Design And Implementation Of Automatic Mining System For Processor Side Channel Attack Based On PMU

Posted on: 2024-02-05, Degree: Master, Type: Thesis
Country: China, Candidate: Q Gao, Full Text: PDF
GTID: 2568306941995599, Subject: Computer technology
Abstract/Summary:
Side channel attacks (SCA) are widely used to recover the keys of encryption algorithms. In recent years, transient execution vulnerabilities combined with cache side channel attacks have caused serious damage to processor security, further expanding the reach of side-channel attacks. Most previous studies used coarse-grained timing information to construct side-channel attacks manually, ignoring the ability of the Performance Monitoring Unit (PMU) to provide a variety of architecture-level and microarchitecture-level hardware interaction information. In addition to recording the microarchitecture behavior triggered by normally committed instructions, this paper found that the PMU also has some ability to record the behavior triggered by transient instructions. Therefore, this paper conducts research on side channel attacks based on the PMU. The main innovations and achievements are as follows:

(1) For the attack scenarios of cache side channels and transient side channels, an automatic mining system for processor side channel attacks based on the PMU is designed. The system automatically conducts black-box mining tests on processors and successfully mines monitoring events that can record cache behavior and microarchitecture behavior during transient execution. These events are developed into two new side-channel attacks: the PMULeaker cache side-channel attack and the PMUSpill transient side-channel attack.

(2) The PMULeaker cache side-channel attack uses the PMU to monitor the cache hits and misses triggered by data loading instructions, in order to infer the private data that a victim process running in Intel Software Guard Extensions (SGX) inadvertently leaks into the cache. The PMULeaker attack successfully recovered the key of the AES encryption algorithm running in SGX and, combined with the Spectre attack, successfully leaked private data stored in SGX.

(3) The PMUSpill transient side-channel attack constructs a code segment that associates the behavior of the microarchitecture during transient execution with private data, and infers the private data by using the PMU to monitor that microarchitecture behavior during transient execution. Combined with the Foreshadow vulnerability, PMUSpill successfully leaked private data protected in SGX, verifying the effectiveness of the attack.
Keywords/Search Tags: side channel attack, transient execution vulnerability, performance monitoring unit, hardware security