郑伟,姚庆栋,张明,刘鹏,张子男,周莉,李东晓

DOI: https://doi.org/10.3969/j.issn.1007-0249.2004.05.006

2004-01-01

Abstract:Reduction of the power consumption of microprocessors has now become one of the most critical design concerns. On-chip cache memories dominate the chip area and the power consumption in microprocessor chips. This paper describes an architectural design technique, using Read/Write buffers to reduce the on-chip cache memories accesses activity, hence significantly reduce the power consumption of the whole chip because of the low power consumption characteristic of buffer compared with cache. In MD32 design, this technique normally reduces instruction cache access or data cache access by 20~40% showed by the simulation results of multimedia test benches.

Xingjian Zhang,Ziqi Yuan,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/seed51797.2021.00014

2021-01-01

Abstract:Cache side-channel attacks can leak critical information from the target programs. The cache randomization methodology has proven to be an efficient way to mitigate such attacks. However, existing works do not take the cache hierarchy into consideration, failing to address the issue that different levels of caches have different performance and security requirements. In this work, we propose and implement a hybrid randomization scheme, named H(2)Cache, to mitigate cache side-channel attacks. H(2)Cache leverages two randomization approaches and applies them to different levels of caches. It strengthens the security of cache modules, while satisfying the performance and resource utilization requirements. Specifically, we design a table-based randomization method for the L1 cache, which uses a hashed virtual index to look up the actual cache set index. The L2 cache in H(2)Cache takes a computation-based randomization function to calculate the cache set index. We have implemented a prototype of H(2)Cache and extensively evaluated it using a self-designed RISC-V processor on the FPGA platform. We demonstrate the security of H(2)Cache through simulated attack programs and quantitative analysis. Meanwhile, the evaluation results of performance and resource utilization have shown its efficacy.

Pengfei Guo,Yingjian Yan,Fan Zhang,Chunsheng Zhu,Lichao Zhang,Zibin Dai

DOI: https://doi.org/10.1016/j.cose.2023.103255

2023-04-10

Abstract:Cryptographic devices are vulnerable to side-channel attacks, which have attracted broad attention in the hardware security field. The side-channel analysis framework proposed at Eurocrypt 2009 has been widely adopted in academia, containing key elements such as points of interest, leakage models, distinguishers, and security metrics. This classical framework, however, is not intuitively compatible with recent micro-architectural attacks such as cache attacks, therefore, few attempts have been made to link them. In this paper, we extend the classical side-channel analysis framework and migrate its ideas to access-driven cache attacks. We find that cache attacks can be effectively incorporated into this framework. Specifically, we propose a leakage model called cache access pattern vector according to the cache timing leakage characteristics. Furthermore, we propose data preprocessing schemes such as noise reduction, dimensionality reduction, and vector expansion to implement efficient attacks. Subsequently, we proposed seven distinguishers in three categories: difference of means-based analysis, vector distance-based analysis, and mutual information-based analysis. Moreover, we attacked the last round of the AES fast software implementation algorithm based on the Chipyard platform. According to the experimental results, all proposed methods can successfully extract the key, and five of them are comparable to mainstream cache analysis in attack efficiency. Finally, we evaluate the five efficient distinguishers under three different cache micro-architectures using guessing entropy. Based on the experimental environment of this paper, vector distance-based distinguishers have the best attack efficiency, and the difference of mean-based analysis has the worst. Surprisingly, the most general mutual information-based attacks can achieve excellent medium results in a few attack rounds without the help of static analysis tools. Meanwhile, the experimental results demonstrate that cache micro-architecture directly impacts the attack effect, in which the smaller cache line size benefits the attacks, while the random replacement policy increases the noise and difficulty of the attacks.

computer science, information systems

Hossein Hosseinzadeh,Mihailo Isakov,Mostafa Darabi,Ahmad Patooghy,Michel A. Kinsy

DOI: https://doi.org/10.1109/MWSCAS.2017.8053051

2017-10-25

Abstract:Side channel attacks are a major class of attacks to crypto-systems. Attackers collect and analyze timing behavior, I/O data, or power consumption in these systems to undermine their effectiveness in protecting sensitive information. In this work, we propose a new cache architecture, called Janus, to enable crypto-systems to introduce randomization and uncertainty in their runtime timing behavior and power utilization profile. In the proposed cache architecture, each data block is equipped with an on-off flag to enable/disable the data block. The Janus architecture has two special instructions in its instruction set to support the on-off flag. Beside the analytical evaluation of the proposed cache architecture, we deploy it in an ARM-7 processor core to study its feasibility and practicality. Results show a significant variation in the timing behavior across all the benchmarks. The new secure processor architecture has minimal hardware overhead and significant improvement in protecting against power analysis and timing behavior attacks.

