Survey on Software Side-channel Attacks in Trusted Execution Environment
Authors:

Author biographies:

YANG Fan (1998-), male, master's student; main research interests: embedded operating system security, side-channel attacks.
ZHANG Qianying (1986-), female, PhD, associate professor, CCF professional member; main research interests: operating system security, formal verification.
SHI Zhiping (1974-), male, PhD, professor, doctoral supervisor, CCF senior member; main research interests: formal verification, visual information processing.
GUAN Yong (1966-), male, PhD, professor, doctoral supervisor, CCF professional member; main research interests: highly reliable embedded systems, formal verification.

Corresponding author:

ZHANG Qianying, E-mail: qyzhang@cnu.edu.cn

Funding:

National Natural Science Foundation of China (61802375, 61602325, 61876111, 61877040); General Program of the Science and Technology Plan of the Beijing Municipal Education Commission (KM201910028005); Open Project of the State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Sciences (CARCH201920); Academy for Multidisciplinary Studies Project (19530012005)


Abstract:

To protect the execution environment of security-sensitive programs on computing devices, researchers have proposed trusted execution environment (TEE) technology, which uses hardware and software isolation to give security-sensitive programs a secure execution environment separated from the general-purpose computing environment. Side-channel attacks have evolved from traditional attacks that required expensive equipment to software-only attacks that observe microarchitectural state to obtain the access pattern of confidential information and then infer the secret from it. The TEE architecture only provides an isolation mechanism and cannot resist this emerging class of software side-channel attacks. This study thoroughly investigates the software side-channel attacks and corresponding defense mechanisms of three TEE architectures, ARM TrustZone, Intel SGX, and AMD SEV, and discusses the development trends of both attacks and defenses. First, it introduces the basic principles of ARM TrustZone, Intel SGX, and AMD SEV, and then elaborates on the definition of software side-channel attacks and the classification, methods, and steps of cache side-channel attacks. Second, from the perspective of processor instruction execution, a TEE attack surface classification method is proposed and used to classify TEE software side-channel attacks, and combined attacks that pair software side-channel attacks with other attacks are explained. Third, the threat model of TEE software side-channel attacks is discussed in detail. Finally, the defense mechanisms proposed in the field against TEE software side-channel attacks are comprehensively summarized, and future research trends for TEE software side-channel attacks are discussed from the two aspects of attack and defense.

Cite this article:

Yang F, Zhang QY, Shi ZP, Guan Y. Survey on software side-channel attacks in trusted execution environment. Ruan Jian Xue Bao/Journal of Software, 2023, 34(1): 381-403 (in Chinese with English abstract).
History
  • Received: 2021-03-07
  • Revised: 2021-05-31
  • Published online: 2021-10-20
  • Published: 2023-01-06
Copyright: Institute of Software, Chinese Academy of Sciences (Beijing ICP No. 05046678-3)