A Survey of Processor Chip Security
Abstract (Chinese abstract, translated): Processor chip security is the cornerstone of information security. Cryptographic algorithms, applications and operating systems have long relied on the processor as their trusted base. However, as Moore's Law slows, modern processors keep pursuing high performance and low power in their microarchitectural design while neglecting security, which has led to a surge of security vulnerabilities in recent years. Among them, the microarchitectural timing-channel vulnerabilities represented by Meltdown and Spectre have drawn particular attention: they exploit timing differences caused by microarchitectural state changes to break fundamental software and hardware isolation, affecting billions of devices from mainstream CPU vendors. Moreover, as the boundary between architecture and microarchitecture blurs, a series of new attack techniques has emerged, turning timing channels from "hardware vulnerabilities" into a system-level security problem. Existing literature, however, classifies mainly by hardware component, which obscures the commonalities underlying timing leakage and limits the ability to analyze software channels. This paper surveys timing channels across layers and unifies hardware-based and software-based leakage under one abstract model. Specifically, we first analyze the four basic conditions under which a timing channel arises, and unify existing hardware and software attacks under a single classification model according to the nature of the shared mutable state in the core leakage condition and the mechanism that yields the ability to observe timing. Based on this classification, we comprehensively review the attack methods of the past decade, systematically analyze their attack steps, and reveal their commonalities. Second, we classify existing defense techniques by the leakage condition they block, and point out the scope of each defense and the reasons it fails. Finally, we summarize current automated detection methods and offer a forward-looking discussion of timing-channel security research on emerging platforms and future development trends.

Abstract:
Significance: Processor chip security is widely regarded as the foundation of modern information security. Cryptographic algorithms, operating systems, and applications have traditionally relied on processors as trusted computing bases. However, as Moore's Law slows, modern processors increasingly adopt aggressive microarchitectural optimizations to improve performance and energy efficiency, often without systematic security consideration. As a result, security vulnerabilities have emerged frequently in recent years. Notably, microarchitectural timing channels exemplified by Meltdown and Spectre exploit timing differences induced by microarchitectural state changes to bypass fundamental hardware and software isolation, affecting billions of devices worldwide. Meanwhile, the boundary between architectural and microarchitectural behavior has become increasingly blurred, giving rise to new attack paradigms and transforming timing channels from isolated hardware flaws into cross-layer system security problems.

Progress: Although substantial progress has been made in the study of timing channels, existing surveys exhibit several limitations. First, the mechanisms underlying timing channels are highly diverse, with an expanding set of exploitable components, making hardware-centric classifications insufficient to capture emerging and unknown attacks while obscuring commonalities across techniques. Second, as classic microarchitectural channels become better understood and partially mitigated, leakage increasingly migrates to higher-level shared resources, including operating system policies and software-managed coordination mechanisms. However, prior work often treats software primarily as an execution context rather than a source of timing leakage. In addition, existing discussions of defenses tend to focus on individual techniques, with limited analysis of their scope of effectiveness and failure modes.

Contributions: In this survey, timing channels are systematically reviewed from a cross-layer perspective, and hardware- and software-based leakages are unified under a common abstraction. Four necessary conditions for timing channel exploitation are identified, and a unified classification framework is constructed based on the nature of shared mutable state and the mechanisms enabling timing observability. Within this framework, representative attacks from the past decade are comprehensively reviewed, their attack workflows are analyzed, and underlying commonalities are revealed. Furthermore, existing defense mechanisms are classified according to the leakage conditions they aim to disrupt, and their protection scope as well as potential failure modes are discussed. Finally, this paper also analyzes the current automated detection methods.

Prospects: Looking forward, timing channel research faces emerging challenges. New hardware optimization techniques continue to introduce novel attack surfaces, while resource sharing at the software level may give rise to additional timing leakage. Moreover, emerging platforms, including chiplet-based architectures, cloud computing environments, hardware accelerators, and heterogeneous systems, are likely to expose new forms of timing channels that warrant systematic investigation.
