Do Not Trust Power Management: A Survey on Internal Energy-based Attacks Circumventing Trusted Execution Environments Security Properties (2405.15537v3)
Abstract: Over the past few years, several research groups have introduced innovative hardware designs for Trusted Execution Environments (TEEs), aiming to secure applications against potentially compromised privileged software, including the kernel. Since 2015, a new class of software-enabled hardware attacks that leverage energy management mechanisms has emerged. These internal energy-based attacks comprise fault, side-channel, and covert-channel attacks. Their aim is to bypass TEE security guarantees and expose sensitive information such as cryptographic keys, and they have grown more prevalent in the past few years. Popular TEE implementations, such as ARM TrustZone and Intel SGX, incorporate countermeasures against these attacks. However, these countermeasures either hinder the capabilities of the power management mechanisms or have been shown to provide insufficient system protection. This article presents the first comprehensive knowledge survey of these attacks, along with an evaluation of the countermeasures proposed in the literature. We believe that this study will spur further community efforts towards this increasingly important type of attack.
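To make concrete why a single software-induced fault inside an enclave is enough to expose a key, here is an added worked example that is not part of the survey: the classic Bellcore/Lenstra fault attack on RSA-CRT signing, the key-recovery technique that Plundervolt applied to an SGX enclave, simulated in Python with a toy key. The key (two Mersenne primes), the sample message, the injected bit flip and the `safe_sign` verify-before-release check are all constructed for illustration and stand in for an undervolting fault landing in one CRT half-exponentiation.

```python
from math import gcd

# Constructed toy RSA key for illustration only: two Mersenne primes, far too
# small for real use but large enough that the arithmetic is not trivial.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python >= 3.8)

# CRT parameters, as a real implementation would precompute them
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)

# Constructed sample message, already reduced to an integer < N
MSG = int.from_bytes(b"constructed sample", "big")


def crt_sign(m: int, fault_mask: int = 0) -> int:
    """RSA-CRT signature of m.

    fault_mask is XORed into the mod-Q half-exponentiation to model a single
    transient fault, e.g. one induced by undervolting during that computation.
    With fault_mask == 0 this is an ordinary, correct CRT signature.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q) ^ fault_mask
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def lenstra_recover(m: int, sig: int) -> int:
    """Bellcore/Lenstra key recovery from one faulty signature.

    A fault confined to the mod-Q branch leaves sig^E == m (mod P) but
    sig^E != m (mod Q), so gcd(sig^E - m, N) is exactly the factor P.
    For a correct signature the gcd is N itself: nothing leaks.
    """
    return gcd(pow(sig, E, N) - m, N)


def safe_sign(m: int, fault_mask: int = 0) -> int:
    """Verify-before-release: recompute the public operation and refuse to
    output a signature that does not verify, so a faulty value never leaves
    the signing routine."""
    s = crt_sign(m, fault_mask)
    if pow(s, E, N) != m % N:
        raise ValueError("fault detected: signature withheld")
    return s


if __name__ == "__main__":
    good = crt_sign(MSG)
    bad = crt_sign(MSG, fault_mask=1 << 5)   # one flipped bit in the mod-Q half
    print("correct signature verifies  :", pow(good, E, N) == MSG)
    print("gcd on correct signature     :", lenstra_recover(MSG, good) == N)
    print("factor recovered from fault  :", lenstra_recover(MSG, bad) == P)
    try:
        safe_sign(MSG, fault_mask=1 << 5)
    except ValueError as err:
        print("hardened signer:", err)
```

The attacker needs only the message, the public key and one faulty signature; no access to enclave memory is required, which is exactly why the hardware isolation a TEE provides does not help against this attack class. The `safe_sign` check is the usual software-level mitigation for this specific leak, but it only prevents the faulty value from leaving the enclave: the comparison itself runs under the same attacker-controlled voltage and frequency, so a sufficiently precise second fault can skip it, which is one reason the abstract characterises existing countermeasures as either costly for power management or insufficient.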
Authors: Maria Méndez Real, Guillaume Bouffard, Jean-Christophe Prévotet, Gwenn Le Gonidec