Skip to content

Latest commit

 

History

History
3525 lines (3174 loc) · 186 KB

comparch.micro.channels.md

File metadata and controls

3525 lines (3174 loc) · 186 KB

C++ links: computer architecture - microarchitectural channels

See also: Computer Architecture

  • Leakage channels: side channels (accidental), covert channels (deliberate).
  • Storage channels (functional behavior), timing channels (temporal behavior).
  • Timing-based channels (operations timing), access-based channels (direct information access), trace-based channels (program execution measurement).

Contents



General

General: 2024

General: 2023

General: 2022

General: 2021

General: 2020

General: 2019

General: 2018

General: 2017

General: 2016

General: 2015

General: 2014

General: 2009

General: 1973


Defense, Mitigation, Protection

Defense: Branch Predictor

  • BRB: Mitigating Branch Predictor Side-Channels
  • Half&Half: Demystifying Intel’s Directional Branch Predictors for Fast, Secure Partitioned Execution
    • IEEE Security & Privacy (Oakland) 2023
    • Hosein Yavarzadeh, Mohammadkazem Taram, Shravan Narayan, Deian Stefan, Dean Tullsen
    • https://cseweb.ucsd.edu/~tullsen/halfandhalf.pdf
    • Our approach incurs more than an order of magnitude lesser overhead than other state-of-the-art defenses. This result is enabled by a comprehensive reverse engineering of the branch predictors on three high-end Intel processor families, revealing for the first time the structures and index functions of all tables in the predictor. Our analysis reveals the unexpected result that despite hundreds of bits used to index the branch prediction tables in these processors, a single bit of the branch address is used without modification as an independent bit of the index function of every table in the predictor. Thus, two branches that differ in this single bit can never influence each other.

    • Observation 1. Global history records the history footprint of the last 93 taken branches, whether they are conditional or unconditional. Not-taken branches do not affect the history.

    • Observation 2. In the Skylake microarchitecture, the following bits are used to update the PHR:

      • Branch Address [18:3] : 16 bits
      • Branch Target Address [5:0] : 6 bits
    • Observation 3. The PHR is updated in two steps whenever a branch is taken by:

      1. Shift two bits to the left: PHR = PHR << 2
      1. XOR the 16-bit footprint into the PHR: PHR[15:0] = PHR[15:0] ⊕ footprint
    • Observation 4. The 12 lower bits of the PC are used as input to the index and/or tag hash functions. Other microbenchmarks confirmed that all of these 12 lower bits of the PC are involved in either the index or tag hash functions.

    • Observation 5. There are 3 PHTs in the CBP, each of which is a 4-way set associative table. Only one bit of the PC is used to index the PHTs (PC[5] on Alder Lake, Tiger Lake, Ice Lake, Skylake and Cascade Lake, PC[4] on Haswell and Ivy Bridge).

    • Observation 6. Each PHT is indexed by a 9-bit index function, using eight bits derived from global history, and a single bit of the PC which is not combined with any other bits. This same bit is also used (without being combined) for the base predictor.

    • Observation 7. We found that 13 lower bits of the branch address (PC[12:0]) are used to index to the base predictor.

Defense: Cache

Defense: Cache: 2024

Defense: Cache: 2023

Defense: Cache: 2022

Defense: Cache: 2021

Defense: Cache: 2020

Defense: Cache: 2019

Defense: Cache: 2018

Defense: Cache: 2017

Defense: Cache: 2016

Defense: Cache: 2013

Defense: DRAM

Defense: Floating Point Unit (FPU)

Defense: Hardware Design & Verification

Defense: Hardware Design & Verification: 2024

Defense: Hardware Design & Verification: 2023

Defense: Hardware Design & Verification: 2022

Defense: Power

  • PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance
    • IEEE International Symposium on Hardware Oriented Security and Trust (HOST) 2020
    • Muhammad Arsath K F, Vinod Ganesan, Rahul Bodduna, Chester Rebeiro
    • https://arxiv.org/abs/1911.08813