Cryptography and Security

He Yong,Xiao Bin,Chen Zhanglong,Tu Shiliang

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.08.083

2009-01-01

Abstract:In the design of embedded microprocessors,cache has greatly improved the performance while becomes the main source of power consumption.In this paper it proposes a non-uniform dynamically reconfigurable low power cache structure,accompanied by a dynamic reconfiguration algorithm named Dynamic associatively Selection(DAS) algorithm,the power consumption is lowered through the cache's dynamical reconfiguration.Simulation based on MiBench show that the cache structure proposed in this paper consumes less power than conventional one with better performance,the average hit rate of instruction and data cache is increased by 2.1% and 1.4% respectively,and the average energy consumption of memory system decreases by 8.1%.

ZHANG Yu-hong,WANG Jie-bing,YAN Xiao-lang,WANG Le-yu

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.10.014

2005-01-01

Abstract:To decrease the power of RISC processor data cache where load/store addressing modes dominated by displacement addressing mode and multiple-register mode,the novel method fully utilizes the locality information of base address in load/store instruction.A way-select table and a way-valid table are maintained to deselect certain ways of tag and data RAM in qualified situations.The method is applicable to set-associative cache with multiple ways,and is also applicable to lockable cache.This method was implemented in a 200 MHz high-performance low-power reduced instruction set computer(RISC) processor in a(0.18) μm TSMC technology.The data cache power can be saved by about 30% with some wellknown benchmark programs.While keeping the same performance,this method can be implemented with low hardware cost.

Shuai Wang,Jun Han,Wei Huang,JunBao Liu,Xiaoyang Zeng

2010-01-01

Abstract:This paper presents a low power security ASIP which also achieve high performance and flexibility. Our efforts for reducing the power are focused on the following three aspects. First, the Instruction Rom is divided into two parts, one of which can be power gated. Second, the clock-gating method is used to cool the registers in the Register File unit. At last, the operator latchs are added in front of the EXE stage so that the idle function units can avoid unnecessary switches. The experimental result shows that the proposed approaches reduce the power of the core part of security ASIP and the whole design including storage elements by 30% and 16% on average respectively.

Xiao Liu,Mark Zwolinski,Basel Halak

2024-05-30

Abstract:Many cache designs have been proposed to guard against contention-based side-channel attacks. One well-known type of cache is the randomized remapping cache. Many randomized remapping caches provide fixed or over protection, which leads to permanent performance degradation, or they provide flexible protection, but sacrifice performance against strong contention-based attacks. To improve the secure cache design, we extend an existing secure cache design, CEASER-SH cache, and propose the SEA cache. The novel cache configurations in both caches are logical associativity, which allows the cache line to be placed not only in its mapped cache set but also in the subsequent cache sets. SEA cache allows each user or each process to have a different local logical associativity. Hence, only those users or processes that request extra protection against contention-based attacks are protected with high logical associativity. Other users or processes can access the cache with lower latency and higher performance. Compared to a CEASER-SH cache with logical associativity of 8, an SEA cache with logical associativity of 1 for normal protection users and 16 for high protection users has a Cycles Per Instruction penalty that is about 0.6% less for users under normal protections and provides better security against contention-based attacks. Based on a 45nm technology library, and compared to a conventional cache, we estimate the power overhead is about 20% and the area overhead is 3.4%.

Cryptography and Security,Hardware Architecture

Jizhong Shen,Liang Geng,Fan Zhang

DOI: https://doi.org/10.1049/el.2017.2415

2017-01-01

Electronics Letters

Abstract:Side-channel analysis (SCA) is a powerful technique to reveal the secrets using detectable physical leakages from logic elements, which brings severe security threats to modern circuits. To alleviate this problem, applying cell-level countermeasure is usually a suitable solution, which is mainly implemented as dual-rail precharge logic. Mace et al. has the proposed dynamic current mode logic (DyCML) scheme as a novel technology to resist SCA, whose power consumption is constant regardless of the data processed. However, the DyCML-based sequential elements are still in blank field. So, we have implemented a novel flip-flop compatible with DyCML, whose enhanced security has been proved by corresponding simulations.

