between a cache hit and a physical memory access in memory load operations. Based on the analysis results, we implement ThermalBleed, a thermal side-channel attack that breaks kernel address space layout randomization (KASLR) in Linux systems. Moreover, by conducting an in-depth analysis, we identify useful hidden properties of the Intel thermal sensors. Our analysis establishes a stepping stone to build a more precise and effective thermal side-channel attack in the future. To the best of our knowledge, this is the first work that extends a thermal covert channel to a practical side-channel attack by exploring the properties of Intel digital thermal sensors.

leakage source [3], [4]. After the vulnerability has been 20 disclosed, OS maintainers came up with a security patch that 21 restricted the use of the interface only to privileged users [5]. 22 Hence, the current versions of the Linux kernel no longer 23 expose the RAPL interface to unprivileged users. However, 24 we deduce that there is still a vulnerable interface on the 25 processors. In this paper, we focus on a thermal sensor in Intel 26 CPUs, another unprivileged interface that supports tempera-27 ture monitoring. Specifically, we extensively analyze various 28 properties of the Intel digital thermal sensor. The analysis 29 results give us primitives that distinguish between a cache 30 hit and a physical memory access in memory load operations 31 through elaborate monitoring of the thermal sensors. 32 To demonstrate the vulnerability of Intel digital thermal 33 sensors, we present ThermalBleed, a practical thermal side-34 channel attack. ThermalBleed breaks kernel address space 35 layout randomization (KASLR) in state-of-the-art Linux sys-36 tems that are equipped with software- [6] and hardware-37 based [7] countermeasures against KASLR breaking side-38 that can distinguish instructions. These findings regarding 95 unexplored thermal properties may be utilized as a stepping 96 stone to build advanced thermal side-channel attacks that leak 97 confidential data (e.g., a secret key). 98 Finally, as a countermeasure, we proposed restricting the 99 thermal interface to the privileged level to mitigate software-100 based observable thermal side-channel attacks.

102
Contributions. The contributions of this paper are as fol-103 lows. 104 1) We evaluate digital thermal sensors in Intel CPUs and 105 uncover some properties that can be used as a practical 106 leakage source.
107 2) We present ThermalBleed, a first practical thermal 108 side-channel attack that breaks KASLR in Linux from 109 user mode applications. 110 3) We analyze some properties of CPU thermal sensors. 111 Based on this observation, we uncover useful hidden 112 properties of thermal sensors that make it possible to 113 enforce a thermal side-channel attack.

114
Outline. The remainder of this paper is organized as follows. 115 In Section II, we discuss background knowledge regarding 116 thermal side-channel analysis. In Section III, we present 117 attack primitives for the ThermalBleed attack. In Section 118 IV, we present how the ThermalBleed breaks KASLR and 119 evaluate the attack on various systems. In Section V, we 120 conduct an in-depth analysis on the properties of an Intel 121 digital thermal sensor for future research. In Section VII, we 122 discuss the related work and finally, we conclude this paper 123 in Section VIII.

125
In this section, we present background knowledge on thermal 126 analysis and the ThermalBleed attack.

127
A. THERMAL SIDE-CHANNEL ANALYSIS 128 The law of energy conservation (i.e., the first law of thermo-129 dynamics) [18] explains that energy is not created or dissi-130 pated but conserved, where it is only transformed to other 131 forms (e.g., heat). More importantly, Joule's first law (i.e., 132 Joule heating) [19] states that when an electric current flows 133 through a conductor, the electrical energy is transformed into 134 thermal energy. Equation (1) represents the heating effect of 135 an electric current, where H is the amount of heat, I is the 136 electric current, R is the electrical resistance of the conductor, 137 and t is the amount of time that the current flows. 138 With the Ohm's law, H can be expressed by the other form, 139 where P is the power consumption and V is voltage. Thus, 140 the heat generated by the electric components is highly 141 related to the power consumption.