Defense: SMT

Defense: Software

Defense: Software: 2024

  • Switchpoline: A Software Mitigation for Spectre-BTB and Spectre-BHB on ARMv8

Defense: Software: 2023

Defense: Software: 2022

Defense: Software: Compilation and Programming Languages

Defense: Software: Compilation and Programming Languages: 2024

Defense: Software: Compilation and Programming Languages: 2023

Defense: Software: Compilation and Programming Languages: 2022

Defense: Speculation

Defense: Speculation: 2024

Defence: Speculation: 2023

  • HIDFIX: Efficient Mitigation of Cache-based Spectre Attacks through Hidden Rollbacks
  • Okapi: Efficiently Safeguarding Speculative Data Accesses in Sandboxed Environments
    • arXiv 2023
    • Philipp Schmitz, Tobias Jauch, Alex Wezel, Mohammad R. Fadiheh, Thore Tiemann, Jonah Heller, Thomas Eisenbarth, Dominik Stoffel, Wolfgang Kunz
    • https://arxiv.org/abs/2312.08156
  • SafeBet: Secure, Simple, and Fast Speculative Execution
  • SpecTerminator: Blocking speculative side channels based on instruction classes on RISC-V

Defense: Speculation: 2022

Defense: Speculation: 2021

Defense: Speculation: 2020

Defense: Speculation: 2019

Defense: Speculation: 2018

Defense: TLB


Arithmetic Logic Unit (ALU)


Branch Predictor

Branch Predictor: 2024

Branch Predictor: 2023

Branch Predictor: 2022


Cache

Cache: 2025

Cache: 2024

Cache: 2023

Cache: 2022

Cache: 2021

Cache: 2020

Cache: 2019

  • Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World
    • IEEE Symposium on Security and Privacy (SP) 2019
    • Mengjia Yan, Read Sprabery, Bhargava Gopireddy, Christopher Fletcher, Roy Campbell, Josep Torrellas
    • http://iacoma.cs.uiuc.edu/iacoma-papers/ssp19.pdf
    • http://iacoma.cs.uiuc.edu/iacoma-papers/PRES/present_ssp19.pdf
    • http://iacoma.cs.uiuc.edu/iacoma-papers/PRES/present_HASP18.pptx
      • "We design the first cross-core Prime+Probe attack on non-inclusive caches."
      • "Using our Eviction Sets, we reverse engineer the directory structure in Skylake-X, and identify vulnerabilities in directory design that can be leveraged by cache-based side channel attacks."
      • "Based on our EV construction results, we are able to reverse engineer part of the slice hash function in the Intel Skylake-X processor. Our goal here is to show that the slice hash function is not a simple XOR operation of selected physical address bits. This design is significantly different from the one in previous Intel processors such as SandyBridge and IvyBridge. Considering that all of the previous works on reverse-engineering slice hash functions, rely on the use of a simple XOR hash function, our results identify the need for more advanced reverse-engineering approaches."
  • Cache-based Side Channels: Modern Attacks and Defenses
  • The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
    • IEEE Symposium on Security & Privacy 2019
    • Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, Yuval Yarom
    • vhttps://eprint.iacr.org/2018/1173
    • https://eyalro.net/project/cat.html
  • Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries

Cache: 2018

Cache: 2017

Cache: 2016

Cache: 2015

Cache: 2007-2014

Cache: Data-Direct I/O (DDIO)


DRAM

DRAM: 2023

DRAM: 2014-2020


Electromagnetic (EM) Emanations

Electromagnetic (EM) Emanations: 2025

Electromagnetic (EM) Emanations: 2021

Electromagnetic (EM) Emanations: 2002-2020


Floating Point Unit (FPU)


FPGA

FPGA remote attacks

(through (partial) access on configuration/bitstream)

FPGA local attacks

(with physical access or within close proximity)

FPGA attacks countermeasures


Frontend


GPU

GPU: 2024

GPU: 2023

GPU: 2021

GPU: 2019

  • Exploiting Bank Conflict-based Side-channel Timing Leakage of GPUs
  • GPUGuard: Mitigating Contention Based Side and Covert Channel Attacks on GPUs
  • Side Channel Attacks on GPUs

