Quantitative Analysis on Attack Capacity in Meltdown-Type Attacks

INFORMATION SECURITY APPLICATIONS (2021)

Abstract
In recent years, modern CPUs have been suffering from Meltdown-type attacks. These attacks are delivered by exploiting transient execution created by a faulting load operation. A secret value is encoded into the cache by transient instructions, which in turn is deduced from a microarchitectural covert channel such as Flush+Reload. Recent studies on these attacks mainly focus on finding new vulnerable microarchitectural structures, while lacking interest in how many transient instructions can be executed in the transient execution. If attackers know the exact attack capacity, i.e., the maximum number of instructions available within a transient execution window, they will be able to maximize information leakage by executing additional transient instructions. In order to devise security solutions against Meltdown-type attacks, it is of crucial importance to measure and evaluate the attack capacity. In this paper, we quantitatively analyze the attack capacity in terms of the number of μops, the latency of transient instructions, and the size of the Reorder Buffer (ROB). Specifically, we present our method in detail that measures the capacity by reconstructing the original implementations of Meltdown-type attacks. We analyze the attack capacity by conducting experiments with various CPU models and identify several elements that affect the capacity. Based on our findings, we propose two methods that reinforce the Meltdown-type attacks.
Keywords
Meltdown-type attack, Transient attack capacity, Reinforcing microarchitectural covert channel