A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography

@article{Lou2021ASO,
  title={A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography},
  author={Xiaoxuan Lou and Tianwei Zhang and Jun Jiang and Yinqian Zhang},
  journal={ACM Computing Surveys (CSUR)},
  year={2021},
  volume={54},
  pages={1 - 37}
}
Side-channel attacks have become a severe threat to the confidentiality of computer applications and systems. One popular type of such attacks is the microarchitectural attack, where the adversary exploits the hardware features to break the protection enforced by the operating system and steal the secrets from the program. In this article, we systematize microarchitectural side channels with a focus on attacks and defenses in cryptographic applications. We make three contributions. (1) We… 

Figures and Tables from this paper

SoK: Analysis of Root Causes and Defense Strategies for Attacks on Microarchitectural Optimizations

This work identifies the four root causes of timing-based side-channel attacks: determinism, sharing, access violation, information violation and information through systematic analysis and provides a framework for analysing non-transient and transient attacks, which highlights the similarities.

Branch Different - Spectre Attacks on Apple Silicon

This paper focuses on the ARMv8-based Apple CPUs and demonstrates a reliable Spectre attack, and systematically evaluates alternative high-resolution timing primitives, as timers used for microarchitectural attacks on other ARM CPUs are unavailable.

Cache Refinement Type for Side-Channel Detection of Cryptographic Software

Evaluation results confirm the capability of CaType in identifying side channel defects with great precision, efficiency, and scalability.

Rosita++: Automatic Higher-Order Leakage Elimination from Cryptographic Code

This work proposes statistical and software-based tools to allow high-performance higher-order leakage detection and uses the code rewrite engine of Rosita to eliminate detected leakage, the first automated tool for detecting and eliminating higher- order leakage from cryptographic implementations.

Breaking and Fixing Speculative Load Hardening

This paper demonstrates, for the first time, that variable-time arithmetic instructions leak secret information even if they are executed only speculatively, and extends strong SLH to include protections also against this kind of leakage, and implements the resulting full protection in LLVM.

A Formal Methodology for Verifying Side-Channel Vulnerabilities in Cache Architectures

This paper designs an entropy-based noninterference reasoning framework with two unwinding conditions to assess the information leakage of the cache designs and uses this methodology to assess eight state-of-the-art cache architectures to demonstrate reliability as well as safety.

SoK: Design Tools for Side-Channel-Aware Implementations

This SoK classify approaches to automated leakage detection based on the model's source of truth on two main parameters: whether the model includes measurements from a concrete device and the abstraction level of the device specification used for constructing the model.

Leaking Control Flow Information via the Hardware Prefetcher

This work presents AfterImage, a new side-channel that exploits the Intel Instruction Pointer-based stride prefetcher, and is the first to publicly demonstrate a methodology that is both algorithm-agnostic and also able to leak kernel data into userspace.

UC-Check: Characterizing Micro-operation Caches in x86 Processors and Implications in Security and Performance

This paper finds out modern uop caches suffer from (1) security vulnerability and (2) severe cache contention between co-located SMT cores, and proposes a logical uop cache allocation technique to alleviate the cache contention problem.

Write Me and I’ll Tell You Secrets – Write-After-Write Effects On Intel CPUs

It is shown how Write+Write can be used for rapid construction of eviction sets on current cache architectures and how Write-After-Write effects can be leveraged to efficiently synchronize covert channel communication across CPU cores.

References

SHOWING 1-10 OF 246 REFERENCES

Survey of Microarchitectural Side and Covert Channels, Attacks, and Defenses

This survey extracts the key features of the processor’s microarchitectural functional units which make the channels possible, presents an analysis and categorization of the variety of microarch Architectural side and covert channels others have presented in literature, and surveys existing defense proposals.

TimeWarp: Rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks

The approach is to limit the fidelity of fine grain timekeeping and performance counters, making it difficult for an attacker to distinguish between different microarchitectural events, thus thwarting attacks.

MicroWalk: A Framework for Finding Side Channels in Binaries

This work develops a software framework named MicroWalk for side-channel analysis of binaries which can be extended to support new classes of leakage and proposes a novel technique based on Dynamic Binary Instrumentation and Mutual Information Analysis to efficiently find microarchitectural leakages in software binaries.

Side-channel vulnerability factor: A metric for measuring information leakage

SVF quantifies patterns in attackers' observations and measures their correlation to the victim's actual execution patterns and in doing so captures systems' vulnerability to side-channel attacks, providing a quantitative approach to secure computer architecture.

Understanding contention-based channels and using them for defense

A general mathematical study of microarchitectural channels using information theory and a novel way of detecting intelligent adversaries that try to hide while running covert channel eavesdropping attacks is introduced.

May the Fourth Be With You: A Microarchitectural Side Channel Attack on Several Real-World Applications of Curve25519

It is found that the resulting interactions of the point at infinity, order-2, and order-4 elements in the Montgomery ladder scalar-by-point multiplication routine create side channel leakage that allows us to recover the private key in as few as 11 attempts to access such malicious files.

New cache designs for thwarting software cache-based side channel attacks

The results show that the new cache designs with built-in security can defend against cache-based side channel attacks in general-rather than only specific attacks on a given cryptographic algorithm-with very little performance degradation and hardware cost.

Constant-Time Callees with Variable-Time Callers

This work discloses a vulnerability in OpenSSL 1.0.1u that recovers ECDSA private keys for the standardized elliptic curve P-256 despite the library featuring both constant-time curve operations and modular inversion with microarchitecture attack mitigations and proposes a new approach of extracting a variable number of nonce bits from these sequences.

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

This work identifies a critical vulnerability in the RSA key generation procedure of Intel SGX SSL (and the underlying OpenSSL library) that allows to recover secret keys from observations of a single execution and urges for careful re-evaluation of cryptographic libraries with respect to single trace attacks, especially if they are intended for shielded execution environments such as IntelSGX.

Practical Timing Side Channel Attacks against Kernel Space ASLR

This paper shows that an adversary can implement a generic side channel attack against the memory management system to deduce information about the privileged address space layout and can successfully circumvent kernel space ASLR on current operating systems.
...