GPU: 2018

GPU: 2017

GPU: 2016

GPU: 2014


Interconnect

Interconnect: 2022

Interconnect: 2021


Interrupts


Keyboard


Magnetic


Memory Bus


Memory Management Unit (MMU)

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html - https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/processor-mmio-stale-data-vulnerabilities.html - Device Register Partial Write (DRPW) (CVE-2022-21166) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166 - Shared Buffers Data Read (SBDR) (CVE-2022-21123) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123 - Shared Buffers Data Sampling (SBDS) (CVE-2022-21125) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125 - Update to Special Register Data Sampling (SRBDS update) (CVE-2022-21127) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21127


Memory Order Buffer (MOB)


Micro-Op Cache

  • I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches
    • IEEE International Symposium on Computer Architecture (ISCA) 2021
    • Xida Ren, Logan Moody, Mohammadkazem Taram, Matthew Jordan, Dean M. Tullsen, Ashish Venkat
    • https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf
    • "Modern Intel, AMD, and ARM processors translate complex instructions into simpler internal micro-ops that are then cached in a dedicated on-chip structure called the micro-op cache. This work presents an in-depth characterization study of the micro-op cache, reverse-engineering many undocumented features, and further describes attacks that exploit the micro-op cache as a timing channel to transmit secret information. In particular, this paper describes three attacks – (1) a same thread cross-domain attack that leaks secrets across the user-kernel boundary, (2) a cross-SMT thread attack that transmits secrets across two SMT threads via the micro-op cache, and (3) transient execution attacks that have the ability to leak an unauthorized secret accessed along a misspeculated path, even before the transient instruction is dispatched to execution, breaking several existing invisible speculation and fencing-based solutions that mitigate Spectre."
  • UC-Check: Characterizing Micro-operation Caches in x86 Processors and Implications in Security and Performance

Non-Volatile Memory (NVM)


Power

Power: 2024

Power: 2023

Power: 2022

Power: 2021

Power: 2020

  • PLATYPUS: Software-based Power Side-Channel Attacks on x86
    • 2020; IEEE Symposium on Security & Privacy (S&P) 2021
    • Moritz Lipp, Andreas Kogler, David Oswald, Michael Schwarz, Catherine Easdon, Claudio Canella, Daniel Gruss
    • https://platypusattack.com/

Power: 2019

Power: 2016-2018


Prefetch

Prefetch: 2023

Prefetch: 2022


Pseudo-Random Number Generator (PRNG)


Reorder Buffer (ROB)


Return Stack Buffer (RSB)


Scheduler

Scheduler: 2024

  • Remote Scheduler Contention Attacks

Scheduler: 2023


SMT

SMT: 2024

SMT: 2022

SMT: 2020

  • ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures

SMT: 2019

SMT: 2005-2018


Solid-State Drive (SSD)

  • Secret Spilling Drive: Leaking User Behavior through SSD Contention

Speculation

Transient execution attacks
Classification tree - http://transient.fail/
Proof-of-Concept Repository - https://github.com/IAIK/transientfail/

Refined Speculative Execution Terminology
https://software.intel.com/security-software-guidance/insights/refined-speculative-execution-terminology

Speculation: 2025

Speculation: 2024

Speculation: 2023

Speculation: 2022

Speculation: 2021

Speculation: 2020


Store Buffer

  • Fallout: Reading Kernel Writes From User Space
    • 2019 arXiv
    • Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Frank Piessens, Berk Sunar, Yuval Yarom
    • https://arxiv.org/abs/1905.12701
    • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) - Fallout

Superscalar


Thermal


Translation Lookaside Buffer (TLB)


Trusted Execution Environments (TEEs)

AMD Secure Encrypted Virtualization (SEV)

Arm TrustZone

Intel SGX

Intel SGX: Defense

RISC-V Physical Memory Protection (PMP)


TSX


Talks

Talks: 2022

Talks: 2021

Talks: 2020

Talks: 2019

Talks: 2018

Talks: 2017

Talks: 2016

Talks: 2015

Talks: 2014

Talks: 2009