Exploration and Exploitation of Hidden PMU Events

Performance Monitoring Unit (PMU) is a common hardware module in modern processors that monitors the processor's architectural and microarchitectural events (PMU events) for CPU performance analysis and optimization. Vendors publish PMU events in documents such as Intel's Software Development Manual (SDM) and ARM processor technical reference manuals. In this paper, we report our findings that these documented PMU events are only a very small portion of the PMU event space. We define hidden PMU events as those that can be triggered in the instruction's execution but are not documented by the vendors. The hidden PMU events may not be as useful as the documented ones for CPU performance analysis. However, they might introduce security vulnerabilities. We develop an automated tool to traverse all the possible PMU events during the execution of each valid instruction to locate the hidden PMU events. On six Intel processors with different micro-architectures, where there are about 307 documented PMU core events on average, our tool finds an average of 17,361 hidden PMU events. We further demonstrate the security implications in both defense and attack of these hidden PMU events. Our experimental results show that up to 6,613 hidden PMU events on the i7-6700 can be used to detect transient execution attacks and 1,192 hidden PMU events can be exploited for side-channel attacks.