2026-09-14

Business Cat: Effects of Quality of Service Features on Side Channels in AMD SEV-SNP

Abstract

Modern systems execute numerous workloads in parallel, with tasks contending for the same shared resources, e.g., cache and memory bandwidth. To minimize the impact of "noisy neighbors" on workloads, Intel and AMD released quality-of-service (QoS) extensions to enforce limits on such resources along with monitoring metrics. In this paper, we show that these well-intentioned quality-of-service extensions introduce new system-level cross-core side channels and amplify known attacks in confidential computing environments on modern AMD server CPUs, namely SEV-SNP. We demonstrate our attacks in the malicious or compromised hypervisor threat model attacking an SEV-SNP CVM. In these settings, we mount an MBM-based Bleichenbacher attack on RSA, inter-keystroke timing attacks (F1 score up to 96%) exploiting MBM, MBA, CAT, and CDP, a new MBA rate-limit-based side channel (up to 205 B/s), and a website fingerprinting attack (F1 score up to 72.10%) exploiting MBM, MBA, CAT, and CDP. We also evaluate a CAT-amplified Prime+Probe L3 covert channel with a maximum speedup of 2.27x. We conclude that this well-intentioned set of features requires mitigation, most likely in the form of hardware changes.

Conference paper

European Symposium on Research in Computer Security (ESORICS)

Publication date

2026-09-14

Last modified date

2026-06-24