这篇博客本来只是随手记录的一些笔记，但貌似由于过于biased而产生了不好的影响。再加上距上次更新也有大半年过去了，我的认知又丰富了一点 ;) 所以打算重新整理一下。

声明：我的研究方向主要在x86上的side-channels attacks & architectural attacks，如果对其他方向 (ARM/Rowhammer/GPU/ML-Based/…)，其他会议/期刊(非四大安全会/期刊/体系结构会议如MICRO/ISCA/HPCA/…) 的papers有忽略，欢迎提醒/指正/补充。Just drop me a mail (ruiyi.zhang [AT] cispa.de) or open an issue. 感谢.

只是入门的话，并不需要看完每一篇paper，只需要对某一方向有大致的了解就可以了。

Opinions (and lack of them) are my own :)

微架构安全有哪些研究方向：

处理器(CPU):

按时间线分类

侧信道(side channels) -> 瞬态执行攻击(Transient Execution Attacks) -> 架构安全(Architectural Security)

按victim分类

可信执行环境(Trusted Execution Environment - TEE), 加密算法(Cryptography)

按attacker分类

TEE (Attacker可以是privileged的hypervisor) <- side channels / transient execution attacks 需要普通用户的执行权限 -> Microarchitectural Attacks from browser (需要的权限最少)

防御

侧信道:

侧信道泄露metadata而不是直接泄露data，例如侧信道可以让攻击者知道内存里的某个地址是否刚刚被access了，而不能直接知道这个地址里的值具体是多少。

[15 S&P] Prime+Probe: Last-Level Cache Side-Channel Attacks are Practical

[16 DIMVA] Flush+Flush: A Fast and Stealthy Cache Attack

[21 CCS] Prime+Scope: Overcoming the Observer Effect for High-Precision Cache Contention Attacks

[22 S&P] Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks

[22 USENIX] HyperDegrade: From GHz to MHz Effective CPU Frequencies

Frontend

[21 ISCA] I See Dead μops: Leaking Secrets via Intel/AMD Micro-Op Caches

跟某一指令相关的

TSX

[17 USENIX] Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX

Software Prefetcher

[22 USENIX] AMD Prefetch Attacks through Power and Time

UMWAIT

[23 USENIX] (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels

跟其他结构相关的

Directory

[19 S&P] Attack Directories, Not Caches:Side-Channel Attacks in a Non-Inclusive World

Ring

[21 USENIX] Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

TLB

[22 USENIX] Binoculars: Contention-Based Side-Channel Attacks Exploiting the Page Walker

[22 USENIX] TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering

ROB

[22 USENIX] SecSMT: Securing SMT Processors against Contention-Based Covert Channels

Mesh

[22 USENIX] Don’t Mesh Around: Side-Channel Attacks and Mitigations on Mesh Interconnects

Prefetcher

[23 USENIX] BunnyHop: Exploiting the Instruction Prefetcher

Execution Port

[22 ESORICS] CPU Port Contention Without SMT

Transient Execution Attacks:

侧信道作为TEA的building block，直接leak data

[19 S&P] Meltdown: Reading Kernel Memory from User Space

[18 USENIX] Spectre Attacks: Exploiting Speculative Execution

Microarchitectural Data Sampling (MDS)

跟Meltdown / Spectre 相比，MDS Attacks leak的是in-flight data (就是这个data正在被其他user/hyperthreading使用，存在某一个element里，如line-fill buffer / load buffer / store buffer…)

[18 USENIX] FORESHADOW: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution

[19 S&P] RIDL: Rogue In-Flight Data Load

[19 CCS] Fallout: Leaking Data on Meltdown-resistant CPUs

[19 CCS] ZombieLoad: Cross-Privilege-Boundary Data Sampling

[19 USENIX] A Systematic Evaluation of Transient Execution Attacks and Defenses

[20 S&P] LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection 他们的预告片很有趣

[21 USENIX] Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

GDS

[23 USENIX] Downfall: Exploiting Speculative Data Gathering

RFDS RFDS-Intel

More Spectre..

Varients请查transient.fall

绕过Spectre Mitigation

[20 CCS] Speculative Probing: Hacking Blind in the Spectre Era

[21 CCS] Exorcising Spectres with Secure Compilers

[22 USENIX] Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks

[22 USENIX] Retbleed: Arbitrary Speculative Code Execution with Return Instructions

[23 USENIX] Breaking and Fixing Speculative Load Hardening

[23 USENIX] Inception: Exposing New Attack Surfaces with Training in Transient Execution

[24 USENIX] GhostRace: Exploiting and Mitigating Speculative Race Conditions

找Spectre Gadgets

[21 NDSS] SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets

[22 NDSS] Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel

[24 USENIX] InSpectre Gadget: Inspecting the Residual Attack Surface of Cross-privilege Spectre v2