Key words:
- Processor security
- timing channels
- side-channel attacks
- transient execution
Table 1 Unified classification of cross-layer timing channel attacks

| Leakage condition | Attack class | Subclass | Hardware channel examples | Software channel examples |
|---|---|---|---|---|
| Shared state persists after a context switch | State residency | Persistent microarchitectural state | TLB [11], LLC [2,12], BTB [13] | ——† |
| | | Persistent architectural state | DRAMA [14], LLM [15], MetaLeak [16] | Page [5], Write+Sync [17], SLUB [6] |
| Concurrent use lowers bandwidth / degrades performance | Resource contention | Structural contention | Retirement unit [18], Bandwidth [19], Reload+Reload [20], LeakyHammer [21] | KernelSnitch [22], Sync+Sync [23] |
| | | Arbitration contention | CPU ring interconnect [24], PCIe [25], Mesh [26] | MES-Attacks [27,28] |
| State realization is deferred; fast and slow paths are distinguishable | Delayed transition | Fault/interrupt-triggered delay | SegScope [29], Thermalscope [30], Keydrown [31], WAIT [32] | Copy-on-write [33] |
| | | Lazy-switching delay | LazyFP [34] | ——† |
| History-based prediction or adaptive optimization | Asynchronous feedback | Prefetching | GoFetch [35], PrefetchX [36] | BunnyHop [37], Prefetchw [38] |
| | | Speculative execution | Spectre-PHT [3], Spectre-RSB [39], RIDL [40], Fallout [41], ARMeD [42], Loop prediction mechanism [43] | ——† |
| | | Exception/fault | Meltdown [4], Foreshadow [44] | ——† |

† No corresponding instance has been found so far.

Table 2 Classification of timing channel defense techniques
| Approach | Defense category | Scope / target | Representative instance | Overhead |
|---|---|---|---|---|
| Isolation-based | Branch predictor isolation | Asynchronous feedback class (branch prediction attacks) | BRB [47] | 3.5%~5.5% |
| | | | XOR-BP [48] | ~2.5%, 0.24% (hardware overhead) |
| | | | HyBP [49] | 0.5%, 21.1% (hardware overhead) |
| | Cache isolation | State residency class (cache side channels) | PhantomCache [50] | 0.5%~1.2% |
| | | | DAWG [51] | <2% |
| | Sensitive-target isolation | Asynchronous feedback class (exception/fault attacks) | Site Isolation [52] | 9%~13% (memory overhead) |
| | | | KAISER [53] | 1~10% |
| Limiting observable microarchitectural state changes | Restricting speculative execution | Asynchronous feedback class (speculative execution attacks) | Retpoline [54] | 5~10% |
| | | | CSF [55] | <8% |
| | Adding hardware structures | Asynchronous feedback class (speculative execution and exception/fault attacks) | InvisiSpec [56] | 22%, 3.5% (area overhead) |
| | | | TreasureCache [57] | <0.5% (hardware overhead) |
| | Undoing or blocking the effects of unsafe speculation | Asynchronous feedback class (speculative execution and exception/fault attacks) | CleanupSpec [58] | 5.1%, ~1 KB (storage overhead) |
| | | | NDA [59] | 10.7%~125% |
| | | | SCSGuardian [60] | 3.82%~5.97% |
| | | | PreFence [61] | 1% |
| Disturbing covert-channel measurement | Noise injection | Timing side channels | Reuse-trap [62] | —† |
| | | | Prefender [63] | -1.69% |
| Detect-then-block | Code or signature analysis | Asynchronous feedback class (speculative execution attacks) | Spectector [64] | —† |
| | | | SpecTaint [65] | ~1.5%-2% |
| | | | Spoiler-ALERT [66] | 0.24% |

† Not reported in the cited paper.
References:
[1] ZHANG Jiliang, CHEN Congcong, CUI Jinhua, et al. Timing side-channel attacks and countermeasures in CPU microarchitectures[J]. ACM Computing Surveys, 2024, 56(7): 178. doi: 10.1145/3645109.
[2] YAROM Y and FALKNER K. FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack[C]. 23rd USENIX Security Symposium, San Diego, USA, 2014: 719–732.
[3] KOCHER P, HORN J, FOGH A, et al. Spectre attacks: Exploiting speculative execution[C]. IEEE Symposium on Security and Privacy, San Francisco, USA, 2019: 1–19. doi: 10.1109/SP.2019.00002.
[4] LIPP M, SCHWARZ M, GRUSS D, et al. Meltdown: Reading kernel memory from user space[J]. Communications of the ACM, 2020, 63(6): 46–56. doi: 10.1145/3357033.