Qi Chen,Dongyan Zhao,Liang Liu,Xuesong Yan,Yidong Yuan,Xige Zhang,Hongmei Wu,Zhe Wang

DOI: https://doi.org/10.1016/j.csi.2021.103569

IF: 3.721

2022-01-01

Computer Standards & Interfaces

Abstract:Side-channel attacks (SCAs) have become a significant threat nowadays to cryptographic devices, especially central processing units (CPUs). Based on the implementation of AES-128, the side-channel information leakage analysis is carried out in a 32-bit CPU microarchitecture in this work. Correlation power analysis (CPA) results show that it is obvious to reveal the secret key by using only 30 power traces based on the net-list simulation. Three flexibly configurable hardware-based countermeasures are proposed to prevent information leakage in the arithmetic and logic unit (ALU), register file (RF) and load/store unit (LSU), respectively, which are the most sensitive components according to our analysis. The proposed countermeasures have different protection effects on the CPU since the required trace number to reveal the secret key has increased from 30 to 100 similar to 120,000. Moreover, the anti-attack capability of the CPU is improved by 4000 times using the three countermeasures simultaneously. The proposed countermeasures can be freely combined while considering the CPU security and implementation overhead. In practice, the anti-attack capability of the CPU can be further improved when the proposed countermeasures are implemented in real-world measurements, because additional noise will be introduced during the measurements.

Pengfei Guo,Yingjian Yan,Junjie Wang,Jingxin Zhong,Yanjiang Liu,Jinsong Xu

DOI: https://doi.org/10.1016/j.cose.2023.103480

IF: 5.105

2023-09-13

Computers & Security

Abstract:Caches are key microarchitectural components of modern processors to improve memory access speed. However, attackers can readily implement timing side-channel attacks by exploiting the inherent time difference between cache hits and misses, which brings serious security threats to computer systems. In recent years, cache attacks have achieved fruitful consequences regarding attack techniques, targets, and platforms. At the same time, in order to measure the cache vulnerability, researchers have been looking at verifying the security policies and have proposed a variety of evaluation metrics. However, there are certain limitations in the current metrics, such as harsh assumptions, the distinguishing ability cannot be maintained all the time, the false positive and false negative noises can not be explicitly quantified, other tools are needed, and the verification environment is difficult to reproduce. To face these issues, we proposed a set of evaluation metrics, which includes the highest score (HS), minimum rounds to disclosure (MRD), and key score scissors differential (KSSD); we give the formal expressions in practice and theoretical, respectively. In order to facilitate the accurate reproduction of the experimental environment and results, we build a dual-core RISC-V bare-metal system based on the open-source framework Chipyard. On this basis, we conduct comprehensive evaluations to exploit vulnerabilities within the RISC-V cache architecture to verify the validity of the metrics suite. Furthermore, we compared the metrics with the commonly used success rate (SR) and guessing entropy (GE). The comparison results show that our proposed metrics suite can accurately depict the effects of attacks. Moreover, KSSD can maintain discrimination and converge quickly; MRD has more practical guidance; HS can specifically describe false negative noises. Finally, we perform a theoretical evaluation of AES algorithms with different T-table implementations using the proposed metrics, analyze the system's false positive and false negative noises, and suggest how the number of cache evictions can be determined under the random replacement policy.

computer science, information systems

Zhe Zhou,Xiaoyu Cheng,Yang Sun,Fang Jiang,Fei Tong,Yuxing Mao,Ruilin Wang

DOI: https://doi.org/10.1109/trustcom56396.2022.00166

2022-01-01

Abstract:Modern processors make use of optimization techniques such as cache and speculation mechanisms to greatly improve performance. But recent research has found that these techniques can also be exploited by attackers to perform powerful side-channel attacks. A large number of powerful cache-based attacks have been replicated and enhanced over Intel X86- and ARM-based architectures, but there is a relative lack of research on RISC-V-based architectures. Xuantie-910 and BOOM are both RISC-V-based processors. So far, cache-side channels in the unprivileged case of Xuantie-910 have not been proven, while cache attacks against BOOM are proliferating. There are two types of caches, including physically-indexed physically-tagged (PIPT) cache (adopted by Xuantie-910) and virtually-indexed physically-tagged (VIPT) cache (adopted by BOOM), corresponding to two different cache addressing forms. VIPT has higher addressing performance than PIPT, since it can directly obtain cache line index from virtual address. In this paper, we study Xuantie-910 and BOOM to explore the impact of cache design on the security of RISC-V-based microarchitecture. Specifically, we compare the impact of their cache addressing forms on precise flushing of cache lines at specified locations, which plays an important role in cache side-channel attacks. Experimental results show that for the VIPT cache in BOOM, the location-specified cache lines can be accurately flushed, and Spectre attack can be successfully carried out by using the cache side-channel. On the other hand, for the PIPT cache in Xuantie-910, it is impossible for attackers to directly and accurately flush the specified location of cache without affecting performance, which hinders the success of cache side-channel attacks. This provides us with an insight that one can adopt a VIPT-based cache with a mechanism similar to PIPT for preventing the accurate access of cache line index, which can not only keep the advantage of high-performance addressing in VIPT but also improve chip security.

