Cite this article
  • Yang Yi, Wu Pingfei, Qiu Pengfei, Wang Chunlu, Zhao Lutan, Zhang Fengwei, Wang Bo, Lyu Yongqiang, Wang Haixia, Wang Dongsheng. Covert Channel of Branch Predictor on Arm Processor[J]. Journal of Cyber Security, Accepted

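Research on Branch Predictor Covert Channels on the Arm Architecture
Yang Yi1, Wu Pingfei2, Qiu Pengfei1, Wang Chunlu1, Zhao Lutan3, Zhang Fengwei4, Wang Bo5, Lyu Yongqiang6, Wang Haixia6, Wang Dongsheng2
(1. Ministry of Education Key Laboratory of Trustworthy Distributed Computing and Service, Beijing University of Posts and Telecommunications; 2. Department of Computer Science and Technology, Tsinghua University; 3. Institute of Information Engineering, Chinese Academy of Sciences; 4. Department of Computer Science and Engineering, Southern University of Science and Technology; 5. Phytium Technology Co. Ltd.; 6. Beijing National Research Center for Information Science and Technology, Tsinghua University)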
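Abstract (translated from the Chinese):
A covert channel is an attack technique that passes information between processes without violating the computer's current security policy. Two processes take part in building a covert channel: a trojan process and a spy process. The high-privilege trojan process passes information to the low-privilege spy process through the covert channel to complete the attack. Covert channels can use many kinds of transmission media, such as time, power consumption and temperature. In modern processors, the branch predictor is an important microarchitectural component that effectively improves pipeline efficiency, but because it is shared among multiple processes on the same core, it is at risk of being used to build covert channels. Branch-predictor-based covert channel attacks have already been found on the Intel x86 architecture, but whether similar attacks exist on the Arm architecture has not been sufficiently studied. In this paper, we successfully build three branch-predictor-based covert channels on real Arm hardware platforms. First, we design and implement on the Arm architecture the branch-predictor-based covert channels CC and RSC, similar to those on the x86 architecture; second, we discover a new covert channel, BTBC, based on the branch prediction component BTB. We evaluate and analyze how the covert channel parameters affect channel performance and why, and give recommendations for parameter settings. On two cores, Cortex-A53 and Cortex-A72, we test and compare the signal characteristics, transmission rate and error rate of the three covert channels. The experiments show that on real Arm hardware platforms the BTBC transmission signal has clear edges and small oscillation amplitude. When transmitting data continuously, it shows channel performance close to that of CC and RSC, and it can transmit data at a low error rate on both cores: at a transmission rate of 200bps, the error rate is only 2%. Finally, we also give defensive measures against this class of covert channel.
Keywords:  Arm architecture  branch predictor  covert channel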
DOI:
Submitted: 2023-02-07  Revised: 2023-04-27
Funding:
Covert Channel of Branch Predictor on Arm Processor
Yang Yi1, Wu Pingfei2, Qiu Pengfei1, Wang Chunlu1, Zhao Lutan3, Zhang Fengwei4, Wang Bo5, Lyu Yongqiang6, Wang Haixia6, Wang Dongsheng2
(1.Ministry of Education Key Laboratory of Trustworthy Distributed Computing and Service, Beijing University of Posts and Telecommunications;2.Department of Computer Science and Technology, Tsinghua University;3.Institute of Information Engineering, Chinese Academy of Sciences;4.Department of Computer Science and Engineering, Southern University of Science and Technology;5.Phytium Technology Co. Ltd.;6.Beijing National Research Center for Information Science and Technology, Tsinghua University)
Abstract:
A covert channel is an attack that transmits information between processes in a way that is not allowed under the current security policy. Two processes are involved in constructing a covert channel: the trojan and the spy. The high-privilege trojan process transmits information to the low-privilege spy process through the covert channel to complete the attack. There are many types of transmission media for covert channels, such as time, power consumption and temperature. In modern processors, the branch predictor is an important microarchitectural component that effectively improves pipeline efficiency. However, because the branch predictor is shared among multiple processes on a single core, it can potentially be used to construct covert channels. Covert channel attacks based on branch predictors have already been found on the Intel x86 architecture, but whether similar attacks exist on the Arm architecture has not been fully studied. In this paper, we successfully build three branch-predictor-based covert channels on real Arm hardware platforms. First, we design and implement on the Arm architecture the branch-predictor-based covert channels CC and RSC, similar to those on the x86 architecture. Second, we discover a new covert channel, BTBC, based on the branch prediction component BTB. We evaluate and analyze the impact of covert channel parameters on channel performance and its causes, and give recommendations for parameter settings. On two cores, Cortex-A53 and Cortex-A72, we test and compare the signal characteristics, transmission rate and SER of the three covert channels. The results show that the transmission signal of BTBC has clear edges and small oscillation amplitude. BTBC has channel performance similar to that of CC and RSC on real Arm hardware platforms, and can transmit data with a low SER on both cores. When the transmission capacity is 200bps, the SER is only 2%. Finally, we also give defense measures against such covert channels.
Key words:  Arm architecture  branch predictor  covert channel