
Chronos vs. Chaos

Sam Dawson, Mark Batty

Proceedings of the 2022 ACM on International Workshop on Security and Privacy Analytics (2022)

Abstract
Timing is one of the key metrics by which side-channel attacks distinguish between classes of executions. For example, a speculative execution may be specified in the architecture as having no visible side-effects, but the cache may still be accessed for some concrete micro-architecture implementation. Cache side-channel attacks interpret this signal by measuring the time a memory access will take to complete under some set of cache preconditions, in turn revealing some machine state that is expected to remain opaque. Some of the speculative structures in the micro-architecture (such as the Store Buffer) responsible for these behaviours also expose visible out-of-order, or "weak memory" execution under the correct conditions. This work investigates the environmental conditions under which visible weak memory executions occur and whether there is a micro-architectural "signal" associated with those executions that can be exposed. It is our hypothesis that these characteristics can be used to identify micro-architectural speculation that may lead to weak-memory behaviour, and that the mechanisms at play in these executions, if subsequently rolled back, may induce cache side effects necessary for building transient execution attacks. kerntime is a kernel-mode utility that provides cycle-level granularity for execution time of weak memory litmus tests. We use kerntime to analyse the timing profile of Store Buffering behaviour present on x86 and develop characteristics based on observations from the dataset generated by kerntime, including a thread local indicator of Store Buffering behaviour.
Keywords
Side-Channel Attacks, Cache Attacks