A cache side-channel attack defense method and device
By using encrypted processing of cache indexes and key update mechanisms, the problems of utilization and performance overhead in cache side-channel attack defense are solved, achieving efficient protection of secure process data.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2021-06-10
- Publication Date
- 2026-07-14
AI Technical Summary
Existing methods for defending against cache side-channel attacks are insufficient in reducing cache utilization or increasing performance overhead, and cannot effectively prevent attackers from obtaining confidential information from secure processes.
The cache indexing technology employs encryption processing. When a data access request is received, the cache index is determined using the keys corresponding to P cache lines based on the target physical address of the secure process. This ensures that secure processes use encrypted cache lines, while insecure processes use the entire cache space. Combined with protection domain indication information and a key update mechanism, this improves both security and efficiency.
While ensuring cache utilization and reducing performance overhead, it defends against cache side-channel attacks, ensuring the security of process data and processing efficiency.
Smart Images

Figure CN115470532B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of information security technology, and in particular to a method and apparatus for defending against cache side-channel attacks. Background Technology
[0002] Side-channel attacks exploit leaked physical state information closely related to internal computations during the execution of cryptographic algorithms, such as acoustic and optical information, power consumption, electromagnetic radiation, and runtime. In recent years, side-channel attack techniques have gradually penetrated from external devices to internal components like the central processing unit (CPU), cache, and branch prediction unit. Cache side-channel attacks are a novel type of side-channel attack that can be performed across platforms and CPUs, breaching security boundaries and posing a significant threat to existing security measures.
[0003] Cache side-channel attacks typically involve four steps: First, obtaining the mapping between physical addresses in memory and cache set indices in the cache; second, operating on the cache set using this mapping; third, triggering computational operations related to sensitive data; and fourth, obtaining the state of the cache set operated on in step two through access time, and then deducing confidential information from the collected state information. Several cache side-channel attack defense methods are provided in the prior art, as detailed below.
[0004] The first method involves preloading sensitive data or code from a secure process into the cache before computation or execution. This method's security lies in preventing attackers from preemptively occupying cache lines used by the secure process in the second step. However, this method requires technical personnel to identify, modify, and label sensitive data and code, which is labor-intensive and does not support binary code. Furthermore, preloading sensitive data and code into the cache can prevent non-secure processes from effectively utilizing the occupied cache space, thus reducing cache utilization.
[0005] The second method uses software instructions to set the cache to randomized mode. A portion of the cache space is randomly selected to store sensitive data. This selected cache space is invalidated upon entering and exiting randomized mode. This ensures that sensitive data in the secure process is not affected by data pre-set by attackers, and no data is left in the cache upon exit. However, this method requires switching between randomized and standard modes and invalidating the selected cache space, resulting in significant performance overhead.
[0006] The third method involves randomizing and encrypting the cache index corresponding to the physical address in each data access request that enters the last level cache (LLC). The resulting value is then stored as the new cache index. In other words, by randomizing and encrypting the physical addresses in all data access requests and using the resulting value as the new cache index, the attacker is prevented from obtaining the mapping between physical addresses in memory and cache indexes. However, this method requires randomizing and encrypting the physical addresses in all data access requests, meaning both secure and insecure processes need to be processed. This reduces processing efficiency and increases performance overhead.
[0007] In summary, the aforementioned different methods for defending against cache side-channel attacks will, to varying degrees, reduce cache utilization or increase cache performance overhead. Summary of the Invention
[0008] This application provides a method and apparatus for defending against cache side-channel attacks, which can be used to defend against attackers obtaining confidential information of secure processes based on cache side-channel attacks while ensuring cache utilization and reducing cache performance overhead, thereby ensuring the data security of secure processes.
[0009] To achieve the above objectives, this application adopts the following technical solution:
[0010] Firstly, a method for defending against cache side-channel attacks is provided. The cache includes P cache lines, where P is a positive integer. The method includes: receiving a data access request from a processing core, the data access request including a target physical address; if the target physical address comes from a security process, determining the cache index corresponding to the P cache lines based on i sets of keys corresponding to the P cache lines; and processing the data access request based on the cache index corresponding to the P cache lines and the target physical address.
[0011] In this embodiment, when a data access request is received from the processing core, if the target physical address in the request originates from the secure process, the key corresponding to the P cache lines is used to determine the cache index corresponding to the P cache lines. The data access request is then processed based on the cache index corresponding to the P cache lines and the target physical address. That is, the secure process in this application can use the P cache lines in the cache, and the cache index corresponding to the P cache lines is encrypted. Non-secure processes can use the entire cache space in the cache. Therefore, compared with existing technologies, this approach can ensure cache utilization and reduce cache performance overhead while preventing attackers from obtaining confidential information of the secure process through cache side-channel attacks, thereby ensuring the security of the secure process's data.
[0012] In one possible implementation of the first aspect, the P cache lines are located in i cache lines, and the key includes i sets of keys that correspond one-to-one with the i cache lines. Each set of keys in the i sets includes an old key and a new key, where i is an integer greater than or equal to 1 and less than or equal to P. The cache index corresponding to the P cache lines is determined based on the keys corresponding to the P cache lines, including: for the first set of keys in the i sets, decrypting the old key and the new key in the first set to obtain the old cache index and the new cache index, where the first set of keys is any set of keys in the i sets; and determining the first cache index from the old cache index and the new cache index according to the index indication. The first cache index is the cache index corresponding to the cache line in the first cache line of the i cache lines among the P cache lines, and the first cache line corresponds to the first set of keys. In the above possible implementation, by encrypting the cache index of the P cache lines using both the old key and the new key, the security of the data in the secure process can be effectively guaranteed, while simultaneously improving the security of the keys corresponding to the P cache lines.
[0013] In one possible implementation of the first aspect, determining the first cache index from the old cache index and the new cache index according to the index indication includes: if the old cache index is greater than or equal to the index indication, determining the old cache index as the first cache index; if the old cache index is less than the index indication, determining the new cache index as the first cache index. In the above possible implementation, determining the first cache index through the size relationship between the index indication and the old and new cache indices can improve the security of the keys corresponding to the P cache lines while ensuring that the correct key can be obtained during data access.
[0014] In one possible implementation of the first aspect, the P cache lines are distributed across multiple cache lines included in the cache. In the above possible implementation, when the P cache lines are distributed across multiple cache lines included in the cache, the cache lines of the P cache lines in the multiple cache lines can be queried at once, thereby improving query efficiency and further improving the processing efficiency of data access requests.
[0015] In one possible implementation of the first aspect, processing the data access request based on the cache indexes corresponding to the P cache lines and the target physical address includes: determining whether a second cache line exists based on the cache indexes corresponding to the P cache lines and the target physical address, wherein the tag information in the second cache line is consistent with the tag information in the target physical address; if the second cache line exists, determining whether the first data in the second cache line originates from the security process; if the first data originates from the security process, reading the first data and sending it to the processing core. In the above possible implementation, the security of the data of the security process stored in the cache can be guaranteed during the processing of the data access request of the security process.
