
    Survey of Transient Execution Attacks

    • Abstract (Chinese version, translated): Transient execution attacks exploit processor optimizations to bypass security checks and then transmit and steal sensitive information through covert channels. Among them, the Meltdown and Spectre attacks are especially well known, affecting mainstream commercial processors including those from Intel, ARM and AMD. Although processor manufacturers have adopted corresponding defensive measures, related attack variants continue to be discovered and disclosed by researchers. To deepen the understanding of transient execution attacks and implement effective defenses, this paper analyzes transient execution attacks under various covert channels. First, the common characteristics of transient execution attacks are distilled and a new transient execution attack model is systematically constructed. Second, the covert channels involved in existing research are summarized, and transient execution attacks are classified into three types: Meltdown-type attacks driven by out-of-order execution, Spectre-type attacks driven by branch misprediction, and data-sampling-type attacks driven by data misprediction; the key points of each type and the relationships between them are laid out. Among these, data-sampling-type attacks are systematically compiled and organized for the first time. Next, the capabilities of each attack variant are analyzed and evaluated along three dimensions: covert channel exploitation, applicable attack scenarios, and generality across microarchitectures. Finally, drawing on the above in-depth analysis and summary of processor microarchitecture and covert channels, future research directions for transient execution attacks are outlined, in the hope of providing strong support for subsequent research.


      Abstract: Transient execution attacks (TEAs) exploit processor optimizations to bypass security checks and exfiltrate sensitive information through covert channels. Among them, the Meltdown and Spectre attacks have become prominent, affecting mainstream commercial processors such as Intel, ARM, and AMD. Despite the defensive measures implemented by processor manufacturers, variants of these attacks continue to be discovered and disclosed by researchers. To improve the understanding of TEAs and deploy robust defenses, this paper comprehensively analyzes TEAs under various covert channels. Initially, the common characteristics of TEAs are extracted, and a novel model for TEAs is systematically constructed. Subsequently, we summarize the various types of covert channels involved in existing research, classify TEAs into three types: Meltdown-type attacks driven by out-of-order execution (OoOE), Spectre-type attacks driven by branch misprediction, and microarchitectural data sampling (MDS)-type attacks driven by data misprediction, and delineate the key aspects and relationships of each type of attack. Notably, this paper systematically compiles and categorizes MDS-type attacks for the first time. Then, the capabilities of each attack variant are meticulously analyzed and evaluated from three dimensions: covert channel, applicable attack scenarios, and microarchitecture immunity status, which aids security researchers in developing new, more destructive attack types based on the deficiencies of the existing attack-related research. Finally, combining the above comprehensive and in-depth analysis and summary of processor microarchitecture and covert channels, this paper anticipates the future trajectory of TEA research, hoping to provide strong support for subsequent research work.
