<p>For the past decades, covert and side channels have posed significant threats to user privacy in computing systems, targeting almost every component. In this paper, we present SideLink, an attack that exploits the NVLink bus for covert communication and information leakage. NVLink is a high-bandwidth interconnect in NVIDIA GPU systems that has become essential for AI workloads in data centers. Despite its high bandwidth, we show that NVLink exhibits measurable contention characteristics that enable both covert and side-channel attacks. We evaluate SideLink across NVIDIA’s Hopper (H200), Ampere (A100), and Volta (V100) architectures, achieving covert channel bandwidths of 8.29 Kbps, 9.90 Kbps, and 6.33 Kbps respectively with negligible error rates, demonstrating the attack’s viability across multiple GPU and NVLink generations. Furthermore, we implement an application fingerprinting side-channel attack, collecting a dataset of NVLink latency traces from dual-GPU applications including hashing and crypto-mining workloads. By evaluating multiple machine learning models, we achieve a maximum accuracy of 96.2%. To mitigate these threats, we propose and evaluate temporal and spatial partitioning countermeasures for NVLink, analyzing their effectiveness and performance overhead. In cloud environments where shared resources facilitate attacker-victim cohabitation, our work exposes vulnerabilities and provides defensive strategies to safeguard user privacy in modern computing infrastructures.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

SideLink: Exposing NVLink to Covert- and Side-Channel Attacks

  • Issa Baddour,
  • Dip Sankar Banerjee,
  • Somitra Kumar Sanadhya

摘要

For the past decades, covert and side channels have posed significant threats to user privacy in computing systems, targeting almost every component. In this paper, we present SideLink, an attack that exploits the NVLink bus for covert communication and information leakage. NVLink is a high-bandwidth interconnect in NVIDIA GPU systems that has become essential for AI workloads in data centers. Despite its high bandwidth, we show that NVLink exhibits measurable contention characteristics that enable both covert and side-channel attacks. We evaluate SideLink across NVIDIA’s Hopper (H200), Ampere (A100), and Volta (V100) architectures, achieving covert channel bandwidths of 8.29 Kbps, 9.90 Kbps, and 6.33 Kbps respectively with negligible error rates, demonstrating the attack’s viability across multiple GPU and NVLink generations. Furthermore, we implement an application fingerprinting side-channel attack, collecting a dataset of NVLink latency traces from dual-GPU applications including hashing and crypto-mining workloads. By evaluating multiple machine learning models, we achieve a maximum accuracy of 96.2%. To mitigate these threats, we propose and evaluate temporal and spatial partitioning countermeasures for NVLink, analyzing their effectiveness and performance overhead. In cloud environments where shared resources facilitate attacker-victim cohabitation, our work exposes vulnerabilities and provides defensive strategies to safeguard user privacy in modern computing infrastructures.