A Unified Cache-Aware Detection for Spectre Attacks


Authors: LIU Huimin[1], YAN Fei[1], ZHANG Liqiang[1], OU Changhai

Affiliation: [1] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China

Source: Journal of Wuhan University: Natural Science Edition, 2024, No. 4, pp. 441-452 (12 pages)

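Funding: National Key Research and Development Program of China (2022YFB3103804); National Natural Science Foundation of China (62102290); Major Research Program of Hubei Province (2023BAA027); Key Research and Development Program of Hubei Province (2020BAA003, 2021BAA027).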

Abstract: Speculative execution attacks and their variants continue to emerge. These attacks leave traces in the cache and then leak sensitive information through cache side channels. However, existing detection methods for Spectre attacks do not sufficiently analyze the code patterns of Spectre attacks and their variants or the existing defenses, resulting in false positives and false negatives. To address this issue, this paper proposed an improved cache-aware dynamic analysis method to identify various Spectre attacks. This paper analyzed and modeled variants of Spectre attacks based on the attack principle and code pattern characteristics, improved the formal cache model based on the least recently used replacement policy, and finally implemented a cache-aware dynamic analysis and detection tool for Spectre vulnerabilities based on the modeling of Spectre attacks and the cache. Analysis and modeling, cache state awareness, and tracking together make the detection more comprehensive and accurate. In experiments conducted on a set of microbenchmarks and commonly used cryptographic libraries, Spectre gadgets were accurately detected in all microbenchmark samples. Additionally, cache side-channel and Spectre vulnerabilities were identified in several cryptographic algorithms. The experimental results showed that the method proposed in this paper has a good detection capability.

Keywords: Spectre attack; cache side channel; side-channel detection

Classification code: TP309 [Automation and Computer Technology - Computer System Architecture]

 
