authorIru Cai <mytbk920423@gmail.com>2019-05-01 18:20:28 +0800
committerIru Cai <mytbk920423@gmail.com>2019-05-01 18:20:28 +0800
commit59ebb50b73ea4f32a7f4eaec327604b1ee68eb6e (patch)
tree50bb01c6412924beeba81b7d5d8129a63dd44a7f
parentc79b4d4861bfc2a83769094d83da6440d5a4babd (diff)
update
-rw-r--r--chap/chap2.tex19
-rw-r--r--chap/chap3.tex44
-rw-r--r--thesis.bib21
3 files changed, 76 insertions, 8 deletions
diff --git a/chap/chap2.tex b/chap/chap2.tex
index 7470ae6..ec9c53f 100644
--- a/chap/chap2.tex
+++ b/chap/chap2.tex
@@ -99,4 +99,23 @@ store 指令地址不同,并推测式执行这个 load 指令,将其地址
则处理器需要重新执行这个 load 和之后的指令。在推测式执行的过程中,瞬时
指令可以泄露这个地址中的旧值。
+\section{Meltdown 和 Spectre 的其他形式}
+
+在研究 Meltdown 和 Spectre 攻击的过程中,研究者还发现了一起其他的攻击
+形式,它们基于已有的 Meltdown 和 Spectre 攻击,使用不同的利用方式。
+
+\subsection{MeltdownPrime 和 SpectrePrime}
+
+MeltdownPrime 和 SpectrePrime \supercite{meltdownprime} 是一种使用
+Prime+Probe 方式进行 Meltdown 和 Spectre 攻击的形式。通过利用缓存一致
+性协议的缓存行失效机制,可以达到和 Flush+Reload 方式的同等精度。
+
+\subsection{NetSpectre}
+
+NetSpectre \supercite{netspectre} 是通过网络使用 Spectre 的攻击方法。
+
+\subsection{SgxPectre}
+
+\supercite{sgxpectre}
+
% vim:ts=4:sw=4
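Review bot: The new `\subsection{SgxPectre}` is a stub whose whole body is `\supercite{sgxpectre}`, so the compiled chapter shows a heading followed by a bare citation mark; give it at least one sentence describing the attack, or hold the heading back until the text exists. The NetSpectre paragraph is similarly thin: it says the attack works over the network but not what separates it from the local variants, which a reader needs in order to judge which defences in the next chapter apply. This commit adds only `meltdownprime` to thesis.bib, so confirm that the `netspectre` and `sgxpectre` keys are already defined there. In the section introduction, `一起其他的攻击形式` looks like a typo for `一些其他的攻击形式`.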
diff --git a/chap/chap3.tex b/chap/chap3.tex
index b0cd193..5859187 100644
--- a/chap/chap3.tex
+++ b/chap/chap3.tex
@@ -72,10 +72,50 @@ TLB 添加了影子结构,推测式执行的指令对缓存和 TLB 修改临
\subsubsection{Context-Sensitive Fencing}
-\supercite{context-sensitive-fencing}
+Context-Sensitive Fencing(CSF)\supercite{context-sensitive-fencing} 是
+一种微码级防御多种类型 Spectre 攻击的方法。它基于 Context-Sensitive
+Decoding (CSD)\supercite{context-sensitive-decoding},一种微码翻译机制
+的扩展,用于动态按需自定义微操作指令流。CSF 利用 CSD,在微指令流中注入
+fence 等微码,阻止不安全指令的推测式执行。为了降低 fence 的性能开销,
+CSF 还提出了3种新的用于防御 Spectre 的 fence.
+
+
+CSF 由以下几个关键部件组成:
+\begin{itemize}
+\item 微码自定义机制 CSD:使处理器精确地在指令流中插入 fence,减轻推测
+ 式执行中不期望的副作用
+\item 译码级信息流追踪(DLIFT)框架:用于检测潜在不安全的执行模式,触
+ 发微码自定义机制
+\item 错误训练防御:用于保护分支预测器、返回地址栈等部件
+\end{itemize}
+
+CSF 防御 Spectre 的开销在 8\% 以下。
\subsubsection{Conditional Speculation}
\supercite{conditional-speculation}
-% vim:ts=4:sw=4
+% \begin{comment}
+%
+% MI6: Secure Enclave in a Speculative Out-of-Order processor
+%
+% abs: 一个考虑了Spectre等攻击设计的enclave方案
+%
+%
+% Data Oblivious ISA(OISA)是一种 ISA 扩展,用于阻止信息通过侧信道泄露。
+% 设计原则:
+% \begin{itemize}
+% \item ISA的安全性和微架构无关
+% \item ISA不会阻止现代微处理器的优化技术
+% \end{itemize}
+%
+% OISA有以下组件:
+% \begin{itemize}
+% \item 动态跟踪敏感数据:使用DIFT跟踪程序运行时私密数据在处理器中的传
+% 播。所有数据都有 confidential/public 标记,标签在读取操作数时必须
+% 解析
+% \item 指令定义操作数可以接受 public 还是 public/confidential 数据
+% \end{itemize}
+% \end{comment}
+%
+% % vim:ts=4:sw=4
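Review bot: The sentence `CSF 防御 Spectre 的开销在 8\% 以下。` gives an overhead figure with no citation and no scope. Figures like this usually depend on the fence variant and the workloads measured, so attach `\supercite{context-sensitive-fencing}` to it and name the configuration the number refers to. The preceding paragraph ends with an ASCII full stop (`的 fence.`) where the surrounding text uses `。`. At the end of the hunk the notes are disabled by prefixing every line with `%`, which makes the `\begin{comment}`/`\end{comment}` pair redundant and turns the modeline into `% % vim:ts=4:sw=4`. Either leave the environment markers uncommented or drop them, and keep `% vim:ts=4:sw=4` as the file's last line.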
diff --git a/thesis.bib b/thesis.bib
index a12f58e..5aefd8e 100644
--- a/thesis.bib
+++ b/thesis.bib
@@ -34,13 +34,22 @@
year = {2019},
}
+@misc{meltdownprime,
+ title={MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols},
+ author={Caroline Trippel and Daniel Lustig and Margaret Martonosi},
+ year={2018},
+ eprint={1802.03802},
+ archivePrefix={arXiv},
+ primaryClass={cs.CR}
+}
+
@inproceedings{foreshadow,
author = {Van Bulck, Jo and Minkin, Marina and Weisse, Ofir and Genkin, Daniel and Kasikci, Baris and
Piessens, Frank and Silberstein, Mark and Wenisch, Thomas F. and Yarom, Yuval and Strackx, Raoul},
title = {Foreshadow: Extracting the Keys to the {Intel SGX} Kingdom with Transient Out-of-Order Execution},
booktitle = {Proceedings of the 27th {USENIX} Security Symposium},
year = {2018},
- month = {August},
+ month = Aug,
publisher = {{USENIX} Association},
note={See also technical report Foreshadow-NG~\cite{weisse2018foreshadowNG}}
}
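Review bot: The new `meltdownprime` entry leaves the camel-case names in its title unprotected, so a style that applies sentence casing would lowercase them; write `title = {{MeltdownPrime} and {SpectrePrime}: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols}`. Its authors are in `First Last` form while the neighbouring `foreshadow` entry uses `Last, First`; the comma form (`Trippel, Caroline and Lustig, Daniel and Martonosi, Margaret`) is unambiguous and keeps the file consistent. Switching `month` from a braced string to a macro is the right direction, but the predefined macros are conventionally written in lowercase (`month = aug`). Classic BibTeX folds case, but other tools may not, and the same applies to the `Mar`, `Oct` and `Feb` changes in the later hunks of this file.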
@@ -162,7 +171,7 @@
title={Speculative Load Hardening},
author={Chandler Carruth},
year={2018},
- month={March},
+ month=Mar,
url={https://releases.llvm.org/8.0.0/docs/SpeculativeLoadHardening.html}
}
@@ -203,7 +212,7 @@ pages={428-441},
keywords={cache storage;cryptography;microprocessor chips;multiprocessing systems;parallel architectures;program compilers;speculative execution invisible;side channel attacks;speculative execution attacks;microarchitectural state;hardware speculation attacks;InvisiSpec blocks microarchitectural;multiprocessor data cache hierarchy;unsafe speculative loads;speculative buffer;futuristic attacks;Spectre attacks;execution slowdown;memory consistency;Hardware;Load modeling;Receivers;Coherence;Security;Monitoring;Transient analysis;hardware security;speculation;side channel;memory hierarchy},
doi={10.1109/MICRO.2018.00042},
ISSN={},
-month={Oct},}
+month=Oct,}
@INPROCEEDINGS{dawg,
author={V. {Kiriansky} and I. {Lebedev} and S. {Amarasinghe} and S. {Devadas} and J. {Emer}},
@@ -216,7 +225,7 @@ pages={974-987},
keywords={cache storage;security of data;cache timing attacks;dynamically allocated way guard;Intels Cache Allocation Technology;memory caches;generic mechanism;cache state covert channel;entire attack surface;patch specific attacks;existing defense mechanisms;exfiltration channel;cache tag state;speculative processor architectures;channel attacks;speculative execution processors;cache subsystem;minimal modifications;service mechanisms;set associative structure;DAWG;Receivers;Program processors;Security;Transmitters;Metadata;Hardware;cache partitioning;side channel attacks;speculative execution},
doi={10.1109/MICRO.2018.00083},
ISSN={},
-month={Oct},}
+month=Oct,}
@inproceedings{context-sensitive-fencing,
title={Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization},
@@ -354,7 +363,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
keywords={cache storage;computer architecture;microprocessor chips;program diagnostics;security of data;trusted page buffer;cachehit based hazard filter;conditional speculation;spectre vulnerabilities;false security hazards;unsafe instructions;safe instructions;classic out-of-order pipeline;suspect speculation flags;security-dependent instructions;potential security risk;speculative memory instructions;security dependence;software transparent defense mechanism;security consideration;speculative execution;spectre attacks;out-of-order execution;Security;Hazards;Out of order;Microprocessors;Registers;Spectre vulnerabilities defense;Security dependence;Speculative execution side-channel vulnerabilities},
doi={10.1109/HPCA.2019.00043},
ISSN={2378-203X},
- month={Feb},}
+ month=Feb,}
% looks useful...
@INPROCEEDINGS{poisonivy,
@@ -368,7 +377,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
keywords={cryptography;PoisonIvy;safe speculation;secure memory;encryption;integrity trees;physical attacks;integrity verification latency;address-based side-channels;memory intensive workloads;Radiation detectors;Program processors;Encryption;Toxicology;Metadata},
doi={10.1109/MICRO.2016.7783741},
ISSN={},
- month={Oct},
+ month=Oct,
}
% related article