HUANG Wei,HAN Jun,WANG Shuai,ZENG Xiao-yang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.24.040

2011-01-01

Abstract:(Abstract )This paper presents a design scheme with low power consumption oriented to security domain called Application Specific Instruction/set Processor(ASIP) which also achieves high performance and flexibility. The instruction Read Only Memory(ROM) is divided into two parts, one of which can be power gated in some cases. The clock/gating method is used to cool the registers in the register file unit. The operator latches are added in front of the EXE stage so that the idle function units can avoid unnecessary switches. Experimental results show the scheme reduces the power of the core part of security ASIP and the whole design including storage elements by 30 % and 16 % on average respectively. (Key words )encryption algorithm; low/power; Application Specific Instruction/set Processor(ASIP); encryption computing unit DOI: 10.3969/j.issn.1000/3428.2011.24.040

XIANG Xiao-yan,CHEN Zhi-jian,MENG Jian-yi,YAN Xiao-lang

DOI: https://doi.org/10.3785/j.issn.1008-973X.2013.07.012

2013-01-01

Abstract:The behavior of cache accessing was analyzed.A new low power instruction cache accessing method that links the current cache line and its adjacent cache lines was proposed.When a direct jump between cache lines occurs,the adjacent cache line links are reused to get the accurate way information of the target line.Then the accesses of tag array are reduced and tag lookups are avoided to reduce the dynamic power consumption.When a cache line is evicted,only its adjacent cache line links should be checked and invalidated to keep the correctness of the links.Experiment results show that dynamic power consumption can be reduced by 6% on average with the new method compared to the traditional way memorization instruction cache.

Xiangyu Li,Chaoqun Yang,Jiangsha Ma,Yongchang Liu,Shujuan Yin

DOI: https://doi.org/10.1109/tvlsi.2017.2752212

2017-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Energy-efficient countermeasures to side-channel attacks are required for Internet of Things hardware. This paper proposes a special hiding technique for the substitution operation in block ciphers, which equalizes the power consumption of a circuit by appropriate feedforward compensation and is called power-aware hiding (PAH). A hybrid application configuration, in which PAH is applied to the S-boxes while the left linear operations are protected with a general masking method, is proposed as well. This solution not only has higher energy efficiency but can also be implemented automatically in a semicustom manner. The Advanced Encryption Standard VLSI adopting this solution was implemented and manufactured in 180-nm technology as a demonstration. The implementation issues regarding the countermeasures are discussed in this paper. Testing shows that the chip has a throughput up to 1.175 Gb/s with 18.1-mW power consumption and its number of measurements to disclosure is 13.4 million.

FANG Liang,XIAO Bin,CHAI Yi-fei,CHEN Zhang-long,TU Shi-liang

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.20.050

2006-01-01

Abstract:With the advances in semiconductor technology,there is an impact on chip design that the power management has become a design constraint due to increase in power density.Because on-chip cache is one of the main sources of CPU,low-power cache architecture can effectively reduce the power consumption of CPU.The design of low-power cache is researched.The approaches frequently used in low-power cache design,the architecture of a low-power re-configurable data cache and the corresponding re-configuration algorithm are introduced.A new algorithm— low-high boundary(LHB) algorithm for reconfiguration is given.The experimental result show that LHB algorithm is better than the original algorithm in both performance and power consumption.

Mengming Li,Kai Bu,Chenlu Miao,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2024.3354991

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cache side-channel attacks remain a stubborn source of cross-core secret leakage. Such attacks exploit the timing difference between cache hits and misses. Most defenses thus choose to prevent cache evictions. Given that two possible types of evictions—flush-based and conflict-based—use different architectural features, these defenses have to integrate hybrid defense strategies, incur OS modification, and sacrifice performance to completely throttle cache side-channel attacks. In this paper, we present TreasureCache against cache side-channel attacks without modifying OS or sacrificing performance. Instead of preventing cache evictions with various costs, we advocate to allow cache evictions as is and hide exploitable evictions in our specialized small eviction-hidden buffer. The buffer guarantees a fast hit time comparative to LLC hits. This instantly closes the timing gap between accessing exploitable blocks when they are in and out of the LLC. Moreover, with the help of our buffer, we no longer have to disable flush instructions or shared memory. A lightweight constant-time flush instruction can help TreasureCache to prevent both flush-based and conflict-based side-channel attacks. We validate TreasureCache security and performance through extensive experiments. With a hardware overhead of less than 0.5%, TreasureCache reduces the secret-leakage resolution by about 1,000 times without introducing any performance slowdown.

