Controlled Preemption: Amplifying Side-Channel Attacks from Userspace

Published in ASPLOS, 2025 (Full Paper | Code | bibtex)

@inproceedings{controlled-preemtion,
  author    = {Zhu, Yongye and Chen, Boru and Zhao, Zirui Neil and Fletcher, Christopher W.},
  title     = {Controlled Preemption: Amplifying Side-Channel Attacks from Userspace},
  booktitle = {ASPLOS},
  year      = {2025}
}

Microarchitectural side channels are an ongoing threat in today's systems. Yet many side-channel methodologies suffer from low temporal measurement resolution, which can either preclude an attack or significantly complicate it.

This paper introduces Controlled Preemption, an attack primitive that lets a single unprivileged (user-level) attacker thread repeatedly preempt a victim thread once it is colocated with that victim on the same logical core. Between preemptions, the victim thread executes zero to several instructions, few enough to enable high-resolution side-channel measurements.

The key idea in Controlled Preemption is to exploit scheduler fairness heuristics: modern thread schedulers let a thread A preempt another thread B until a fairness tripwire (signaling that A is starving B) fires. We show that this idea yields hundreds of short preemptions before the tripwire fires, is robust to noise, and applies to both the Linux CFS and EEVDF schedulers. We also develop a technique that helps colocate the attacker and victim threads on the same logical core, an attacker capability overlooked by prior work.

Our evaluation tests Controlled Preemption against several victim programs, victim privilege levels (inside and outside of Intel SGX), and choices of side channel. In each attack we demonstrate results that are competitive with prior work while making fewer assumptions (e.g., requiring only user-level privilege, or fewer colocated attacker threads).