[0016] In one possible implementation of the first aspect, processing the data access request based on the cache index corresponding to the P cache lines and the target physical address further includes: if the second cache line does not exist, or if the first data comes from a non-secure process, retrieving the second data from memory based on the target physical address; and storing the second data in a third cache line among the P cache lines, where the third cache line is any one of the P cache lines. This possible implementation, by storing the second data in a third cache line among the P cache lines, can store the data of the secure process read from memory in an encrypted cache line, thereby effectively improving the security of the secure process's data.
[0017] In one possible implementation of the first aspect, the second cache line further includes protection domain indication information, and the method further includes: if the protection domain indication information is first information, determining that the first data comes from the secure process; if the protection domain indication information is second information, determining that the first data comes from the non-secure process. In the above possible implementation, when the second cache line also includes protection domain indication information, the cache controller can quickly and accurately determine whether the first data comes from a secure process or a non-secure process based on the protection domain indication information, thereby improving the efficiency and accuracy of determining the source of the first data.
[0018] In one possible implementation of the first aspect, the protection domain indication information occupies multiple bits. In the aforementioned possible implementation, when the protection domain indication information occupies multiple bits, the security process can be further divided into multiple security domains of different levels. Each security domain can have its own cache area. The protection domain indication information can indicate different levels of security domains, thereby further improving the isolation and security between different security domains.
[0019] In one possible implementation of the first aspect, the method further includes: updating the keys corresponding to the P cache lines when the number of accesses reaches a preset number of accesses. Optionally, during the process of reaching the preset number of accesses, the keys corresponding to the P cache lines are updated through multiple updates. In the above possible implementations, by updating the keys corresponding to the P cache lines, the security and effectiveness of the keys corresponding to the P cache lines can be improved, thereby preventing attackers from attempting to obtain the keys corresponding to the P cache lines through long-term analysis.
[0020] In one possible implementation of the first aspect, the keys corresponding to the P cache lines include i sets of keys, where i is an integer greater than or equal to 1 and less than or equal to P. Updating the keys corresponding to the P cache lines includes: for the second set of keys in the i sets of keys, decrypting the old key and the new key in the second set of keys respectively to obtain the old cache index and the new cache index, where the second set of keys is any set of keys in the i sets of keys; generating a first new key, storing the data in the cache line indicated by the new cache index in the cache line indicated by the first new cache index, where the first new cache index is obtained by decrypting the first new key; storing the data in the cache line indicated by the old cache index in the cache line indicated by the new cache index, and determining that the old key is equal to the new key; incrementing the index indicator by one to complete the update of the index indicator. In the above possible implementations, when the i-th key group includes multiple key groups, the multiple key groups can be updated multiple times during the process of reaching the preset number of accesses. For example, only one key group in the i-th key group can be updated each time to avoid the problem of large performance overhead and latency caused by updating multiple key groups at the same time.
[0021] In one possible implementation of the first aspect, the method further includes: if the target physical address comes from a non-secure process, determining whether a fourth cache line exists in the cache based on the target physical address, wherein the tag information in the fourth cache line is consistent with the tag information in the target physical address; if the fourth cache line exists and belongs to the P cache lines, determining whether the third data in the fourth cache line comes from the non-secure process; if the fourth cache line exists and does not belong to the P cache lines, or the third data comes from the non-secure process, reading the third data and sending it to the processing core. In the above possible implementation, when the target physical address comes from a non-secure process, the cache can be queried directly based on the target physical address, that is, the cache index of the cache line can be determined directly based on the target physical address, without needing to encrypt and decrypt the cache index using a key, thereby improving the processing efficiency of data access requests to a certain extent.
[0022] In one possible implementation of the first aspect, the method further includes: if the fourth cache line does not exist, or if the third data originates from the secure process, retrieving the fourth data from memory based on the target physical address, and storing the fourth data in the cache. The above possible implementations can improve the processing efficiency of data access requests from insecure processes without affecting the security of the data in the secure process.
[0023] In one possible implementation of the first aspect, after receiving the data access request from the processing core, the method further includes: if the target physical address is within a first physical address range corresponding to the secure process, determining that the target physical address originates from the secure process; if the target physical address is within a second physical address range corresponding to a non-secure process, determining that the target physical address originates from the non-secure process. In the above possible implementations, by configuring a first physical address range for the secure process and a second physical address range for the non-secure process, the accuracy and speed of determining the source based on the physical address range to which the target physical address belongs can be improved.
[0024] Secondly, a cache side-channel attack defense device is provided. The cache includes P cache lines, where P is a positive integer. The device includes: a receiving unit for receiving a data access request from a processing core, the data access request including a target physical address; a determining unit for determining the cache index corresponding to the P cache lines based on the key corresponding to the P cache lines if the target physical address comes from a security process; and a processing unit for processing the data access request based on the cache index corresponding to the P cache lines and the target physical address.
[0025] In one possible implementation of the second aspect, the P cache lines are located in i cache lines, the key includes i sets of keys and corresponds one-to-one with the i cache lines, each set of keys in the i sets of keys includes an old key and a new key, where i is an integer greater than or equal to 1 and less than or equal to P, and the determining unit is further configured to: for the first set of keys in the i sets of keys, decrypt the old key and the new key in the first set of keys respectively to obtain an old cache index and a new cache index, wherein the first set of keys is any set of keys in the i sets of keys; determine a first cache index from the old cache index and the new cache index according to the index indication, wherein the first cache index is the cache index corresponding to the cache line in the first cache line in the i cache lines where the P cache lines are located, and the first cache line corresponds to the first set of keys.
[0026] In one possible implementation of the second aspect, the determining unit is further configured to: determine the old cache index as the first cache index if the old cache index is greater than or equal to the index indication; and determine the new cache index as the first cache index if the old cache index is less than the index indication.
[0027] In one possible implementation of the second aspect, the P cache lines are distributed across the multiple cache lines included in the cache.
[0028] In one possible implementation of the second aspect, the determining unit is further configured to determine whether a second cache line exists based on the cache index corresponding to the P cache lines and the target physical address, wherein the tag information in the second cache line is consistent with the tag information in the target physical address; the determining unit is further configured to determine whether the first data in the second cache line comes from the security process if the second cache line exists; the processing unit is further configured to read the first data and send it to the processing core if the first data comes from the security process.
[0029] In one possible implementation of the second aspect, the processing unit is further configured to: if the second cache line does not exist, or if the first data comes from an insecure process, retrieve the second data from memory according to the target physical address; store the second data in a third cache line among the P cache lines, wherein the third cache line is any one of the P cache lines.
[0030] In one possible implementation of the second aspect, the second cache line further includes protection domain indication information, and the determining unit is further configured to: if the protection domain indication information is first information, determine that the first data comes from the secure process; if the protection domain indication information is second information, determine that the first data comes from the non-secure process.
[0031] In one possible implementation of the second aspect, the protection field indicates that the information occupies multiple bits.
[0032] In one possible implementation of the second aspect, the apparatus further includes: an update unit, configured to update the keys corresponding to the P cache lines when the number of accesses reaches a preset number of accesses. Optionally, the update unit is further configured to: update the keys corresponding to the P cache lines through multiple updates during the process of the number of accesses reaching the preset number of accesses.
