Side Channel Research on CPU Privilege Mode Switching Boundary

Wuzheng Tan, Zuobo Xiao

Abstract

Modern computer systems have evolved from basic page-table isolation to kernel page-table isolation in order to isolate the memory of individual modules: not only is the memory of each process isolated from every other process, but kernel memory is also isolated from user memory. In this paper we introduce a side-channel attack at the boundary of privileged mode. It exploits the out-of-order execution strategy of the CPU instruction pipeline together with the window of time before the kernel page table is switched, leaking kernel data into micro-architectural state and then extracting it through a cache side channel, thereby breaking the kernel page-table isolation mechanism. This micro-architectural side channel does not depend on any software vulnerability and is operating-system independent. Using this attack, kernel memory can be read freely from user process space, affecting a large number of cloud service users as well as personal computer users.
