Side Channel Attacks Flashcards
(7 cards)
What is simple power analysis?
Different operations draw different amounts of power, which may be easily distinguishable on a power trace.
Masking
Side Channel Defence
Sensitive variables are split up so that they are never accessed directly
Blinding
Side Channel Defence
Apply random values to the input, which are then removed from the output and the computation, so the program never operates on a sensitive value directly.
State 5 side channel defences
Constant time operation
No branches
Masking
Blinding
Use special co-processors to perform sensitive operations
Flush and reload
Side Channel Attack
The spy process flushes the cache and waits for a victim process to perform an operation. The spy process then tries to access a value; if the access is fast, the value was loaded into the cache by the victim process.
What is transient execution?
Lines of a program can be executed in parallel if they do not require the result of another instruction. If there is an error or a change in branch, the state of the program is rolled back. This can include loading data into the cache which the program shouldn’t have access to, but the CPU only realises this after the data has been loaded into the cache. The state of the cache does not get rolled back.
How does the spectre attack work?
Train the branch predictor unit to take a certain branch. Access an out-of-bounds piece of data that gets loaded into the cache before the CPU checks whether the process has the right to access that data. Then use a flush and reload attack to get the value from the cache.