[0033] In one possible implementation of the second aspect, the keys corresponding to the P cache lines include i sets of keys, where i is an integer greater than or equal to 1 and less than or equal to P. The update unit is further configured to: for the second set of keys in the i sets of keys, decrypt the old key and the new key in the second set of keys respectively to obtain the old cache index and the new cache index, where the second set of keys is any set of keys in the i sets of keys; generate a first new key, store the data in the cache line indicated by the new cache index in the cache line indicated by the first new cache index, where the first new cache index is obtained by decrypting the first new key; store the data in the cache line indicated by the old cache index in the cache line indicated by the new cache index, and determine that the old key is equal to the new key; increment the index indicator by one to complete the update of the index indicator.
[0034] In one possible implementation of the second aspect, the determining unit is further configured to, if the target physical address comes from a non-secure process, determine whether a fourth cache line exists in the cache based on the target physical address, wherein the tag information in the fourth cache line is consistent with the tag information in the target physical address; the determining unit is further configured to, if the fourth cache line exists and the fourth cache line belongs to the P cache lines, determine whether the third data in the fourth cache line comes from the non-secure process; the processing unit is further configured to, if the fourth cache line exists and the fourth cache line does not belong to the P cache lines, or the third data comes from the non-secure process, read the third data and send it to the processing core.
[0035] In one possible implementation of the second aspect, the processing unit is further configured to: if the fourth cache line does not exist, or if the third data comes from the security process, retrieve the fourth data from memory according to the target physical address, and store the fourth data in the cache.
[0036] In one possible implementation of the second aspect, the determining unit is further configured to: if the target physical address is located within a first physical address range corresponding to the secure process, determine that the target physical address comes from the secure process; if the target physical address is located within a second physical address range corresponding to a non-secure process, determine that the target physical address comes from the non-secure process.
[0037] In another aspect of this application, a chip is also provided, the chip including at least one processing core and a cache coupled to the at least one processing core, the cache including the cache side-channel attack defense device provided by the second aspect or any possible implementation of the second aspect.
[0038] In another aspect of this application, an electronic device is provided, the electronic device including a processor, the processor including at least one processing core, and a cache coupled to the at least one processing core, the cache including the cache side-channel attack defense device provided by the second aspect or any possible implementation of the second aspect.
[0039] In another aspect of this application, a computer-readable storage medium is provided, which stores instructions that, when executed on a device, cause the device to perform the cache side-channel attack defense method provided by the first aspect or any possible implementation thereof.
[0040] In another aspect of this application, a computer program product is provided that, when the computer program product is run on a device, causes the device to execute the cache side-channel attack defense method provided by the first aspect or any possible implementation of the first aspect.
[0041] It should be understood that any of the cache side-channel attack defense devices, chips, electronic devices, computer-readable storage media or computer program products provided above are used to execute the cache side-channel attack defense method provided above. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods provided above, and will not be repeated here. Attached Figure Description
[0042] Figure 1 A schematic diagram of the structure of a CPU cache provided in an embodiment of this application;
[0043] Figure 2 A schematic diagram illustrating a cache side-channel attack provided in an embodiment of this application;
[0044] Figure 3 A schematic diagram of a processor provided in an embodiment of this application;
[0045] Figure 4 This is a schematic diagram of a cache-based random pattern defense against cache side-channel attacks.
[0046] Figure 5 This is a schematic diagram illustrating a method of defending against cache side-channel attacks by randomizing the cache index;
[0047] Figure 6This is a schematic diagram illustrating a defense against cache side-channel attacks achieved through a purging attack.
[0048] Figure 7 A flowchart illustrating a method for defending against cache side-channel attacks provided in this application embodiment;
[0049] Figure 8 This is a schematic diagram of a P-type cache line provided in an embodiment of this application;
[0050] Figure 9 A schematic diagram illustrating a query multi-way set association cache provided in an embodiment of this application;
[0051] Figure 10 This is a schematic diagram of another P cache lines provided in an embodiment of this application;
[0052] Figure 11 A schematic diagram of a query caching process provided in an embodiment of this application;
[0053] Figure 12 This application provides a schematic diagram of the structure of a cache line according to an embodiment of the present application;
[0054] Figure 13 A flowchart illustrating another method for defending against cache side-channel attacks provided in this application embodiment;
[0055] Figure 14 A schematic diagram of another query caching process provided in an embodiment of this application;
[0056] Figure 15 A schematic diagram of a processor provided in an embodiment of this application;
[0057] Figure 16 A schematic diagram of a cache side-channel attack defense device provided in this application embodiment;
[0058] Figure 17 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation
[0059] The technical solutions in the embodiments of this application will be described below with reference to the accompanying drawings. In this application, "at least one" refers to one or more, and "more than one" refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural. The character " / " generally indicates that the related objects before and after are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple. In addition, in the embodiments of this application, the words "first," "second," etc., do not limit the quantity or order.
[0060] It should be noted that, in this application, the terms "exemplary" or "for example" are used to indicate that something is being described as an example, illustration, or illustration. Any embodiment or design described as "exemplary" or "for example" in this application should not be construed as being more preferred or advantageous than other embodiments or design solutions. Specifically, the use of terms such as "exemplary" or "for example" is intended to present the relevant concepts in a concrete manner.
[0061] Before introducing the embodiments of this application, the technical terms and background technology involved in this application will be introduced and explained first.
[0062] Cache: A cache is a storage unit with a faster read / write speed than main memory. A cache can also be called a high-speed cache storage. Caches typically include two types: data caches and integrity tree node caches. Data caches typically include Level 1 cache (L1 cache), Level 2 cache (L2 cache), and Level 3 cache (L3 cache).
[0063] Cache line: Processors read from and write to the cache in units of one cache line, which is typically 512 bits in size. Cache lines are grouped together in the cache as cache sets, and a cache set can contain multiple cache lines.
[0064] N-way set associative: This is a way for the processor to access the cache. During access, the corresponding cache set index is first calculated based on the address, and then the cache line is looked up within the cache set. N-way indicates that the cache set includes n cache lines. Fully associative: This is another way for the processor to access the cache. During access, all cache lines in the cache can be looked up.
[0065] Side-channel attacks exploit leaked physical state information closely related to internal computations during the execution of cryptographic algorithms, such as acoustic and optical information, power consumption, electromagnetic radiation, and runtime. Cache side-channel attacks are a new type of side-channel attack technique, referring to attacks based on caches. Cache side-channel attacks can be performed across platforms and processors, breaching security boundaries to attack target devices.
[0066] Trusted Execution Environment (TEE): A secure area within a processor to ensure the storage, processing, and protection of sensitive data within the TEE.
[0067] Currently, computing architecture security is the cornerstone of future trusted computing, providing crucial safeguards for data security in big data computing represented by cloud computing, edge computing, and artificial intelligence (AI). The central processing unit (CPU), as the root of trust in computing architecture security, is vulnerable; if its security is compromised, the confidentiality or integrity of data will be compromised.
