Survey of Microarchitectural Side and Covert Channels, Attacks, and Defenses

Journal of Hardware and Systems Security

Abstract

Over the last two decades, side and covert channel research has shown a variety of ways of exfiltrating information from a computer system. Processor microarchitectural timing-based side and covert channel attacks have emerged as some of the most clever attacks, and ones which are difficult to deal with without impacting system performance. Unlike electromagnetic or power-based channels, microarchitectural timing-based side and covert channels do not require physical proximity to the target device. Instead, only malicious or cooperating spy applications need to be co-located on the same machine as the victim. In some attacks even co-location is not needed: timing of the execution of the victim application alone, as measured by a remote attacker, can lead to information leaks. This survey extracts the key features of the processor’s microarchitectural functional units which make the channels possible, presents an analysis and categorization of the variety of microarchitectural side and covert channels others have presented in the literature, and surveys existing defense proposals. With the advent of cloud computing and the ability to launch microarchitectural side and covert channels even across virtual machines, an understanding of these channels is critical for cybersecurity.

Acknowledgments

The author would like to thank Bryan Ford and Dmitry Evtyushkin for suggesting recent work to add to this survey. The author would also like to thank the anonymous reviewers for their feedback and comments.

Funding

This work has been supported in part by grants 1651945, 1716541, and 1524680 from the United States’ National Science Foundation. This work has further been supported in part through a grant by Semiconductor Research Corporation (SRC).

Author information

Corresponding author

Correspondence to Jakub Szefer.

About this article

Cite this article

Szefer, J. Survey of Microarchitectural Side and Covert Channels, Attacks, and Defenses. J Hardw Syst Secur 3, 219–234 (2019). https://doi.org/10.1007/s41635-018-0046-1

  • DOI: https://doi.org/10.1007/s41635-018-0046-1