Guangyuan Hu,Ruby B. Lee

2023-06-05

Abstract:Hardware caches are essential performance optimization features in modern processors to reduce the effective memory access time. Unfortunately, they are also the prime targets for attacks on computer processors because they are high-bandwidth and reliable side or covert channels for leaking secrets. Conventional cache timing attacks typically leak secret encryption keys, while recent speculative execution attacks typically leak arbitrary illegally-obtained secrets through cache timing channels. While many hardware defenses have been proposed for each class of attacks, we show that those for conventional (non-speculative) cache timing channels do not work for all speculative execution attacks, and vice versa. We maintain that a cache is not secure unless it can defend against both of these major attack classes. We propose a new methodology and framework for covering such relatively large attack surfaces to produce a Speculative and Timing Attack Resilient (STAR) cache subsystem. We use this to design two comprehensive secure cache architectures, STAR-FARR and STAR-NEWS, that have very low performance overheads of 5.6% and 6.8%, respectively. To the best of our knowledge, these are the first secure cache designs that cover both non-speculative cache side channels and cache-based speculative execution attacks. Our methodology can be used to compose and check other secure cache designs. It can also be extended to other attack classes and hardware systems. Additionally, we also highlight the intrinsic security and performance benefits of a randomized cache like a real Fully Associative cache with Random Replacement (FARR) and a lower-latency, speculation-aware version (NEWS).

Cryptography and Security,Hardware Architecture

Han Wang,Ming Tang,Ke Xu,Quancheng Wang

DOI: https://doi.org/10.23919/date58400.2024.10546529

2024-01-01

Abstract:In the modern CPU architecture, enhancements such as the Line Fill Buffer (LFB) and Super Queue (SQ), which are designed to track pending cache requests, have significantly boosted performance. To exploit this structure, we deliberately engineered blockages in the L2 to L1d route by controlling LFB conflict and triggering prefetch prediction failures, while consciously dismissing other plausible influencing factors. This approach was subsequently extended to the L3 to L2 and L2 to L1i pathways, resulting in three potent covert channels, termed L2CC, L3CC, and LiCC, with capacities of 10.02 Mbps, 10.37 Mbps, and 1.83 Mbps, respectively. Strikingly, the capacities of L2CC and L3CC surpass those of earlier non-shared-memory-based covert channels, reaching a level comparable to their shared memory-dependent equivalents. Leveraging this congestion further facilitated the extraction of key bits from RSA and EdDSA designs. Coupled with SpectreV1 and V2, our covert channels effectively evade the majority of traditional Spectre defenses. Their confluence with Branch Prediction (BP) Timing assaults additionally undercuts balanced branch protections, hence broad-ening their capability to infiltrate a wide range of cryptography libraries. Index

Pavitra Bhade,Joseph Paturel,Olivier Sentieys,Sharad Sinha

DOI: https://doi.org/10.1145/3663673

2024-06-12

ACM Transactions on Embedded Computing Systems

Abstract:Cache Side-Channel Attacks (CSCAs) have been haunting most processor architectures for decades now. Existing approaches to mitigation of such attacks have certain drawbacks, namely software mishandling, performance overhead, and low throughput due to false alarms. Hence, “mitigation only when detected” should be the approach to minimize the effects of such drawbacks. We propose a novel methodology of fine-grained detection of timing-based CSCA using a hardware-based detection module. We discuss the design, implementation, and use of our proposed detection module in processor architectures. Our approach successfully detects attacks that flush secret victim information from cache memory like Flush+Reload, Flush+Flush, Prime+Probe, Evict+Probe, and Prime+Abort, commonly known as cache timing attacks. Detection is on time with minimal performance overhead. The parameterizable number of counters used in our module allows detection of multiple attacks on multiple sensitive locations simultaneously. The fine-grained nature ensures negligible false alarms, severely reducing the need for any unnecessary mitigation. The proposed work is evaluated by synthesizing the entire detection algorithm as an attack detection block, Edge-CaSCADe, in a RISC-V processor as a target example. The detection results are checked under different workload conditions with respect to the number of attackers and the number of victims having RSA-, AES-, and ECC-based encryption schemes like ECIES, and on benchmark applications like MiBench and Embench. More than 98% detection accuracy within 2% of the beginning of an attack can be achieved with negligible false alarms. The detection module has an area and power overhead of 0.9% to 2% and 1% to 2.1% for the targeted RISC-V processor core without cache for one to five counters, respectively. The detection module does not affect the processor critical path and hence has no impact on its maximum operating frequency.

computer science, software engineering, hardware & architecture