- The paper presents a novel software-only covert channel that exploits memory contention without requiring privileged access.
- It demonstrates an attack achieving up to 6.4 kbps transmission with an error rate below 1% on NVIDIA SoC architectures.
- The research highlights critical vulnerabilities in shared memory systems, calling for enhanced security in SM-SoCs.
Memory Contention Covert Channels in Shared DRAM SoCs
The proliferation of shared-memory system-on-chips (SM-SoCs) across mobile computing platforms introduces new vulnerabilities that can be exploited for covert-channel communication. This paper presents a covert communication attack methodology, termed MC3, that leverages memory contention in shared DRAM architectures to achieve high-throughput, low-error data transmission between CPU and GPU applications on mobile SoCs, without requiring elevated privileges.
Covert Channel Communication in SM-SoCs
SM-SoCs integrate multiple processing units (PUs), such as CPUs, GPUs, and various domain-specific accelerators, within a shared memory architecture. This shared architecture aims to reduce chip area and production costs by minimizing data transfer overhead between PUs. Existing covert communication attacks primarily exploit shared caches or require privileged memory access, leaving a gap in high-throughput, software-only attacks on shared memory systems that lack a shared last-level cache (LLC).
MC3 Attack Design and Evaluation
MC3 targets NVIDIA's SoC architectures (Orin AGX, Orin NX, and Orin Nano) by capitalizing on memory contention observable via software-only measurements. The attack achieves up to 6.4 kbps transmission with an error rate of less than 1%. Unlike cache-based or privileged-access attacks, MC3 generates contention exclusively within the shared memory resources, bypassing private cache hierarchies and reducing the risk of detection.
Key contributions of this work include:
- Novel Attack Vector: Introduction of a software-only, memory-contention-based covert channel communication vector that does not necessitate privileged access.
- Transmitter and Receiver Design: A detailed design that allows either CPU+GPU or CPU-only operation for both transmitting and detecting memory contention, without external synchronization.
- Performance Analysis: A demonstration of the trade-offs between throughput and robustness, optimizing buffer sizes and contention intervals by employing non-temporal memory instructions to avoid cache interference.
Practical and Theoretical Implications
The implications of this research are significant in both practical and theoretical domains. Practically, the presence of such vulnerabilities calls for heightened scrutiny of shared memory architectures in SoCs, particularly in mobile and autonomous systems where GPU-accelerated computation is prevalent. Theoretically, this work expands the covert channel threat model to encompass shared-memory contention as a viable attack surface, urging a reevaluation of existing countermeasures focused solely on cache or physical access vulnerabilities.
Limitations and Future Directions
The study acknowledges limitations in synchronization between transmitter and receiver activities and potential variability in execution environments that could affect consistency. Future work could explore more dynamic synchronization mechanisms and extend the analysis to other SM-SoC architectures, reinforcing the paper's call for developing comprehensive security enhancement strategies for shared memory components.
In conclusion, this paper contributes to the understanding of memory contention as a covert communication channel in shared DRAM systems. By successfully achieving high-throughput, low-error communication without privileged access, it underscores a critical vulnerability in modern SoCs, compelling further research and mitigation efforts in shared memory security.