[5] GRUSS D, KRAFT E, TIWARI T, et al. Page cache attacks[C]. ACM SIGSAC Conference on Computer and Communications Security, London, UK, 2019: 167–180. doi: 10.1145/3319535.3339809.
[6] MAAR L, GAST S, UNTERGUGGENBERGER M, et al. SLUBStick: Arbitrary memory writes through practical software cross-cache attacks within the Linux kernel[C]. 33rd USENIX Security Symposium, Philadelphia, USA, 2024: 4051–4068.
[7] BISWAS A K, GHOSAL D, and NAGARAJA S. A survey of timing channels and countermeasures[J]. ACM Computing Surveys, 2018, 50(1): 6. doi: 10.1145/3023872.
[8] LAN Zeru, QIU Pengfei, WANG Chunlu, et al. A survey of processor hardware vulnerability[J]. Journal of Electronics & Information Technology, 2025, 47(9): 3020–3037. doi: 10.11999/JEIT250357. (in Chinese)
[9] YIN Jiawei, LI Menghao, and HUO Wei. Survey on security researches of processor's microarchitecture[J]. Journal of Cyber Security, 2022, 7(4): 17–31. doi: 10.19363/J.cnki.cn10-1380/tn.2022.07.02. (in Chinese)
[10] LIU Chang, HUANG Qilin, LIU Yuchuan, et al. A survey of data prefetcher security on modern processors[J]. Journal of Electronics & Information Technology, 2025, 47(9): 3038–3056. doi: 10.11999/JEIT250412. (in Chinese)
[11] GRAS B, RAZAVI K, BOS H, et al. Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks[C]. 27th USENIX Security Symposium, Baltimore, USA, 2018: 955–972.
[12] LIU Fangfei, YAROM Y, GE Qian, et al. Last-level cache side-channel attacks are practical[C]. IEEE Symposium on Security and Privacy, San Jose, USA, 2015: 605–622. doi: 10.1109/SP.2015.43.
[13] EVTYUSHKIN D, PONOMAREV D, and ABU-GHAZALEH N. Jump over ASLR: Attacking branch predictors to bypass ASLR[C]. 49th Annual IEEE/ACM International Symposium on Microarchitecture, Taipei, China, 2016: 1–13. doi: 10.1109/MICRO.2016.7783743.
[14] PESSL P, GRUSS D, MAURICE C, et al. DRAMA: Exploiting DRAM addressing for cross-CPU attacks[C]. 25th USENIX Security Symposium, Austin, USA, 2016: 565–581.
[15] SONG Linke, PANG Zixuan, WANG Wenhao, et al. The early bird catches the leak: Unveiling timing side channels in LLM serving systems[J]. IEEE Transactions on Information Forensics and Security, 2025, 20: 11431–11446. doi: 10.1109/TIFS.2025.3622954.
[16] CHOWDHURYY M H I, ZHENG Hao, and YAO Fan. MetaLeak: Uncovering side channels in secure processor architectures exploiting metadata[C]. ACM/IEEE 51st Annual International Symposium on Computer Architecture, Buenos Aires, Argentina, 2024: 693–707. doi: 10.1109/ISCA59077.2024.00056.
[17] CHEN Congcong, CUI Jinhua, QU Gang, et al. Write+Sync: Software cache write covert channels exploiting memory-disk synchronization[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 8066–8078. doi: 10.1109/TIFS.2024.3414255.
[18] XU Ke, TANG Ming, WANG Quancheng, et al. Exploitation of security vulnerability on retirement[C]. IEEE International Symposium on High-Performance Computer Architecture, Edinburgh, UK, 2024: 1–14. doi: 10.1109/HPCA57654.2024.00012.
[19] WANG Han, TANG Ming, XU Ke, et al. Cache bandwidth contention leaks secrets[C]. Design, Automation & Test in Europe Conference & Exhibition, Valencia, Spain, 2024: 1–6. doi: 10.23919/DATE58400.2024.10546529.
[20] CHIANG L C and LI S W. Reload+Reload: Exploiting cache and memory contention side channel on AMD SEV[C]. 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Rotterdam, Netherlands, 2025: 1014–1027. doi: 10.1145/3676641.3716017.
