Shared-memory system-on-chips (SM-SoCs) are ubiquitously employed by a wide range of mobile computing platforms, including edge/IoT devices, autonomous systems and smartphones. In SM-SoCs, system-wide shared physical memory provides a convenient and financially feasible way to make data accessible to dozens of processing units (PUs), such as CPU cores and domain-specific accelerators. In this study, we investigate vulnerabilities that stem from the shared use of physical memory in such systems. Due to the diverse computational characteristics of the PUs they embed, SM-SoCs often do not employ a shared last-level cache (LLC). While the literature proposes covert channel attacks for shared-memory systems, high-throughput communication is currently possible by relying on either an LLC or privileged/physical access to the shared memory subsystem. In this study, we introduce a new memory-contention-based covert communication attack, MC3, which specifically targets the shared system memory in mobile SoCs. Unlike existing attacks, our approach achieves high-throughput communication between applications running on the CPU and GPU without the need for an LLC or elevated access to the system. We extensively explore the effectiveness of our methodology by demonstrating the trade-off between the channel transmission rate and the robustness of the communication. We demonstrate the utility of MC3 on NVIDIA Orin AGX, Orin NX, and Orin Nano at transmit rates of up to 6.4 kbps with an error rate of less than 1%.