205
Memory corruption attacks such as ROP attacks [22], [23] 206 use the knowledge of the memory layout to compromise 207 a system. Thus, recent OSs provide address space layout 208 randomization (ASLR), a defense mechanism based on non-209 deterministic behavior. The kernel ASLR (i.e., KASLR) 210 is an efficient strategy that mitigates memory corruption 211 attacks against OS kernels. However, KASLR has been 212 shown to be vulnerable to microarchitectural side-channel 213 attacks [24]- [27]. These attacks mainly exploit the timing 214 difference between a load from allocated and non-allocated 215 pages. More specifically, a kernel text section in Linux is 216 mapped in a 1 GB range (i.e., 0xffffffff80000000 217 -0xffffffffc0000000), where its base address is 218 aligned to a 2 MB boundary. Hence, Linux has only nine 219 bits of entropy in KASLR, and attackers can successfully 220 determine the kernel base address through a maximum of 512 221 (= 2 9 ) times of guessing.

223
In this section, we describe ThermalBleed attack primitives. 224 These attack primitives are identified by conducting exper-225 iments on thermal sensors. We present our setup for the 226 experiment and then describe the attack primitives in detail. 227 Specifically, we first show how to distinguish memory access 228 using Intel digital thermal sensors: cache access and physical 229 memory (i.e., DRAM) access. We also show that with the 230 sensors, we can infer whether the executed instruction caused 231 a TLB hit or not, giving unprivileged users the ability to 232 distinguish address translations. 234 We conducted experiments on various Intel CPUs ranging 235 from laptop to server-class processors. In the experimental 236 setup, we used a default system configuration in which no 237 VOLUME 4, 2016 CPU temperature from the die [14], [20]. This means that the without executing a target application. 'Physical memory 276 access' is the setting in which the temperature is measured 277 while the target application is running where a load occurs 278 on uncacheable memory page. 'Cache hit' is the same as the 279 setting of 'Physical memory access' except that the load takes 280 place on a cacheable memory page. Table 1 lists the average 281 temperature measured on various systems and its standard 282 deviation. Fig. 2 particularly shows the core temperature 283 traces on an i7-8700 CPU. As shown in the figure, there is 284 a clear difference in the temperature, where 'Cache hit' (i.e., 285 cacheable) shows approximately 46.591 • C (n = 10 5 , σ = 286 0.85), and 'Physical memory access' (i.e., uncacheable) 287 shows approximately 34.308 • C (n = 10 5 , σ = 0.81). 288 In our experiments, we could reliably distinguish the cache 289 access from the physical memory access with an observable 290 thermal difference. This difference is consistent with various 291 CPU models, regardless of the CPU cooler (cf. Table 1). It 292 is also noteworthy that the measured standard deviation of 293 the collected data is smaller than expected. We attribute this 294 to the remnant heat. That is, the temperature measurement 295 may be affected by the remnant heat caused from preceding 296 instructions. This phenomenon allows us to build a reliable 297 and efficient thermal-based side-channel, through which we 298

A. EXPERIMENTAL SETUP
can distinguish different types of memory accesses. 300 We further show that thermal sensors make it possible to dis- In this section, we propose ThermalBleed, a practical ther-362 mal side-channel attack that de-randomizes KASLR. The 363 basic idea of ThermalBleed is to infer kernel mappings by 364 distinguishing an allocated kernel page from a non-present 365 page using thermal information. For this, we apply the attack 366 primitive presented in the previous section, which allows us 367 to distinguish a TLB hit (for the allocated page) from a page 368 table walk (for the non-present page).

369
ThermalBleed is the first cross-core attack that infers 370 the TLB status of the other core without depending on 371 hyperthreading. There are some challenges that need to be 372 addressed to successfully deliver our ThermalBleed attack. 373 One of the challenges is to deal with the heat propagation, 374 i.e., the heat generated from a core may affect the other 375 core's temperature. Another challenge comes from the ther-376 mal capacity and resistance, i.e., a minimal amount of heat 377 is needed to increase the core temperature, and the remnant 378 heat can be a noise source for precisely measuring the core 379 temperature [8]. For instance, if the heat generated by the 380 target application on a core is insufficient to increase the core 381 temperature, there is no surge in temperature even if TLB 382 hits occur by the execution of the application. It makes the 383 reliable inference of the TLB state with ThermalBleed more 384 challenging.

