在現今 x86 處理器中，前端微架構負責將 CISC 指令解碼為 μop
指令，以在後端微架構流水線中執行。然而，這個轉換過程涉及複雜
的硬體。為了減少指令解碼的執行時間以及頻繁使用指令的功耗，微
操作緩存被用來存儲已解碼的 μop 指令，避免解碼過程。在這篇論文
中，我們定量地檢驗了與微操作緩存相關的一種潛在的隱蔽通道。首
先，我們利用 Micro-operation Cache 的幾個特性確認隱蔽通道中
的時間差異的來源確實與 Micro-operation Cach 有關。然後，我們
實現了一個概念驗證 (POC)，在 Micro-operation Cache 中實現了
這個隱蔽通道，用於秘密數據傳輸。最後，在實驗結果中，這個隱蔽
通道的數據傳輸速率明顯快於其他微架構側通道攻擊。由於對 Micro-operation Cache 沒有有效的對抗措施，我們期望未來將更多的關注
引向微架構級別的安全增強技術。

In modern x86 processors, the front-end micro-architecture decodes x86 instructions into $\mu$op instructions for execution in the back-end micro-architecture pipeline.
However, this translation process involves complex steps and hardware.
To reduce the runtime of instruction decoding as well as the power consumption of frequently used instructions, the micro-operation cache (micro-op cache) is employed to store decoded $\mu$op instructions, bypassing the decoding process.
This thesis quantitatively examines a potential covert channel associated with the micro-op cache.
Initially, we leverage several characteristics of the micro-op cache to confirm that the source of the timing differences in the covert channel is indeed related to the micro-op.
After that, we implement a proof of concept (POC) to realize this covert channel in the micro-op for secret data transmission.
Finally, in the experimental results, the data transfer rate of this covert channel is notably faster compared to other existing micro-architectural side-channel attacks.
Since there are no efficient countermeasures for the micro-op,
we expect to bring more attention to micro-architecture-level security enhancement techniques.

[1] Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, G., Haas, W., Hamburg,
M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., and Yarom, Y.,”Spectre
attacks: Exploiting speculative execution.” In SP (2019). A preprint was pub-
lished in 2018 as arXiv:1801.01203.
[2] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S.
Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg, “Meltdown:
Reading Kernel Memory from User Space,” in USENIX Security Symposium
(to appear), 2018.
[3] J. Fustos, M. Bechtel, and H. Yun, “SpectreRewind: Leaking secrets to past
instructions,” in arXiv 2003.12208, 2020.
[4] Y. Yarom and K. Falkner, “Flush+Reload: A High Resolution, Low Noise, L3
Cache Side-Channel Attack,” in USENIX Security Symposium, 2014.
[5] 64-ia-32-architectures-optimization-manual, 2012
[6] x86 Processor Microarchitectures, https://www.agner.org/optimize/microarchitecture.pdf
[7] Andreas Abel and Jan Reineke. 2019. uops. info: Characterizing latency,
throughput, and port usage of instructions on intel microarchitectures. In Pro-
ceedings of the Twenty-Fourth International Conference on Architectural Sup-
port for Programming Languages and Operating Systems. 673–686.
[8] Standard Performance Evaluation Corporation, “SPEC CPU R 2006,”
https://www.spec.org/cpu2006/.
[9] Jagadish B. Kotra, John Kalamatianos, “Improving the Utilization of Micro-
operation Caches in x86 Processors,” in micro, 2020.
[10] 7-Zip LZMA Benchmark, https://www.7-cpu.com
[11] How Zen’s Op Cache Affects Performance,
https://chipsandcheese.com/2021/07/03/how-zen-2s-op-cache-affects-
performance
[12] Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, and
Joel Emer, ”DAWG: A Defense Against Cache Timing Attacks in Speculative
Execution Processors,” In MICRO, 2018.
[13] Khasawneh, K. N., Koruyen, E. M., SONG, C., Evtyushkin, D., Ponomarev,
D., and Abu-Ghazalen, N., ” SafeSpec: Banishing the Spectre of a Meltdown
with Leakage-Free Speculation,” arXiv:1806.05179 (2018).
[14] Khasawneh, K. N., Koruyen, E. M., SONG, C., Evtyushkin, D., Ponomarev,
D., and Abu-Ghazalen, N., ” SafeSpec: Banishing the Spectre of a Meltdown
with Leakage-Free Speculation,” DAC (2019).
[15] VArnaldo Carvalho de Melo, ” The new linux ‘perf’ tools,” In Slides from Linux
Kongress, 2010.
[16] Xida Ren, Logan Moody, Mohammadkazem Taram, Matthew Jordan, Dean
M. Tullsen, Ashish Venkat, ”I See Dead μops: Leaking Secrets via Intel/AMD
Micro-Op Caches,” ISCA, 2021.
[17] Intel Security Guidance, https://www.intel.com/content/www/us/en/developer/topic-
technology/software-security-guidance/processors-affected-consolidated-
product-cpu-model.html