[21] BOSTANCI F N, CANPOLAT O, OLGUN A, et al. Understanding and mitigating covert channel and side channel vulnerabilities introduced by RowHammer defenses[C]. 58th IEEE/ACM International Symposium on Microarchitecture, Seoul, South Korea, 2025: 1412–1432. doi: 10.1145/3725843.3756029.
[22] MAAR L, JUFFINGER J, STEINBAUER T, et al. KernelSnitch: Side channel-attacks on kernel data structures[C]. 32nd Annual Network and Distributed System Security Symposium, San Diego, USA, 2025: 1–20.
[23] JIANG Qisheng and WANG Chundong. Sync+Sync: A covert channel built on fsync with storage[C]. 33rd USENIX Security Symposium, Philadelphia, USA, 2024: 1–18.
[24] PACCAGNELLA R, LUO Licheng, and FLETCHER C W. Lord of the ring(s): Side channel attacks on the CPU on-chip ring interconnect are practical[C]. 30th USENIX Security Symposium, 2021: 645–662.
[25] TAN Mingtian, WAN Junpeng, ZHOU Zhe, et al. Invisible probe: Timing attacks with PCIe congestion side-channel[C]. IEEE Symposium on Security and Privacy, San Francisco, USA, 2021: 322–338. doi: 10.1109/SP40001.2021.00059.
[26] WAN Junpeng, BI Yanxiang, ZHOU Zhe, et al. MeshUp: Stateless cache side-channel attack on CPU mesh[C]. IEEE Symposium on Security and Privacy, San Francisco, USA, 2022: 1506–1524. doi: 10.1109/SP46214.2022.9833794.
[27] SHEN Chaoqun, ZHANG Jiliang, and QU Gang. MES-attacks: Software-controlled covert channels based on mutual exclusion and synchronization[C]. 60th ACM/IEEE Design Automation Conference, San Francisco, USA, 2023: 1–6. doi: 10.1109/DAC56929.2023.10247792.
[28] ZHANG Jiliang, SHEN Chaoqun, and QU Gang. Mex+Sync: Software covert channels exploiting mutual exclusion and synchronization[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2023, 42(12): 4491–4504. doi: 10.1109/TCAD.2023.3291669.
[29] ZHANG Xin, ZHANG Zhi, SHEN Qingni, et al. SegScope: Probing fine-grained interrupts via architectural footprints[C]. IEEE International Symposium on High-Performance Computer Architecture, Edinburgh, UK, 2024: 424–438. doi: 10.1109/HPCA57654.2024.00039.
[30] ZHANG Xin, ZHANG Zhi, SHEN Qingni, et al. ThermalScope: A practical interrupt side channel attack based on thermal event interrupts[C]. 61st ACM/IEEE Design Automation Conference, San Francisco, USA, 2024: 28. doi: 10.1145/3649329.3656525.
[31] SCHWARZ M, LIPP M, GRUSS D, et al. KeyDrown: Eliminating software-based keystroke timing side-channel attacks[C]. 25th Network and Distributed System Security Symposium, San Diego, USA, 2018: 1–15.
[32] ZHANG Ruiyi, KIM T, WEBER D, et al. (M)WAIT for it: Bridging the gap between microarchitectural and architectural side channels[C]. 32nd USENIX Security Symposium, Anaheim, USA, 2023: 7267–7284.
[33] SUZAKI K, IIJIMA K, YAGI T, et al. Memory deduplication as a threat to the guest OS[C]. Fourth European Workshop on System Security, Salzburg, Austria, 2011: 1. doi: 10.1145/1972551.1972552.
[34] STECKLINA J and PRESCHER T. LazyFP: Leaking FPU register state using microarchitectural side-channels[J]. arXiv preprint arXiv: 1806.07480, 2018. doi: 10.48550/arXiv.1806.07480.
[35] CHEN Boru, WANG Yingchen, SHOME P, et al. GoFetch: Breaking constant-time cryptographic implementations using data memory-dependent prefetchers[C]. 33rd USENIX Security Symposium, Philadelphia, USA, 2024: 1117–1134.
[36] CHEN Yun, HAJIABADI A, PEI Lingfeng, et al. PREFETCHX: Cross-core cache-agnostic prefetcher-based side-channel attacks[C]. IEEE International Symposium on High-Performance Computer Architecture, Edinburgh, UK, 2024: 395–408. doi: 10.1109/HPCA57654.2024.00037.
