Covert channels are communication channels used by attackers to transmit information from a compromised system when the access control policy of the system does not allow doing so. Previous work has shown that CPU frequency scaling can be used as a covert channel to transmit information between otherwise isolated processes. Modern systems either try to save power or try to operate near their power limits in order to maximize performance, so they implement mechanisms to vary the frequency based on load. Existing covert channels based on this approach are either easily thwarted by software countermeasures or only work on completely idle systems. In this paper, we show how the automatic frequency scaling provided by Intel Turbo Boost can be used to construct a covert channel that is both hard to prevent without significant performance impact and can tolerate significant background system load. As Intel Turbo Boost selects the maximum CPU frequency based on the number of active cores, our covert channel modulates information onto the maximum CPU frequency by placing load on multiple additional CPU cores. Our prototype of the covert channel achieves a throughput of up to 61 bit/s on an idle system and up to 43 bit/s on a system with 25% utilization.

中文翻译：

---

TurboCC：具有 Intel Turbo Boost 的实用的基于频率的隐蔽通道

隐蔽通道是攻击者在系统访问控制策略不允许的情况下用于从受感染系统传输信息的通信通道。先前的工作表明，CPU 频率缩放可用作隐蔽通道，以在其他孤立的进程之间传输信息。现代系统要么尝试节省功率，要么尝试在其功率极限附近运行以最大限度地提高性能，因此它们实施了根据负载改变频率的机制。基于这种方法的现有隐蔽通道要么很容易被软件对策阻止，要么只能在完全空闲的系统上工作。在本文中，我们展示了如何使用 Intel Turbo Boost 提供的自动频率缩放来构建一个隐蔽通道，该通道既难以在不显着性能影响的情况下阻止，又可以承受大量后台系统负载。由于 Intel Turbo Boost 根据活动内核的数量选择最大 CPU 频率，我们的隐蔽通道通过将负载放置在多个额外的 CPU 内核上来将信息调制到最大 CPU 频率上。我们的隐蔽通道原型在空闲系统上实现了高达 61 位/秒的吞吐量，在使用率为 25% 的系统上实现了高达 43 位/秒的吞吐量。