385
To overcome these challenges, we use a spatially parti-386 tioning strategy in which a target and collecting application 387 are running on physically separated cores. In this setting, 388 the collecting application obtains 300, or 500 number of 389 sufficient temperature traces on each slot (i.e., possible kernel 390 base address). Because the current version of the Linux 391 kernel only has 9-bits of entropy in KASLR (cf. Section 392 VOLUME 4, 2016 sufficient to offer a reliable channel. There is no clear dif-432 ference in the temperature between an allocated kernel page 433 and a non-present page with a single trace. To overcome this 434 problem, the collecting application obtains multiple temper-435 ature traces, i.e., T n , from each slot. If the slot is a physically 436 backed address, the target application will result in a dTLB 437 hit, inducing a surge increase in the temperature. However, 438 if the slot is an invalid address, it will cause a dTLB miss 439 and page table walk, accessing a physical memory outside 440 of the CPU package die. It introduces a slight increase in 441 the temperature. Thereafter, the collected data of all the 442 temperature traces against possible base addresses are handed 443 over to the next phase. 444 Table 2 shows code snippets of a target and collecting 445 application, which are used in the collecting data phase. 446 As aforementioned, ThermalBleed needs to address several 447 challenges caused by heat propagation, thermal capacity 448 and resistance. For the elaborate temperature measurement, 449 it is crucial to synchronize executions of a collecting and 450 target application. We resolve the challenges by devising a 451 synchronization algorithm ( 1 ⃝ in Table 2).

452
To address the heat propagation issue, a spatial partitioning 453 strategy is used in the synchronization algorithm to minimize 454 the noise caused by heat propagation from adjacent cores. 455 That is, we can place a target and collecting application 456 on spatially separate cores by using a taskset command 457 (Lines 2 and 5 in 1 ⃝).

458
Dealing with thermal capacity and resistance is not trivial. 459 Due to those thermal properties, a certain amount of work-460 load is necessary to make distinguishable variation in temper-461 ature. For instance, if the collecting application gets executed 462 prior to the target application, the heat generated by the target 463 application cannot immediately affect the core temperature. 464 Thus, the obtained temperature traces will contain a huge 465 amount of noise, disturbing the simple thermal analysis in 466 Phase 2.

467
To address the challenges caused by thermal capacity and 468 resistance, we come up with two solutions. The first solution 469 is an execution ordering: run the target application ( 2 ⃝ in 470 Table 2) first, and then run the collecting application ( 3 ⃝). 471 As the target application is initially heating the core, the 472 execution ordering can address thermal capacity and resis-473 tance well. Our second solution is to increase the number 474 of obtained temperature traces (i.e., T n ). By increasing T n , 475 we can reduce the noise introduced by the thermal capacity 476 and resistance owing to the sufficient execution of the target 477 application. However, there is a trade-off between the attack 478 accuracy and the overall execution time of the attack over the 479 number of traces. We discuss this in more detail in Section 480 IV-C. 2) Phase 2: Simple thermal analysis. 482 There is a clear difference in the temperature between a dTLB 483 hit from an allocated kernel page and a dTLB miss (and a 484 subsequent page table walk) from a non-present page (cf. 485 Section III-C). Thus, we use a simple thermal analysis to 486  which is approximately 11 • C higher than other slots. This 515 indicates that the ThermalBleed reliably infers an allocated 516 kernel page, which consequently results in the breaking of 517 the KASLR. We also observed that additional slots between 518 478-th and 495-th also exhibit high temperatures. Based on 519 the simple thermal analysis, we found that the slots with 520 higher temperature are exactly the same as the present pages 521 in the kernel text. This result shows that in an KPTI-disabled 522 system, all the present pages in the kernel can induce an 523 TLB hit that will increase the core temperature. It allows 524 ThermalBleed to identify the base address as well as the size 525 of kernel text 526 It is notable that at the 478-th and 495-th slot in Fig.5, 527 the temperature drastically surges to 57 • C and falls down 528 to 46 • C. We attribute this to a sleep() function used 529 in the synchronization algorithm (Line 4 in 1 ⃝ in Table 2). 530 The sleep() function is necessary to address the side 531 effect caused by the remnant heat during the measurement. 532 Considering the low sampling rate (i.e., 2 ms) of the digital 533 thermal sensor, 20 ms of a sleeping interval in the algorithm 534 is sufficient so that the measured temperature changes drasti-535 cally. 537 We evaluate the performance of the ThermalBleed attack 538 under various target systems.