Architectual Vulnerability:

芯片厂商把这些内部发现的bugs叫做Errata

[22 USENIX] ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture

Zenbleed & Reptar by GPZ的Tavis Ormandy

[24 USENIX] CacheWarp: Software-based Fault Injection using Selective State Reset

Fault Attacks

[19 CCS / 20 Asian HOST] VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies

[20 S&P] Plundervolt: Software-based Fault Injection Attacks against Intel SGX

[20 USENIX] V0LTpwn: Attacking x86 Processor Integrity from Software

可信执行环境(TEE)

TEE是芯片厂商设计的一种安全功能。与加密算法一样，是Side Channels常见的攻击对象。此外，TEE的threadt model允许attacker具有priviledge权限，所以有一些新的攻击面。

这里不推荐paper了。

对于Intel SGX，推荐阅读SGX-STEP作者Dr. Jo Van Bulck的PhD Thesis - Microarchitectural Side-Channel Attacks for Privileged Software Adversaries

对于AMD SEV，推荐阅读Dr. Mengyuan Li的PhD Thesis - Understanding and Exploiting Design Flaws of AMD Secure Encrypted Virtualization

我对ARM TEE并不熟悉，但SUSTech 张锋巍老师的组好像有不少相关工作

加密算法

To mitigate side-channels attacks, many cryptographic libraries have to implement a constant-time version.

[23 CCS] A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries

[24 USENIX] GoFetch: Breaking Constant-Time Cryptographic Implementations Using Data Memory-Dependent Prefetchers

防御

[20 NDSS] ConTExT: A Generic Approach for Mitigating Spectre

[21 USENIX]ScatterCache: Thwarting Cache Attacks via Cache Set Randomization

还有一些用PMC/Power Consumption来检测攻击的paper

Formal Methods

Prof. JAN REINEKE 和 Prof. Marco Guarnieri做了不少这个方向的工作。

[20 S&P] SPECTECTOR: Principled Detection of Speculative Information Flows

[21 S&P] Hardware-Software Contracts for Secure Speculation

[22 CCS] Automatic Detection of Speculative Execution Combinations

[23 S&P] Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing

[23 CCS] Specification and Verification of Side-channel Security for Open-source Processors via Leakage Contracts

Attack from browser

[19 NDSS] JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits

[18 NDSS] JavaScript Zero: Real JavaScript and Zero Side-Channel Attacks

[17 ESORICS] Practical Keystroke Timing Attacks in Sandboxed JavaScript

[17 FC] Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript

[16 DIMVA] Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

[15 ESORICS] Practical Memory Deduplication Attacks in Sandboxed Javascript

内存(DRAM):

侧信道

[16 USENIX] DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

Rowhammer

不是很熟，看过一些，没复现过。

[14 ISCA] Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

[16 CCS] Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

[16 USENIX] Flip Feng Shui: Hammering a Needle in the Software Stack

[18 S&P] Another Flip in the Wall of Rowhammer Defenses

19 RowHammer: A Retrospective

[20 S&P] TRRespass: Exploiting the Many Sides of Target Row Refresh

[21 USENIX] SMASH: Synchronized Many-sided Rowhammer Attacks From JavaScript

[22 S&P] BLACKSMITH: Scalable Rowhammering in the Frequency Domain

[24 USENIX] ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms

图形处理器(GPU):

感觉GPU上目前主要还是侧信道攻击，但我对这个方向不太了解

OLD VERSION

在过去十年间，越来越多的测信道(side channel)攻击被研究人员发现。在2017年Meltdown和Spectre的出现之后，Microarchitecture安全这一领域在工业界和学术界都受到了更广泛的关注。新的防御措施和攻击变种交替更迭，硬件上频频更新的优化策略又会带来哪些安全问题？只要各家芯片厂商的官方文档一天不完全公开 (Intel Manual虽有5000+页但还是冰山一角)，只要researcher还得将CPU们当作一个个“可信”的黑盒，那这个领域就还有很多安全问题值得探究 :)

在选”Software-based Microarchitecture Attacks”作为PhD的研究方向之后，我花了很长时间才真正入门(读Manual，读各个小方向的paper，复现，and 被老板和同事们带xD)。这一方面是因为这些过于底层的细节确实晦涩，二是中文互联网上有用的信息较少。本文打算尽可能简短地(我很懒)概括我读过的一些paper，做一点小小的贡献。

PS: 以防各位天才们通过side channel分析出我/我们组正在under review / TODO 的ideas，相关的paper可能会被跳过。

[14 USENIX] FLUSH+RELOAD: a High Resolution, Low Noise, L3 Cache Side-Channel Attack

经典side channel，理解modern CPU的Cache Architecture的好机会。Attacker需要有跟victim的shared memory。Attacker用clflush指令flush一个cache line，等待，再timing一次这个address的memory access，通过这个时间差异(cache hit/miss)来判断victime有没有在waiting period access the cache line。