[0068] As a key component of the CPU, the cache has an access time close to the CPU's processing frequency. By utilizing the temporal and spatial locality of data access in the CPU, some data in memory is stored in the CPU's cache, which greatly reduces the time for the CPU to repeatedly access data, thereby improving the overall access efficiency. Figure 1 This is a schematic diagram of a CPU cache structure, which includes a Level 1 cache (L1 cache), a Level 2 cache (L2 cache), and a Level 3 cache (L3 cache). Typically, the L1 and L2 caches are dedicated to a single CPU core, while the L3 cache is shared by multiple CPU cores. Figure 1This example uses four cores, designated cores 1 through 4. Specifically, when the CPU attempts to read data from main memory, it queries the L1 cache to determine if the data is present. If it is, the data is read directly from the L1 cache; if not, the L2 cache is queried, and so on. If the data is not in the L3 cache, the CPU sends a read / write request to main memory (internal storage), which returns the requested data. Simultaneously, the returned data is stored in the appropriate L1, L2, or L3 cache according to certain rules, facilitating future CPU memory read / write requests. Therefore, there is a difference in access time between cached and uncached data. The presence or absence of data in the cache affects the CPU's execution time when calculating data; that is, the CPU's processing time is correlated with the data itself. This correlation makes time-based side-channel attacks possible.
[0069] Side-channel attacks exploit leaked physical state information closely related to internal computations during the execution of cryptographic algorithms, such as acoustic and optical information, power consumption, electromagnetic radiation, and runtime. With the advent of Trusted Execution Environments (TEEs) represented by ARM TEE and Intel SGX, the severity of side-channel attacks has become even more pronounced in this new security environment. TEEs attempt to isolate secure processes from insecure processes, making it difficult for potential malicious applications to steal sensitive data from secure processes or for attackers to exploit vulnerabilities in insecure processes to obtain confidential information from highly secure processes. However, cached side-channel attacks allow malicious applications to bypass isolation mechanisms, steal sensitive information, undermine the security assumptions of TEEs, and compromise business confidentiality.
[0070] like Figure 2 As shown, cache side-channel attacks typically involve four steps: First, the attacker obtains the mapping between physical addresses in memory and cache set indices in the cache. This also allows the attacker to obtain the cache set mapped to the physical address space of the victim (e.g., a secure process). Second, the attacker operates on the cache set through this mapping. For example, the attacker can operate on the cache set used by the victim. Third, the attacker triggers computational operations related to sensitive data. If the victim subsequently operates on the cache set manipulated in the second step, it will increase the attacker's access time. Fourth, the attacker obtains the state of the cache set manipulated in the second step through the access time, and uses the collected state information to deduce confidential information.
[0071] Defending against cache side-channel attacks can be achieved by applying one or more of the four steps mentioned above. For example, it can be done by applying only the first, second, or fourth step, specifically by adding noise or isolation. Different defense methods can employ a processor architecture that isolates the insecure environment from the secure environment. This insecure environment can also be called an untrusted execution environment, an untrusted domain, or a normal domain, while the secure environment can be called a trusted execution environment or a trusted domain.
[0072] For example, Figure 3 This is a schematic diagram of the structure of a processor provided in an embodiment of this application. Figure 3 (a) in the diagram is a schematic diagram of the hardware structure of the processor. Figure 3 (b) in the diagram is a schematic diagram of the software architecture of the processor. The processor can be a CPU, a graphics processing unit (GPU), or a tensor processing unit (TPU) for artificial intelligence (AI), etc., and this application embodiment does not impose specific limitations on it.
[0073] Specifically, such as Figure 3 As shown in (a), the processor may include a processing core 101, a cache 102, a cache controller 103, and memory 104. The cache 102 is located between the processing core 101 and the memory 104. The cache controller 103 is used to calculate the cache index of the cache set in the cache 102, query whether the requested data exists in the cache 102, and replace or update the data stored in the cache 102. The access speed of the processing core 101 to the cache 102 is much higher than the access speed of the processing core 101 to the memory 104. The cache 102 utilizes the spatial locality of data usage to store data (e.g., 64 bytes), greatly reducing the access frequency of the processing core 101 to the memory 104 and improving the overall system performance.
[0074] like Figure 3As shown in (b), the processor runs an insecure process 111 located in an insecure environment 110 and a secure process 121 located in a secure environment 120. The insecure environment 110 may also include an insecure operating system (OS) 112 for running the insecure process 111, and the secure environment 120 may also include a secure kernel 122 for running the secure process 121. The insecure environment 110 and the secure environment 120 can be switched by a monitor 130.
[0075] The following is based on Figure 3 The processor structure shown is illustrated, and several different methods for defending against cache side-channel attacks are introduced below.
[0076] The first method: When sensitive data or sensitive code in a security process is about to be computed or executed, the sensitive data or code is preloaded into the cache. Specifically, this is achieved through... Figure 3 The security environment shown includes a logbook to record the storage status of sensitive data in the cache. If sensitive data is already in the cache, it doesn't need to be read from memory during preloading; otherwise, it's preloaded. The security of this method lies in preventing attackers from preempting the cache lines used by the secure process in the second step, making it difficult for attackers to preemptively seize these lines. However, this method requires technical personnel to identify, modify, and annotate sensitive data and code, which is labor-intensive and doesn't support binary code. Furthermore, preloading sensitive data and code into the cache can prevent non-secure processes from effectively utilizing the occupied cache space, thus reducing cache utilization.
[0077] The second method, such as Figure 4 As shown, the method includes the following steps: S201, using software instructions to set the cache to randomized mode, and randomly selecting a portion of the cache space to store sensitive data; S202, invalidating the selected cache space when entering randomized mode; S203, invalidating the selected cache space when exiting randomized mode. This ensures that the sensitive data of the security process is not affected by data pre-set by an attacker by invalidating the selected cache space when entering randomized mode, and that the sensitive data is not left in the cache space when exiting randomized mode. However, this method requires switching between randomized mode and standard mode, and also requires invalidating the selected cache space, resulting in significant performance overhead.
[0078] The third method: such as Figure 5 As shown in (a), for each data access request among all data access requests entering the last level cache (LLC), the cache index corresponding to the physical address in the request is randomized and encrypted, and the resulting value is stored as the corresponding new cache index. That is, by randomizing and encrypting the physical addresses in all data access requests of the processor and using the resulting value as the new cache index, the attacker is prevented from obtaining the mapping relationship between the physical address of memory and the cache set index in the cache. When data in the cache line needs to be evicted, the value is decrypted, the physical address of the cache line is obtained, and then it is written back. However, this method requires randomizing and encrypting the physical addresses in all data access requests of the processor, meaning that data access requests corresponding to both secure and insecure processes need to be processed, which reduces the processing efficiency of data access requests and increases performance overhead.
[0079] Furthermore, if the cache index of a physical address remains unchanged, an attacker could still determine the actual cache index of that physical address through multiple attempts. To prevent such attacks, the cache index of a single physical address can be periodically changed based on cache index randomization. For example, the encryption key can be changed periodically, and the data in the cache can be updated simultaneously with the key update. For instance, as shown... Figure 5 As shown in (b), at times t0 to t1, the cache set index in the LLC can be ID0, and the corresponding encryption key can be K0; at times t1 to t2, the cache set index in the LLC can be ID1, and the corresponding encryption key can be K1. Furthermore, for N-way caches, the cache can be divided into multiple parts, each using an independent encryption key; that is, the cache set index for the same physical address is not the same in different parts. For example... Figure 5 As shown in (c), for a 16-way cache (denoted as W0 to W15), W0 to W15 can be divided into two parts: W0 to W7 and W8 to W15. For physical address Add-X, the encryption key corresponding to the cache index of Add-X in W0 to W7 can be LK, and the encryption key corresponding to the cache index of Add-X in W8 to W15 can be RK. During actual access, for access requests entering the cache, each part uses its own key to query. If a match is found, the data is returned directly; if a match is not found, a part is randomly selected from multiple parts to store the data read from memory.
