A survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography


CHARACTERIZATION OF HARDWARE ATTACK VECTORS





We characterize the attack vectors of side-channel techniques from the level in the computer system and the category of side-channel information, as summarized in Table 1.

1. Instruction Level


We first consider the instruction-level attacks, which aim to identify when and what instructions are issued by the victim program. Based on the instruction trace, the adversary can infer the cryptographic secrets. Modern processors normally contain numerous arithmetic or logical functional units to perform designated computation. To launch an instruction-level attack, the adversary must share the same CPU core and the target functional units with the victim process. The contention on these units can leak information about the instructions issued by the victim to the adversary.

Multiply instruction. Multiplication is a fundamental operation in cryptographic applications. Hardware multiplier units are implemented in the CPU core to accelerate the computation. Wang et al. [212] demonstrated that processes running on the same core can interfere with the multiplier units, and the adversarial process is able to identify the multiply instruction of the victim based on the timing difference. Aciicmez et al. [6] designed a side-channel attack against the RSA implementation in OpenSSL by distinguishing the multiplications from square operations.
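
An added example, not taken from the survey or from OpenSSL: a toy 32-bit modular exponentiation that records its square (S) and multiply (M) sequence, showing why a multiply/square distinction exposes exponent bits and how a square-and-multiply-always variant makes the sequence independent of the exponent. The function names, the modulus 1000003 and the exponents 5 and 6 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint32_t (*modexp_fn)(uint32_t, uint32_t, uint32_t, char *);

/* Modular multiply. Models the instruction sequence only: '%' itself has
 * operand-dependent latency on many CPUs and is not constant-time. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n) {
    return (uint32_t)(((uint64_t)a * b) % n);
}

/* Textbook square-and-multiply: 'M' appears in the trace only for 1-bits of d,
 * so the order of squares and multiplies spells out the exponent. */
uint32_t modexp_naive(uint32_t base, uint32_t d, uint32_t n, char *trace) {
    uint32_t r = 1 % n;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, n); *trace++ = 'S';
        if ((d >> i) & 1u) { r = mulmod(r, base, n); *trace++ = 'M'; }
    }
    *trace = '\0';
    return r;
}

/* Square-and-multiply-always: every bit issues S then M; a mask, not a
 * branch, decides whether the product is kept. */
uint32_t modexp_always(uint32_t base, uint32_t d, uint32_t n, char *trace) {
    uint32_t r = 1 % n;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, n); *trace++ = 'S';
        uint32_t t = mulmod(r, base, n); *trace++ = 'M';
        uint32_t mask = 0u - ((d >> i) & 1u); /* all ones when the bit is set */
        r = (t & mask) | (r & ~mask);
    }
    *trace = '\0';
    return r;
}

/* 1 if two exponents give different operation traces under f (constructed inputs). */
int trace_differs(modexp_fn f, uint32_t d1, uint32_t d2) {
    char t1[65], t2[65]; /* at most 64 operations plus NUL */
    f(3, d1, 1000003u, t1); f(3, d2, 1000003u, t2);
    return strcmp(t1, t2) != 0;
}

int main(void) {
    printf("naive leaks: %d, always leaks: %d\n",
           trace_differs(modexp_naive, 5, 6), trace_differs(modexp_always, 5, 6));
    return 0;
}
```
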

Floating point instruction. Another type of arithmetic operation is computation on floating point numbers. Such operations usually have large internal states, and are accelerated by the Floating Point Unit (FPU). Thus, an FPU context switch can cause longer computation time. Additionally, floating point instructions with different operands also have distinguishable execution times, which can leak sensitive information [12]. However, this technique is limited to applications with floating point instructions for critical operations, which are relatively rare in cryptographic applications.


Footnote 2: If SMT is enabled, then the attacker and victim programs only need to share the physical core, instead of the logical core. An attacker in a different logical core from the victim but the same physical core can monitor the victim concurrently without interrupting it. This setting improves the success rate of side-channel attacks and is commonly adopted by these works.