[15 S&P] Prime+Probe: Last-Level Cache Side-Channel Attacks are Practical

跟F+R相比，P+P不需要shared memory，不需要clflush指令，用在cloud env里更方便。相反它需要提前构建一个eviction set，access其中的所有address来把目标cacheline“挤”出去。但构建eviction set，需要理解如何计算phys addr => cache index & cache slice。

[16 DIMVA] Flush+Flush: A Fast and Stealthy Cache Attack

Target在或不在cache中，对flush的timing也有影响。有一点像F+R的替代版，但更stealthy。

[15 USENIX] Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches

教你如何将上述三种side channels用于实践。去复现。

[16 USENIX] DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks

不仅cache有hit/miss，DRAM的shared across processors的row buffer也有hit/miss。本文presents了一个很快的covert channel，还给了一个逆向dram arch的工具。读完还能理解下rowhammer。【去读。(1) Open Source! (2) 我乐于找机会给老板涨citation】

[17 USENIX] Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX

相比于P+P，P+A依赖于Intel的TSX，可以理解成blockchain里的transaction。当victim event发生后，transaction abort，不然就commit。这样可以不依赖timer。但TSX这个功能因为安全性问题太多已经被Intel弃用。

[19 S&P] Meltdown: Reading Kernel Memory from User Space

Meltdown & Spectre之前大家对于side channel还只是停留在break cryptography，transient execution attacks之后开启了一个新研究纪元。因CPU的out-of-order execution特性，指令会被乱序执行，依序retired(commit, visible)。当访问inaccessible的memory时，CPU需要去检查权限(读页表等等)。这一步骤对于CPU来说很慢，所以CPU会假设它能够读到这个value，并以此接着执行，当权限结果返回时(报错)，所有状态回滚，user没法architecturally看见不可访问的数据(registers/memory…)，但这个traces会留在microarchitecture(e.g., cache)里。 Attacker可以用side channel作为building block将这个值泄漏出来。作者们把这类攻击叫做transient execution attack。【去读。(1) nb! (2) 我乐于找机会给老板涨citation】

[18 USENIX] Spectre Attacks: Exploiting Speculative Execution

相比于out-of-order execution, Spectre attack speculative execution。例如当CPU遇到in/direct branch，确定判断条件这个步骤很慢，CPU需要预测一个branch来执行(根据一些microarchitectural elements)。所以Spectre需要找到特定的gadget, 在错误预测分支后，leak secret，revert，再用side channel 读出secret。【去读。(1) nb! (2) 我乐于找机会给老板涨citation】

[19 USENIX] A Systematic Evaluation of Transient Execution Attacks and Defenses

标题总结完了。各种variants和defenses。有个mind map https://transient.fail/ 【去读/复现。(1) open source! (2) 我乐于找机会给老板涨citation】

MDS的众多paper暂且跳过(懒)。可查 https://mdsattacks.com/

[19 S&P] Attack Directories, Not Caches:Side-Channel Attacks in a Non-Inclusive World

Intel的server CPU还有AMD的CPU一般用的是non-inclusive L3 cache，这样有些cache attacks没有办法简单地port过来。作者逆向了一个directory的结构，成功在non-inclusive caches实现了cache attacks。 Solid work.

[21 USENIX] Osiris: Automated Discovery of Microarchitectural Side Channels

找新的side channel是个枯燥的工作，一般需要researcher读很多手册，做实验测试，很麻烦。Osiris是一个fuzzing-based的框架，自动地找x86 instruction里的timing side channel。【去读/复现。(1) 很好复现!really good work！ (2) 都xx鸽们.jpg】

[21 CCS] Prime+Scope: Overcoming the Observer Effect for High-Precision Cache Contention Attacks

P+P每次都得access一长串addrs怎么办？P+S可以把它简化到每次reset只需要access一个地址。作者还开源了一个工具来自动寻找这样的prime pattern (for P+P & P+S)。结果。 Novel work!

[21 USENIX] Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

L3 cache 是multi-processors共享的，可以把它们看成一个环。作者present了一种由ring之间contention引起的timing-based side channel。

[22 USENIX]Don’t Mesh Around: Side-Channel Attacks and Mitigations on Mesh Interconnects

Contention-based attacks on the on-chip mesh interconnect used in server-class Intel processors.

[22 S&P] Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks

Prefetch instructions 也可以用来做side channel attacks。文中还分析了各种prefetch指令与cache coherence state之间的关系。

[22 USENIX] AMD Prefetch Attacks through Power and Time

Prefetch instructions 可以用来infer TLB state，Timing和Power上都有差距。

[22 USENIX] Rapid Prototyping for Microarchitectural Attacks

一个很好的框架/库来实施各种各样的microarchitectural attacks。