[0080] The fourth method primarily defends against flush attacks in side-channel attacks. A flush attack requires two conditions: first, there must be shared memory shared by the attacker (e.g., a malicious application) and the secure process; second, the use of this shared memory must be directly or indirectly related to confidential data. A flush attack involves the attacker using flush instructions to evict the cache corresponding to the shared memory between the attacker and the secure process, then triggering data computation or code execution in the secure process, and finally observing the secure process's execution through the shared memory. Specifically, to defend against flush attacks, a zombie bit (Z) is added to each cache line. When the flush instruction is executed, this is combined with the existing valid bit (V) in the cache line to indicate whether the cache line has been accessed according to the flush attack's access pattern. For example,... Figure 6 As shown, assuming that at time t1, when the secure process accesses a certain cache line in the shared cache, it sets the valid position of that cache line to 1 (i.e., V=1) and the zombie position to 0 (i.e., T=0). At time t2, when the attacker clears the cache line using the flush instruction, it sets the valid position to 0 (i.e., V=0) and the zombie position to 1 (i.e., T=1). At time t3, when the secure process accesses the cache line, it sets the valid position to 0 (i.e., V=1) and T=1. At time t4, when the attacker accesses the cache line, it determines that the access pattern of the cache line matches the access pattern of the clearing attack, thereby delaying the response to the attacker's access and blocking the attacker's process of obtaining confidential information by measuring the access time. Figure 6 In this context, TX represents the tag bit (T) in the cache line, and DX represents the data bit (D) in the cache line.
[0081] Figure 7 A flowchart illustrating a method for defending against cache side-channel attacks provided in this application embodiment is available. This method can be applied to the above-mentioned... Figure 3 In the processor shown, this method can be specifically executed by the cache controller within the processor, and includes the following steps.
[0082] S301: Receives a data access request from the processing core, which includes the target physical address.
[0083] The cache in the processor can include M rows of N-way cache lines, which can also be called an N-way cache. The cache includes M cache sets, each of which includes N cache lines. The M rows of N-way cache lines are used to store data of non-secure processes. P cache lines in the M rows of N-way cache lines are used to store data of non-secure processes. M, N and P are positive integers.
[0084] Optionally, the P cache lines are located in the i-th cache line of the N-way cache lines, where i is an integer greater than or equal to 1 and less than or equal to P. In one possible embodiment, the P cache lines may occupy all cache lines in the i-way cache lines. In another possible implementation, the P cache lines may occupy a portion of the i-way cache lines; for example, the P cache lines may occupy the N-way cache lines and be distributed among them.
[0085] For example, suppose the M rows of N-way cache lines are actually 8 rows of 4-way cache lines, where the 8 rows are represented by S0 to S7, and the 4 ways are represented by W0 to W3. If the P cache lines occupy all the cache lines of the i-way cache line, such as Figure 8 As shown in (a), the P cache lines constitute 8 cache lines and are located in the last cache line W3, meaning that the 8 cache lines include W3 from S0 to S7. If the P cache lines occupy the N cache lines and are distributed among the N cache lines, as... Figure 8 As shown in (b), the P cache lines are 8 cache lines, and the 0th to 1st cache lines are located in S0 and S1 respectively (W0), the 2nd to 3rd cache lines are located in S2 and S3 respectively (W1), the 4th to 5th cache lines are located in S4 and S5 respectively (W2), and the 6th to 7th cache lines are located in S6 and S7 respectively (W3).
[0086] Specifically, this data access request is used to request access to data in memory, and the physical address of the data in memory is the target physical address included in the data access request. This data access request can be a read request or a write request; a read request can be used to read data, and a write request can be used to write data. When a processing core in the processor needs to access data in memory, the processing core can send a data access request, carrying the target physical address of the data in the data access request, so that the cache controller in the processor can receive the data access request.
[0087] S302: If the target physical address comes from a secure process, determine the cache index corresponding to the P cache lines based on the keys corresponding to the P cache lines.
[0088] The P cache lines are located in i cache lines out of the N cache lines. The keys corresponding to the P cache lines can specifically include i sets of keys. Each i set of keys corresponds one-to-one with each i cache line; that is, each cache line in the i cache lines corresponds to one set of keys in the i sets of keys. Each set of keys in the i sets of keys can include an old key and a new key. The old key can be the key before the update, and the new key can be the key after the update.
[0089] Furthermore, the cache indices corresponding to the P cache lines can include i cache indices, each of which can correspond one-to-one with the i sets of keys. That is, each of the i sets of keys can be used to determine one of the i cache indices. These cache indices can also be called cache set indices, and the cache indices corresponding to the P cache lines can also be called the indices of the cache set to which the P cache lines belong.
[0090] Optionally, when the target physical address comes from a secure process, for each key in the i-group of keys, the cache controller can determine the cache index corresponding to the key in the following method. The following explanation takes the first key in the i-group of keys as an example. The first key is any one of the keys in the i-group of keys.
[0091] Specifically, when the target physical address originates from a secure process, for the first key in the i-group of keys, the cache controller can decrypt the old key and the new key in the first key group respectively, obtaining the corresponding old cache index and new cache index. Based on the index indication, a first cache index is determined from the old cache index and the new cache index. The first cache index is the cache index corresponding to the cache line in the first cache line among the i-path cache lines, and the first cache line corresponds to the first key group. Further, determining the first cache index from the old cache index and the new cache index based on the index indication can specifically include: if the old cache index is greater than or equal to the index indication, the old cache index is determined as the first cache index; if the old cache index is less than the index indication, the new cache index is determined as the first cache index.
[0092] It should be noted that the i-group key and the index indicator can be stored in different registers, and can be retrieved from the corresponding registers when the cache controller needs to use them.
[0093] Furthermore, optionally, after receiving the data access request, the cache controller may first determine whether the target physical address included in the data access request comes from a secure process, and execute the above step S302 if it is determined that the target physical address comes from a secure process. That is, after S301 and before S302, the method may also include S300: determining whether the target physical address comes from a secure process.
[0094] In this processor, secure processes and non-secure processes can correspond to different physical address ranges. Optionally, the physical address range corresponding to memory can be pre-divided. For example, the physical address range corresponding to memory can be divided into a first physical address range used by secure processes and a second physical address range used by non-secure processes. That is, secure processes correspond to the first physical address range, and non-secure processes correspond to the second physical address range.
[0095] Specifically, after receiving the data access request, the cache controller can first determine whether the target physical address included in the data access request comes from a secure process. If the secure process corresponds to a first physical address range and the non-secure process corresponds to a second physical address range, then when the target physical address is within the first physical address range corresponding to the secure process, it is determined that the target physical address comes from the secure process; when the target physical address is within the second physical address range corresponding to the non-secure process, it is determined that the target physical address comes from the non-secure process.