[37] ZHANG Zhiyuan, TAO Mingtian, O’CONNELL S, et al. BunnyHop: Exploiting the instruction prefetcher[C]. 32nd USENIX Security Symposium, Anaheim, USA, 2023: 7321–7337.
[38] GUO Yanan, ZIGERELLI A, ZHANG Youtao, et al. Adversarial prefetch: New cross-core cache side channel attacks[C]. IEEE Symposium on Security and Privacy, San Francisco, USA, 2022: 1458–1473. doi: 10.1109/SP46214.2022.9833692.
[39] MAISURADZE G and ROSSOW C. ret2spec: Speculative execution using return stack buffers[C]. ACM SIGSAC Conference on Computer and Communications Security, Toronto, Canada, 2018: 2109–2122. doi: 10.1145/3243734.3243761.
[40] VAN SCHAIK S, MILBURN A, OSTERLUND S, et al. RIDL: Rogue in-flight data load[C]. IEEE Symposium on Security and Privacy, San Francisco, USA, 2019: 88–105. doi: 10.1109/SP.2019.00087.
[41] CANELLA C, GENKIN D, GINER L, et al. Fallout: Leaking data on meltdown-resistant CPUs[C]. ACM SIGSAC Conference on Computer and Communications Security, London, UK, 2019: 769–784. doi: 10.1145/3319535.3363219.
[42] LIU Chang, LI Zhouyang, WANG Haixia, et al. Exploiting ARMeD channels by reverse engineering ARM memory disambiguation unit[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2026, 45(2): 1075–1088. doi: 10.1109/TCAD.2025.3585078.
[43] GUO Jiayi, QIU Pengfei, YUAN Jie, et al. A novel transient execution attack exploiting loop prediction mechanisms[J]. Journal of Electronics & Information Technology, 2025, 47(9): 3363–3373. doi: 10.11999/JEIT250361. (in Chinese)
[44] VAN BULCK J, MINKIN M, WEISSE O, et al. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution[C]. 27th USENIX Security Symposium, Baltimore, USA, 2018: 991–1008.
[45] BRIONGOS S, MALAGÓN P, MOYA J M, et al. RELOAD+REFRESH: Abusing cache replacement policies to perform stealthy cache attacks[C]. 29th USENIX Security Symposium, 2020: 1967–1984.
[46] LIU Chang, LYU Yongqiang, WANG Haixia, et al. Leaky MDU: ARM memory disambiguation unit uncovered and vulnerabilities exposed[C]. 60th ACM/IEEE Design Automation Conference, San Francisco, USA, 2023: 1–6. doi: 10.1109/DAC56929.2023.10247985.
[47] VOUGIOUKAS I, NIKOLERIS N, SANDBERG A, et al. BRB: Mitigating branch predictor side-channels[C]. IEEE International Symposium on High Performance Computer Architecture, Washington, USA, 2019: 466–477. doi: 10.1109/HPCA.2019.00058.
[48] ZHAO Lutan, LI Peinan, HOU Rui, et al. A lightweight isolation mechanism for secure branch predictors[C]. 58th ACM/IEEE Design Automation Conference, San Francisco, USA, 2021: 1267–1272. doi: 10.1109/DAC18074.2021.9586178.
[49] ZHAO Lutan, LI Peinan, HOU Rui, et al. HyBP: Hybrid isolation-randomization secure branch predictor[C]. IEEE International Symposium on High-Performance Computer Architecture, Seoul, South Korea, 2022: 346–359. doi: 10.1109/HPCA53966.2022.00033.
[50] TAN Qinhan, ZENG Zhihua, BU Kai, et al. PhantomCache: Obfuscating cache conflicts with localized randomization[C]. 27th Annual Network and Distributed Systems Security Symposium, San Diego, USA, 2020: 1–17.
[51] KIRIANSKY V, LEBEDEV I, AMARASINGHE S, et al. DAWG: A defense against cache timing attacks in speculative execution processors[C]. 51st Annual IEEE/ACM International Symposium on Microarchitecture, Fukuoka, Japan, 2018: 974–987. doi: 10.1109/MICRO.2018.00083.
[52] REIS C, MOSHCHUK A, and OSKOV N. Site isolation: Process separation for web sites within the browser[C]. 28th USENIX Security Symposium, Santa Clara, USA, 2019: 1661–1678.
