A survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography



Date: 03.05.2023

Threat Model


What we cover. The target of our surveyed works is microarchitectural side-channel attacks. Microarchitecture is defined as the hardware implementation of an Instruction Set Architecture (ISA). We mainly focus on the x86 ISA (e.g., Intel and AMD) due to its wide adoption in modern PCs and servers, although some techniques can also be extended to the ARM processors [87, 128]. Some works may need the processor to have additional hardware features, such as Intel SGX [28, 51, 85, 92, 126, 138, 139, 176, 180, 198, 207, 222], Intel TSX [61, 108], and AMD’s cache-way predictor [129]. We will mention the requirements when discussing these works.
We consider the attacker as a normal user in the target system without root privileges. She can launch a malicious program on the same machine as the victim program, but cannot control the scheduling of the attacking process or the victim. One exception is the TEE scenario, where the attacker can be the OS that has the privilege to schedule all processes, but cannot introspect into the victim’s protected memory. In remote timing attacks, the attacker can only query the victim cryptographic program remotely without launching the malicious program on the host machine.
What we do not cover. The following attacks and scenarios are out of the scope of this article:
Physical side-channel attacks: These require the attacker to be physically local to the target system to collect the physical signals (e.g., power consumption [47], electromagnetic radiation [78], acoustic emission [79]) during the execution.
Network side-channel attacks: An adversary can exploit the network application features (e.g., response messages, packet pattern, and size) as side channels to attack the network services protected by the cryptographic protocols, including RSA padding oracle attacks [23] and CBC-MAC padding oracle attacks [202]. These network attacks have fundamentally different causes from microarchitectural attacks, and hence are not summarized in this article. Note that we still consider the timing attacks that analyze the information leaked from the microarchitectural states of a remote machine.
Transient execution attacks: Meltdown [130] and Spectre [120] attacks were demonstrated to bypass the protection schemes in OSes, followed by many variants [39, 41, 43, 107, 175, 192]. Although side-channel techniques are used in such attacks as a tool to leak secrets, these attacks target all data in the protected memory region instead of only cryptographic secrets.
Invasive attacks: Following the most conventional microarchitectural side-channel attacks, we assume the attacker can only passively spy on the behaviors of the victim, rather than actively compromising the integrity of the victim data. For instance, Rowhammer [118], an inherent vulnerability in modern high-density memory modules, can induce bit flips in the adjacent rows by frequently accessing a memory row. Fault attacks can also be achieved via physical means (e.g., laser injection) [66]. Although such active attacks can break cryptographic ciphers (e.g., RSA [19], AES [233]), we do not elaborate on relevant works about Rowhammer [74, 116, 134, 147] and fault attacks [96, 114, 168, 186] in this article. Note that RAMbleed [123] is an exception, as it does not interfere with the victim data.
Attacks against non-cryptographic applications: At the application level, attacks exist to identify keystrokes [182] and application states/activities [185]. At the system level, adversaries may infer host configurations [173] and memory layout information [98]. We do not systematize these attacks.

Table 1. Side-channel Attack Vectors in Hardware