[0096] S303: Process the data access request based on the cache index corresponding to the P cache lines and the target physical address.
[0097] The cache line used to store data in this cache may include a valid (V) bit, a tag (T) field, and a data field. The valid bit indicates whether the data in the cache line is valid. The tag field carries tag information, which can be used to determine whether the data in the cache line corresponds to the data at the physical address that the processing core will read. The data field stores the data retrieved from memory.
[0098] Additionally, the target physical address may include a tag (T) field and a cache index segment. The tag field carries tag information, and the cache index segment identifies the row number of the cache line to be retrieved in the cache (also known as the cache set index). Optionally, the target physical address may also include other fields, such as a block offset field, which is not specifically limited in this embodiment.
[0099] Furthermore, for multi-way set associative caches, the cache controller can typically query the cache to handle data access requests in the following ways. For example, such as... Figure 9 As shown, taking a 2-way associative cache as an example, the specific query process may include: based on the cache index segment in the target physical address (i.e., Figure 9After selecting the row number of the cache line in S2), the tag information in the two cache lines corresponding to that row number (represented as W0 and W1 respectively) is extracted (i.e., T0 in W0 and T1 in W1 are extracted); then the comparator (11, 12) is used to compare whether the read tag information (i.e., T0 and T1) is the same as the tag information (T2) in the target physical address; the comparison result is calculated with the valid bits of the two cache lines (i.e., V0 in W0 and V1 in W1) through AND gate (21, 22); finally, the output results of the two AND gates are calculated through OR gate 31, and the final calculation result indicates whether the data corresponding to the target physical address exists in the cache. If the result is true (1), the data exists in the cache and is considered a hit. If the result is false (0), the data does not exist in the cache and is considered a miss. If a match is found, the output of AND gate (21, 22) is converted by encoder 41 into the number of the cache line. This number is then input into multiplexer 51 to select the data in the corresponding cache line and return it to the processing core. If a data is missing, the cache controller sends a read request to memory. After memory returns the data, the cache controller stores the data in the cache according to certain rules.
[0100] In this embodiment, when the cache controller processes the data access request based on the cache indexes corresponding to the P cache lines and the target physical address, it can use the cache lines indicated by the cache indexes corresponding to the P cache lines as i-way isolated cache lines, as described above. Figure 9 Similarly, the i-way isolation cache line is queried based on the target physical address to determine whether the data corresponding to the target physical address is in the i-way isolation cache line. If it is in the i-way isolation cache line (i.e. the data accessed by the processing core is in the cache), the data can be read and returned to the processing core. If it is not in the i-way isolation cache line (i.e. the data accessed by the processing core is not in the cache), the corresponding data can be read from memory and written to the cache.
[0101] The i-way isolated cache line can be pre-set or pre-defined. That is, the P cache lines can be pre-set or pre-defined as the i-way isolated cache line. The i-way isolated cache line can include one or more isolated cache lines, and each isolated cache line can include N cache lines. When the P cache lines occupy all the cache lines in the i-way cache line among the N cache lines, the i-way cache line is the i-way isolated cache line, and the cache controller can query each cache line in each isolated cache line. When the P cache lines occupy the N cache lines and are distributed among the N cache lines, the i-way isolated cache line includes some cache lines from different cache lines, and the cache controller can query multiple cache lines in the same isolated cache line simultaneously.
[0102] For example, suppose the cache is a 16-way cache and includes 8 cache sets. The P cache lines comprise 32 cache lines and are divided into four isolated cache lines. The 16-way cache is represented as W0 to W15, and the 8 cache sets are represented as S0 to S7. Figure 10 As shown in (a), if the P cache lines occupy W3, W7, W11, and W15 of the 16-way cache, then the four isolated cache lines are W3, W7, W11, and W15. Figure 10 As shown in (b), if the P cache lines occupy 16 paths and are distributed among the 16 cache lines, then the first isolated cache line among the four isolated cache lines can include W0 in S0 and S1, W1 in S2 and S3, W2 in S4 and S5, and W3 in S6 and S7; the second isolated cache line can include W4 in S0 and S1, W5 in S2 and S3, W6 in S4 and S5, and W7 in S6 and S7; the third isolated cache line can include W8 in S0 and S1, W9 in S2 and S3, W10 in S4 and S5, and W11 in S6 and S7; and the fourth isolated cache line can include W12 in S0 and S1, W13 in S2 and S3, W14 in S4 and S5, and W15 in S6 and S7.
[0103] Furthermore, such as Figure 11 As shown, the process by which the cache controller processes the data access request based on the cache indexes corresponding to the P cache lines and the target physical address, as described above, may include: S01. Determining whether a second cache line exists based on the cache indexes corresponding to the P cache lines and the target physical address, wherein the tag information in the second cache line is consistent with the tag information in the target physical address; S02A. If no second cache line exists, retrieving the second data from memory based on the target physical address and storing the second data in the third cache line among the P cache lines, wherein the third cache line is any one of the P cache lines; S02B. If a second cache line exists, determining whether the first data in the second cache line originates from the secure process; S03A. If the first data originates from the secure process, reading the first data and sending it to the processing core; S03B. If the first data originates from the non-secure process, retrieving the second data from memory based on the target physical address and storing the second data in the third cache line among the P cache lines, wherein the third cache line is any one of the P cache lines.
[0104] The cache controller can determine whether the first data in the second cache line originates from the secure process in two ways. The first method involves decrypting the group key corresponding to the cache line where the second cache line is located, and determining the cache index of the second cache line from the decrypted new cache index and old cache index according to the aforementioned index indication; determining the physical address corresponding to the first data based on the cache index of the second cache line and the tag information in the second cache line; if the physical address belongs to the aforementioned first physical address range, then the first data is determined to originate from the secure process; if the physical address belongs to the aforementioned second physical address range, then the first data is determined to originate from the non-secure process.
[0105] In the second approach, the second cache line includes, in addition to the aforementioned valid (V) bit, tag (T) field, and data field, protection domain indication information. Specifically, if the protection domain indication information is the first type of information, it is determined that the first data originates from the secure process; if the protection domain indication information is the second type of information, it is determined that the first data originates from the non-secure process. For example, such as... Figure 12 As shown, in the second method, a protection field (P) is set for each cache line in the cache. The indication information stored in the protection field is used to indicate the protection field of the data stored in the corresponding cache line. Optionally, the protection field can occupy one or more bits.
[0106] For example, the protection field is 1 bit. If the value of the protection field is 0, it indicates that the data in the cache line comes from the non-secure process; if the value of the protection field is 1, it indicates that the data in the cache line comes from the secure process. Alternatively, the protection field is 3 bits. If the value of the protection field is 0, it indicates that the data in the cache line comes from the non-secure process; if the value of the protection field is 1 to 7, it indicates that the data in the cache line comes from different security domains. That is, the secure process can be further divided into multiple security domains of different levels, and each security domain can have its own cache area, thereby further improving the isolation and security between different security domains. In this embodiment, the cache controller can update or set the specific value of the protection field of the cache line each time data is loaded into the cache line.