[53] GRUSS D, LIPP M, SCHWARZ M, et al. KASLR is dead: Long live KASLR[C]. 9th International Symposium on Engineering Secure Software and Systems, Bonn, Germany, 2017: 161–176. doi: 10.1007/978-3-319-62105-0_11.
[54] HARRIS S. Retpoline: A software construct for preventing branch-target-injection[EB/OL]. https://harukizaemon.com/links/2018/01/15/retpoline-a-software-construct-for-preventing-branch-target-injection/, 2018.
[55] TARAM M, VENKAT A, and TULLSEN D. Context-sensitive fencing: Securing speculative execution via microcode customization[C]. Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, Providence, USA, 2019: 395–410. doi: 10.1145/3297858.3304060.
[56] YAN Mengjia, CHOI J, SKARLATOS D, et al. InvisiSpec: Making speculative execution invisible in the cache hierarchy[C]. 51st Annual IEEE/ACM International Symposium on Microarchitecture, Fukuoka, Japan, 2018: 428–441. doi: 10.1109/MICRO.2018.00042.
[57] LI Mengming, BU Kai, MIAO Chenlu, et al. TreasureCache: Hiding cache evictions against side-channel attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2024, 21(5): 4574–4588. doi: 10.1109/TDSC.2024.3354991.
[58] SAILESHWAR G and QURESHI M K. CleanupSpec: An “Undo” approach to safe speculation[C]. 52nd Annual IEEE/ACM International Symposium on Microarchitecture, Columbus, USA, 2019: 73–86. doi: 10.1145/3352460.3358314.
[59] WEISSE O, NEAL I, LOUGHLIN K, et al. NDA: Preventing speculative execution attacks at their source[C]. 52nd Annual IEEE/ACM International Symposium on Microarchitecture, Columbus, USA, 2019: 572–586. doi: 10.1145/3352460.3358306.
[60] CHENG Xiaoyu, TONG Fei, ZHOU Zhe, et al. SCSGuardian: A practical hardware defense against speculative cache side-channel attacks[J]. IEEE Transactions on Information Forensics and Security, 2025, 20: 8833–8847. doi: 10.1109/TIFS.2025.3598478.
[61] SCHLÜTER T and TIPPENHAUER N O. PreFence: A fine-grained and scheduling-aware defense against prefetching-based attacks[C]. 10th IEEE European Symposium on Security and Privacy, Venice, Italy, 2025: 374–394. doi: 10.1109/EuroSP63326.2025.00030.
[62] FANG Hongyu, DOROSLOVAČKI M, and VENKATARAMANI G. Reuse-trap: Re-purposing cache reuse distance to defend against side channel leakage[C]. 57th ACM/IEEE Design Automation Conference, San Francisco, USA, 2020: 1–6. doi: 10.1109/DAC18072.2020.9218725.
[63] LI Luyi, HUANG Jiayi, FENG Lang, et al. Prefender: A prefetching defender against cache side channel attacks as a pretender[J]. IEEE Transactions on Computers, 2024, 73(6): 1457–1471. doi: 10.1109/TC.2024.3377891.
[64] GUARNIERI M, KOPF B, MORALES J F, et al. Spectector: Principled detection of speculative information flows[C]. IEEE Symposium on Security and Privacy, San Francisco, USA, 2020: 1–19. doi: 10.1109/SP40000.2020.00011.
[65] QI Zhenxiao, FENG Qian, CHENG Yueqiang, et al. SpecTaint: Speculative taint analysis for discovering spectre gadgets[C]. 28th Annual Network and Distributed Systems Security Symposium, 2021: 1–14.
[66] CUI Jinhua, YIN Yiyun, CHEN Congcong, et al. Spoiler-alert: Detecting spoiler attacks using a cuckoo filter[C]. Design, Automation & Test in Europe Conference & Exhibition, Antwerp, Belgium, 2023: 1–6. doi: 10.23919/DATE56975.2023.10137180.
[67] WICHELMANN J, RABICH A, PÄTSCHKE A, et al. Obelix: Mitigating side-channels through dynamic obfuscation[C]. IEEE Symposium on Security and Privacy, San Francisco, USA, 2024: 4182–4199. doi: 10.1109/SP54263.2024.00261.