539
Experimental environment. For systems equipped with 8-th 540 or lower generations of Intel CPU, we enabled KPTI, which 541 is the default mitigation feature in Linux against microarchi-542 tectural side-channel attacks. For other CPU models that have 543 hardware fixes against a side-channel attack, KPTI is not 544 applied to the system. The rest of the system configurations 545 are the same as in Section III-A. In the experiment, the col-546 lecting application obtains a trace of the core temperature by 547 measuring 300 and 500 times on each slot. If not mentioned 548 otherwise, the target application runs on the core 0, and the 549 collecting application runs on farthest away from core 0. 550 1) Breaking KASLR without noise. 551 We use ThermalBleed to break KASLR from an unprivileged 552 user. In this experiment, we consider an ideal attack scenario: 553 VOLUME 4, 2016 Noise from a different physical core. We evaluate the per-595 formance of our attack under the case where an application 596 that introduces a noise (i.e. increases the temperature) is 597 running on a different physical core. As the hwmon inter-598 face allows an unprivileged user to obtain the temperature 599 generated from each core, our attack is robust against the 600 noise unless the noise-generating application is co-located 601 with the target application. In order to validate our argument, 602 we perform an experiment by using stress-ng as a noise 603 source. Fig. 6 shows the accuracy of the ThermalBleed attack 604 under the noise generated by running stress-ng with 80% 605 of a CPU load. As expected, the accuracy is almost the same 606 as the case without noise. Specifically, when stress-ng 607 is running on the core 2 and 4, the attack accuracy reaches 608 100% (T n =500). For the core 6 and 8, we see a performance 609 degradation of 1% and 2% (T n =500), respectively. However, 610 when the stress-ng process is co-located with the target 611 application, the accuracy decreases to 20% (T n =500) and 4% 612 (T n =300). conducting a thorough analysis of the thermal sensor. This 669 restricted the current research to a simple thermal covert 670 channel, rather than a precise and effective thermal side-671 channel attack. We performed an in-depth analysis of Intel 672 thermal sensors to promote further research on software-673 based thermal side-channel attacks. Specially, we study some 674 thermal properties with the following questions.

675
Q1 Why does the physical memory access have a lower 676 effect on the core temperature measured by the thermal 677 sensor than the cache access?

678
Q2 Which elements in the CPU actually affect the tempera-679 ture of the core?

680
To answer the first question, we analyzed the structure 681 of the CPU package (A1). For the second question, we 682 uncovered the element's activity that is correlated with the 683 core temperature by utilizing Instruction Per Cycle (IPC) 684 (A2). 685 A1: Dissecting a structure of the CPU package. We 686 investigate where the Intel digital thermal sensors are placed 687 in the CPU package. Fig. 9 illustrates an internal structure 688 and a longitudinal section of the CPU package [14]- [17]. 689 A thermal interface material (TIM) is a compound material 690 that transfers heat between the interfaces, facilitating thermal 691 coupling. An integrated heat spreader (IHS) is a thin metal lid 692 with high thermal conductivity, which protects the CPU die 693 from external risk factors and provides an interface between 694 the processor and heatsink (i.e., cooling device) for efficient 695 heat transfer. The CPU cooler cools down the CPU die from 696 the heatsink to the IHS, TIM, and CPU die. In this structure, 697 Intel digital thermal sensors were located in the CPU die. 698 More specifically, the sensors were placed in each core to 699 measure the heat generated from the core [13], [31]. Thus, 700 the Intel digital thermal sensors directly retrieve the core 701 temperature, not the temperature from the outside of the die 702 (i.e., DRAM). For physical memory access to affect the core 703 temperature, the heat generated from the DRAM should raise 704 the air temperature. The hot air then disturbs the efficiency of 705 the CPU cooler, indirectly affecting the CPU temperature. 706 Thus, a load from a physical memory has a notably lower 707 effect on the thermal sensors placed in the core than the load 708 VOLUME 4, 2016 . In an i7-8700 processor, "imul 0x00" 772 and "shl r64, 0x00" instructions result in temperatures 773 of 30.855 • C and 31.759 • C, respectively. In this case, the 774 minimum amount of voltage and current was applied to 775 the CPUs. The "imul 0xffffffff" and "shl r64, 776 0xff" instructions caused the highest temperature in the 777 core thermal sensors. 778 We performed an additional experiment to determine 779 whether there is a correlation between the core temperature 780 and IPC for various types of instructions. Table 5 shows 781 the result of our additional experiment, where the core tem-782 perature tends to increase with respect to the value of IPC. 783 Thus, there seems to be a degree of correlation between the 784 temperature and IPC. We confirm this by calculating the 785 Pearson correlation between the core temperature and IPC. 786 The coefficients are 0.965 and 0.971 for the i7-10510U and 787 i7-8700 processors, respectively. This implies that there is a 788 high correlation between the temperature and IPC. 789 We observe from the experimental result that the heat 790 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.  Fig.10. In the 858 experiment, the collecting process is located at the core 859 which is farthest away from core 0, and obtains 10K traces 860 of temperatures measured at the core 0. At the same time, the 861 target process runs repeatedly executing prefetch instructions 862 to an allocated page at each core.