[0107] Furthermore, the cache controller can employ a random strategy to determine the third cache line, i.e., the third cache line used to store the second data. Specifically, the cache controller can generate a random number R using a built-in random number generator, select a cache line based on the specific value of R, determine the number of the cache line, and then determine the cache index of the cache line to be removed using the key group and index indication corresponding to that cache line, i.e., determine the cache index of the third cache line. After that, the original data in the third cache line can be evicted, and the second data can be stored in the third cache line.
[0108] Furthermore, the method may also include: updating the key corresponding to the P cache lines when the number of accesses reaches a preset number of accesses.
[0109] Wherein, when the processor includes one processing core, the access count can be the access count of that processing core; when the processor includes multiple processing cores, the access count can be the sum of the access counts of the multiple processing cores. The preset access count can be set in advance, and can be set according to actual needs. This application embodiment does not impose specific limitations on this.
[0110] In addition, when the i-th key group includes multiple key groups, the cache controller can update the multiple key groups multiple times during the process of the access count reaching the preset access count. For example, each time only one key group in the i-th key group can be updated to avoid the cache controller updating the multiple key groups at the same time, which would cause a large performance overhead and latency problem.
[0111] For any one of the i-group keys, the cache controller can update the key group according to the following method. The following explanation uses the second key group as an example, where the second key group is any one of the i-group keys. Specifically, the process of updating the second key group by the cache controller can include: decrypting the old key and the new key in the second key group respectively to obtain the old cache index and the new cache index; generating a first new key, storing the data in the cache line indicated by the new cache index in the cache line indicated by the first new cache index, where the first new cache index is obtained by decrypting the first new key; storing the data in the cache line indicated by the old cache index in the cache line indicated by the new cache index, and determining that the old key is equal to the new key; incrementing the index indicator by one to complete the update of the index indicator.
[0112] Furthermore, such as Figure 13 As shown, after the cache controller determines whether the target physical address comes from a secure process via S300, the method may also include S304.
[0113] S304: If the target physical address comes from the insecure process, process the data access request based on the target physical address.
[0114] Specifically, if the target physical address originates from the insecure process, for example, if the target physical address is within the second physical address range corresponding to the insecure process, the cache controller can query the M rows and N cache lines included in the cache based on the target physical address to determine whether the data corresponding to the target physical address is in the M rows and N cache lines. If a matching fourth cache line is found (i.e., the data accessed by the processing core is in the cache), and the fourth cache line does not belong to the P cache lines or the data in the fourth cache line originates from the insecure process, the data can be read and returned to the processing core. If no matching cache line is found (i.e., the data accessed by the processing core is not in the cache), or if the fourth cache line belongs to the P cache lines and the data in the fourth cache line originates from the secure process, the corresponding data can be read from memory and written into the cache.
[0115] In one possible embodiment, such as Figure 14 As shown, the process by which the cache controller processes the data access request based on the target physical address may include: S11. Determining whether a fourth cache line exists based on the target physical address, wherein the tag information in the fourth cache line is consistent with the tag information in the target physical address; S12A. If a fourth cache line does not exist (i.e., no), retrieving the corresponding data from memory based on the target physical address and storing the data in the cache; S12B. If a fourth cache line exists (i.e., yes), determining whether the fourth cache line belongs to the P cache lines; S13A. If the fourth cache line does not belong to the P cache lines. S13B. If the fourth cache line belongs to the P cache lines (i.e., yes), determine whether the third data in the fourth cache line comes from the non-secure process; S14A. If the third data comes from the non-secure process (i.e., yes), read the first data and send it to the processing core; S14B. If the third data comes from the secure process (i.e., no), retrieve the corresponding data from memory according to the target physical address, and store the data in the cache. For example, use the least recently used (LRU) algorithm to select the cache line where the data will be stored, and replace the data in that cache line.
[0116] It should be noted that when the cache controller queries the M rows and N paths of cache lines based on the target physical address, it can do so in accordance with the above... Figure 9 A similar query is performed. Furthermore, in S13B above, the cache controller determines whether the third data in the fourth cache line originates from the insecure process in the specific process described above. Figure 11 The process of determining whether the first data in the second cache line comes from the security process in S02B is similar, and can be found in the relevant description above. The embodiments of this application will not be repeated here.
[0117] For ease of understanding, the following will be used as an example. Figure 15 Taking the processor structure shown as an example, the method provided in the embodiments of this application will be illustrated. Figure 15 As shown, the processor may include four processing cores (with a clock speed of 2GHz) and are referred to as core 1 to core 4 respectively. The cache may be a three-level cache, with the L1 cache being a 4-way cache including 32KB of L1I and 32KB of L1D, the L2 cache being an 8-way cache including 256KB, and the L3 cache being a 16-way cache including 8MB.
[0118] In the embodiments of this application, such as Figure 10 As shown in (b), the 16-way cache lines in the L3 cache can be logically divided into 4 isolated ways, with each of these 4 isolated ways being evenly distributed across the 4 cache lines. At processor startup, the cache controller can set the index indicator to 0 and maintain 32 dedicated registers to store the set key corresponding to each of the 16 cache lines. The cache controller can be set to a preset access count of 1600, meaning the key is updated once after 1600 accesses to the L3 cache. For example, a set of keys can be updated every 100 accesses, and each set of keys will be updated at least once after 1600 accesses.
[0119] Specifically, when the cache controller receives a data access request, the cache controller can proceed as described above. Figure 7 , Figure 11 , Figure 12 or Figure 13 The described method handles this data access request. Specifically, in the above... Figure 11 In steps S02A and S03B, the cache controller can use a random strategy to determine the third cache line. For example, the cache controller can generate a random number R using a built-in random number generator, select a cache line based on the result of taking R modulo 16 (R mod 16), determine the number of the cache line, and then determine the cache index of the cache line to be removed using the key group and index indication corresponding to the cache line. That is, the cache index of the third cache line is determined. After that, the original data in the third cache line can be evicted, and the second data can be stored in the third cache line. In addition, in the above... Figure 14 In steps S12A and S14B, the cache controller can use the LRU algorithm to determine the cache line where the data read from memory will be stored, and replace the data in that cache line.
[0120] This embodiment of the application was tested on the CPU2006 test suite, and the cache configuration is as follows: Figure 15As shown, simulation was performed by modifying the GEM5 simulator. During the testing process, four test programs were selected from the CPU2006 test set, and the instructions per clock (IPC) of the simulated system was used as the technical evaluation indicator. The test baseline was set as the overall IPC when all four test programs were treated as unsafe programs. When testing the performance loss of this application, one test program was selected as a safe program, and the other three were treated as unsafe programs, resulting in the overall IPC. Table 1 below lists the performance overhead under different tests.
[0121] Table 1
[0122]
[0123]
[0124] The first column shows four test programs selected from the CPU2006 test suite. The second column shows the tests selected from these four programs as security processes. The third column represents the IPC performance overhead of the programs in the second column as security processes compared to the test baseline. A positive performance overhead indicates a performance decrease, while a negative performance overhead indicates a performance increase. Higher performance overhead values indicate a greater performance decrease. The last row shows the calculated average IPC performance overhead as 0.394%.
