Collide+Power "Can Enhance Any Side-Channel Signal Related to Power" for Easier Exploitation
Data-dependent power draw changes mean it's possible to exfiltrate private data from any CPU — albeit slowly, researchers say.
A research team from the Graz University of Technology and the CISPA Helmholtz Center for Information Security has published details of a software enhancement to power-based side-channel attacks, making them easier to exploit across all CPUs: Collide+Power.
"Collide+Power is a novel method to exploit the fundamental way we build and share components in CPUs. We do not target specific programs but instead the underlying CPU hardware itself," the team explains. "This advance in software-based power side channels echoes the discovery of Meltdown and Spectre — where similarly, the underlying hardware provided unforeseen attack possibilities, leaking actual data values."
The Spectre and Meltdown vulnerabilities caused a stir upon their publication back in 2018, revealing that systems put in place to improve processor performance could be used in side-channel attacks to leak the contents of supposedly-protected memory — allowing malicious applications to obtain private keys, passwords, and more.
"The Collide+Power technique can enhance any side-channel signal related to power, such as RAPL [Running Average Power Limit] (PLATYPUS) or frequency throttling (Hertzbleed)," the team claims, referring to two later power-related side-channel attacks. "While the leakage rates with current proof-of-concepts are comparably low, future attacks may be faster and indicate the necessity of security patches."
The Collide+Power attack works by having the attacker fill a target CPU component, such as the cache, with known data, then forcing the victim to overwrite the attacker-controlled data with its own. The collision between the two sets of data causes a fluctuation in the CPU's power usage — which, as it varies with the data involved, can be used to infer the supposedly-private data.
"Previous software-based power side-channels attacks like PLATYPUS and Hertzbleed target cryptographic implementations and require precise knowledge of the algorithm or victim program executed on the target machine," the team explains. "In contrast, Collide+Power targets the CPU memory subsystem, which abstracts the precise implementation away as all programs require the memory subsystem in some way. Furthermore, any signal reflecting the power consumption can be used due to the fundamental physical power leakage exploited by Collide+Power."
While the team says that Collide+Power's leakage rate — the speed at which it can retrieve protected secrets — is currently too low to form a practical malicious attack, the researchers also warn that it's applicable to "nearly all CPUs" — and suggest that workarounds should be put in place to prevent untrusted applications from having unfiltered access to live power usage data.
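The workaround the researchers point to, keeping live power data away from untrusted code, is something an administrator can check for on Linux, where the RAPL energy counters the article mentions are exposed through the powercap sysfs tree. The script below is an added example written for this article, not code from the Collide+Power researchers; it assumes a Linux host with the `/sys/class/powercap/intel-rapl*/energy_uj` layout (the kernel restricted these files to root after PLATYPUS, so a world-readable counter indicates a misconfiguration or an old kernel) and flags any `energy_uj` file an unprivileged process could read. The directory argument exists so the check can be pointed at a constructed directory tree for testing.

```shell
#!/bin/sh
# Added example (not the researchers' code): audit whether RAPL energy counters
# exposed via the Linux powercap sysfs tree are readable by unprivileged users.
# Assumption: counters live at <dir>/*/energy_uj and <dir>/*/*/energy_uj, which
# matches the intel-rapl:N and intel-rapl:N:M domain layout on Linux.

# Usage: check_rapl_exposure [POWERCAP_DIR]   (default /sys/class/powercap)
# Prints one line per counter and returns 1 if any counter is world-readable.
check_rapl_exposure() {
    dir="${1:-/sys/class/powercap}"
    exposed=0
    found=0
    for f in "$dir"/*/energy_uj "$dir"/*/*/energy_uj; do
        # an unmatched glob is left as a literal pattern; skip it
        [ -e "$f" ] || continue
        found=1
        # column 8 of "ls -ld" output is the read bit for "other" (e.g. -r--r--r--)
        other_r=$(ls -ld "$f" | cut -c8)
        if [ "$other_r" = "r" ]; then
            echo "EXPOSED  $f is world-readable"
            exposed=1
        else
            echo "ok       $f is not world-readable"
        fi
    done
    [ "$found" -eq 1 ] || echo "no energy_uj counters found under $dir"
    return "$exposed"
}

# Run against the live system when executed directly.
if [ "${0##*/}" = "check_rapl_exposure.sh" ]; then
    check_rapl_exposure "$@"
fi
```

A non-zero exit status means at least one counter can be sampled by any local user, which is exactly the unfiltered access the researchers recommend removing; tightening the mode to 0400 (or upgrading to a kernel that does so by default) closes that path without affecting privileged power-management tooling.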
More details, and the paper under open-access terms, are available on the Collide+Power website.