863
The experimental result is presented in Fig.11. The figure 864 shows how the temperature measurement at the core 0 is 865 affected by the heat generated from other cores. We observe 866 from the result that there is a noticeable difference between 867 core 3 and 4. We attribute the difference to the physical 868 VOLUME 4, 2016 In addition to using the dTLB, there are other ways to 907 infer the present pages. Schwarz et al.
[39] exploited a 908 store-to-load forwarding unit, where the stored data was 909 only forwarded to the next load instruction if the destination 910 address was successfully resolved in the address translation. 911 Canella et al. [27] analyzed Meltdown-patched CPUs and 912 disclosed how Intel fixed the CPUs against Meltdown attacks. 913 More specifically, these CPUs immediately zeroed out if the 914 illegally accessed address is the present page; otherwise, a 915 pipeline stall occurs. This attack exploits the timing differ-916 ence to break KASLR.

917
All these previous works commonly depend on precise 918 timing information to deliver the attack. This implies that 919 they are easily mitigated by a defense approach that limits 920 the timing information [9], [10]. However, ThermalBleed 921 is a timer-free side-channel attack; it does not rely on any 922 timing information to de-randomize KASLR. Therefore, our 923 attack is more resistant to defense mechanisms compared to 924 previous studies.

925
Similar to ThermalBleed, Lipp-(a), (b) et al. [3], [40] pre-926 sented another timer-free side-channel attack; they exploited 927 information from the CPU power consumption using the 928 powercap interface without relying on the timer informa-929 tion. However, Lipp-(a) et al. [3] was limited in that it did 930 not allow cross-core side-channel attacks. Moreover, after 931 patching the vulnerability, the powercap interface was no 932 longer available to user mode applications (i.e., unprivileged 933 users), which significantly reduced the effectiveness of the 934 attack. Thus, the ThermalBleed attack is the only one timer-935 free thermal side-channel attack that is effective and practical 936 in various environments.

938
Thermal-based attacks. Previous works on thermal-based 939 attacks can be classified according to some criteria; an attack 940 goal (i.e., constructing a covert-or a side-channel), a mea-941 surement method (i.e., software-or hardware-based), and a 942 target platform (i.e., x86, AVR, etc). Table 7 presents a com-943 parison of thermal-based attacks according to the criteria.
[35] presented a heating fault attack on an 945 AVR-based target device. By exploiting the fact that a fault 946 is induced if the device temperature reaches a threshold, 947 they successfully recovered a RSA private key via a side-948 channel analysis. Aljuffri et al.
[41] improved previous 949 hardware-based thermal side-channel attacks by applying 950 power analysis techniques such as SPA and CPA. As a result, 951 they successfully extracted a private key of an Montgomery 952 ladder implementation of RSA algorithm with 100% ac-953 curacy on AVR-based devices. As shown in Table 7, all 954 the aforementioned thermal side-channel attacks are based 955 on hardware-based measurement. As hardware-based attacks 956 basically require an attacker to have physical access to the 957 target device, their attack models are restricted to limited and 958 unpractical attack scenarios. Unlike the previous work, the 959 ThermalBleed attack is based on a software-based temper-960 ature measurement, which eliminates the need for physical 961 access to a target device.