[68] SONG Wei, XUE Zihan, HAN Jinchi, et al. Randomizing set-associative caches against conflict-based cache side-channel attacks[J]. IEEE Transactions on Computers, 2024, 73(4): 1019–1033. doi: 10.1109/TC.2024.3349659.
[69] CHOWDHURYY M H I and YAO Fan. IvLeague: Side channel-resistant secure architectures using isolated domains of dynamic integrity trees[C]. 57th IEEE/ACM International Symposium on Microarchitecture, Austin, USA, 2024: 1153–1168. doi: 10.1109/MICRO61859.2024.00087.
[70] ZHU Yongye, CHEN Boru, ZHAO Z N, et al. Controlled preemption: Amplifying side-channel attacks from userspace[C]. 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Rotterdam, Netherlands, 2025: 162–177. doi: 10.1145/3676641.3715985.
[71] FADIHEH M R, WEZEL A, MULLER J, et al. An exhaustive approach to detecting transient execution side channels in RTL designs of processors[J]. IEEE Transactions on Computers, 2023, 72(1): 222–235. doi: 10.1109/TC.2022.3152666.
[72] ROSTAMI M, ZEITOUNI S, KANDE R, et al. Lost and found in speculation: Hybrid speculative vulnerability detection[C]. 61st ACM/IEEE Design Automation Conference, San Francisco, USA, 2024: 294. doi: 10.1145/3649329.3658469.
[73] XU Jinyan, ZHOU Yangye, ZHANG Xingzhi, et al. DejaVuzz: Disclosing transient execution bugs with dynamic swappable memory and differential information flow tracking assisted processor fuzzing[C]. 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Rotterdam, Netherlands, 2025: 64–80. doi: 10.1145/3676642.3736115.
[74] BORKAR P, CHEN Chen, ROSTAMI M, et al. WhisperFuzz: White-box fuzzing for detecting and locating timing vulnerabilities in processors[C]. 33rd USENIX Security Symposium, Philadelphia, USA, 2024: 5377–5394.
[75] ZHANG Shixuan, WANG Haixia, QIU Pengfei, et al. SCAFinder: Formal verification of cache fine-grained features for side channel detection[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 8079–8093. doi: 10.1109/TIFS.2024.3452002.
[76] ZHANG Kanqi, LI Peinan, LI Miao, et al. Sonar: A hardware fuzzing framework to uncover contention side channels in processors[C]. IEEE/ACM International Symposium on Microarchitecture, Seoul, South Korea, 2025: 125–139. doi: 10.1145/3725843.3756136.
[77] GRAS B, GIUFFRIDA C, KURTH M, et al. ABSynthe: Automatic Blackbox side-channel synthesis on commodity microarchitectures[C]. 27th Annual Network and Distributed System Security Symposium, San Diego, USA, 2020: 1–18. doi: 10.14722/ndss.2020.23018.
[78] WEBER D, IBRAHIM A, NEMATI H, et al. Osiris: Automated discovery of microarchitectural side channels[C]. 30th USENIX Security Symposium, Vancouver, Canada, 2021: 1415–1432.
[79] OLEKSENKO O, FETZER C, KÖPF B, et al. Revizor: Testing black-box CPUs against speculation contracts[J]. IEEE Micro, 2023, 43(4): 37–44. doi: 10.1109/MM.2023.3273009.
[80] THOMAS F, ARRIBAS E G, HETTERICH L, et al. RISCover: Automatic discovery of user-exploitable architectural security vulnerabilities in closed-source RISC-V CPUs[C]. ACM SIGSAC Conference on Computer and Communications Security, Taipei, China, 2025: 3326–3340. doi: 10.1145/3719027.3765141.
[81] THOMAS F, TORRES M, MOGHIMI D, et al. ExfilState: Automated discovery of timer-free cache side channels on ARM CPUs[C]. ACM SIGSAC Conference on Computer and Communications Security, Taipei, China, 2025: 2564–2578. doi: 10.1145/3719027.3765061.
[82] WANG Xinrui, FENG Lang, WANG Yujie, et al. Resister: A resilient interposer architecture for chiplet to mitigate timing side-channel attacks[J]. ACM Transactions on Design Automation of Electronic Systems, 2025, 30(5): 76. doi: 10.1145/3748258.