[0125] In this embodiment, the cache includes M rows and N cache lines, all of which can be used to store data from insecure processes. P cache lines among these M rows and N cache lines are also used to store data from secure processes. When a data access request is received from the processing core, if the target physical address in the request originates from the secure process, the key corresponding to each of the P cache lines is used to determine the cache index corresponding to that P cache line. The data access request is then processed based on the cache index corresponding to the P cache lines and the target physical address. If the target physical address originates from the insecure process, the data access request can be processed directly based on that target physical address. That is, the secure process in this application uses P cache lines in the cache, and the cache index corresponding to each of the P cache lines is encrypted. The insecure process can use the entire cache space in the cache, and the cache index of the M rows and N cache lines used by the insecure process does not need to be encrypted. Therefore, compared with existing technologies, this approach can ensure cache utilization and reduce cache performance overhead while defending against attackers obtaining confidential information of secure processes through cache side-channel attacks, thereby ensuring the security of the secure process's data.
[0126] The foregoing primarily describes the solution provided in this application from the perspective of the cache controller in the processor. It is understood that, to achieve the aforementioned functions, the cache controller includes corresponding hardware structures and / or software modules for executing each function. Those skilled in the art should readily recognize that, in conjunction with the network elements and algorithm steps of the various examples described in the embodiments disclosed herein, the present invention can be implemented in hardware or a combination of hardware and computer software. Whether a function is executed in hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present invention.
[0127] This application embodiment can divide the cache controller into functional modules according to the above method example. For example, each function can be divided into its own functional module, or two or more functions can be integrated into one processing module. The integrated module can be implemented in hardware or as a software functional module. It should be noted that the module division in this application embodiment is illustrative and only represents one logical functional division. In actual implementation, there may be other division methods.
[0128] Figure 16 A possible structural diagram of the buffer side-channel attack defense device involved in the above embodiments is shown. This device can be a buffer controller and includes: a receiving unit 401, a determining unit 402, and a processing unit 403. The receiving unit 401 is used to support the device in executing S301 in the above method embodiments; the determining unit 402 is used to support the device in executing one or more of S300 or S302 in the above method embodiments; and the processing unit 403 is used to support the device in executing one or more of S303 or S304 in the above method embodiments. In one possible embodiment, the determining unit 402 is further used to support the device in executing one or more of S01 or S02B in the above method embodiments; and the processing unit 403 is further used to support the device in executing one or more of S03A or S03B in the above method embodiments. In another possible embodiment, the determining unit 402 is further configured to support the device in executing one or more of S11, S12B, or S13B in the above method embodiment; the processing unit 403 is further configured to support the device in executing one or more of S12A, S13A, S14A, and S14B in the above method embodiment. Further, the device may also include an updating unit 404; the updating unit 404 is configured to support the device in executing the step of updating the keys corresponding to the P cache lines in the above method embodiment.
[0129] It should be noted that all relevant content of each step involved in the above method embodiments can be referenced from the functional description of the corresponding functional module, and will not be repeated here.
[0130] In another embodiment of this application, a chip is also provided, which can be a processor, and the processor can be structured as follows: Figure 3 As shown in (a), the processor may include a processing core 101, a cache 102, a cache controller 103, and memory 104. The cache 102 may include M rows and N cache lines, which are used to store data of insecure processes. P cache lines in the M rows and N cache lines are used to store data of insecure processes, where M, N, and P are positive integers. In this embodiment, the processing core 101 can be used to send a data access request including a target physical address; the cache controller 103 is used to execute the steps in the embodiments related to the cache side-channel attack defense method provided above.
[0131] In another embodiment of this application, an electronic device is also provided. For example... Figure 17 As shown, the electronic device may include a processor 502, a memory 501, a communication interface 503, and a bus 504, which are coupled together via the bus 504. The processor 502 is used to control and manage the operation of the electronic device. For example, the processor 502 is the processor described above, and the cache controller in the processor can be used to support the device in executing one or more steps of S301 to S304, S01 to S03B, and S11 to S14B in the above method embodiments, and / or other processes used in the technology described herein. Furthermore, the communication interface 503 can be used to support the electronic device in communication, such as supporting communication between the electronic device and other electronic devices; the memory 501 can be used to store the program code and data of the electronic device.
[0132] The processor 502 can be a central processing unit, a general-purpose processor, a baseband processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this application. The processor can also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a digital signal processor and a microprocessor, etc. The bus 504 can be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc. The bus 504 can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, Figure 17 The bus is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.
[0133] In another aspect of this application, a computer-readable storage medium is provided, which stores instructions that, when executed on a device, cause the device to perform the cache side-channel attack defense method provided in the above-described method embodiments.
[0134] In another aspect of this application, a computer program product is provided that, when the computer program product is run on a device, causes the device to execute the cache side-channel attack defense method provided in the above-described method embodiments.
[0135] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For instance, the division of modules or units is merely a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another apparatus, or some features may be ignored or not executed.
[0136] The units described as separate components may or may not be physically separate. A component shown as a unit can be one or more physical units; that is, it can be located in one place or distributed in multiple different locations. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0137] Furthermore, the functional units in the various embodiments of this application can be integrated into one unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0138] Finally, it should be noted that the above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A method for defending against cache side-channel attacks, characterized in that, The cache comprises M rows and N cache lines, where M and N are positive integers, and the method includes: Receive a data access request from the processing core, the data access request including a target physical address; If the target physical address comes from a secure process, the cache index corresponding to the P cache lines is determined according to the key corresponding to the P cache lines. The P cache lines are located in the i cache lines in the M rows and N paths of the cache lines. The key includes i sets of keys and the i sets of keys correspond one-to-one with the i cache lines. P is a positive integer and i is an integer greater than 1 and less than or equal to P. The data access request is processed based on the cache index corresponding to the P cache lines and the target physical address; If the target physical address originates from an insecure process, the data access request is processed based on the target physical address.
2. The method according to claim 1, characterized in that, Each of the i sets of keys includes an old key and a new key. The step of determining the cache index corresponding to the P cache lines based on the keys corresponding to the P cache lines includes: For the first key in the i-group of keys, decrypt the old key and the new key in the first key group respectively to obtain the old cache index and the new cache index. The first key group is any one of the i-group of keys. The first cache index is determined from the old cache index and the new cache index according to the index indication. The first cache index is the cache index corresponding to the cache line in the first cache line of the i-path among the P cache lines. The first cache line corresponds to the first set of keys.
3. The method according to claim 2, characterized in that, Determining the first cache index from the old cache index and the new cache index according to the index indication includes: If the old cache index is greater than or equal to the index indication, the old cache index is determined to be the first cache index; If the old cache index is less than the index indication, the new cache index is determined to be the first cache index.
4. The method according to any one of claims 1-3, characterized in that, The P cache lines are distributed among the multiple cache lines included in the cache.
5. The method according to claim 1, characterized in that, The step of processing the data access request based on the cache indexes corresponding to the P cache lines and the target physical address includes: The existence of a second cache line is determined based on the cache index corresponding to the P cache lines and the target physical address, wherein the tag information in the second cache line is consistent with the tag information in the target physical address; If the second cache line exists, determine whether the first data in the second cache line comes from the security process; If the first data comes from the security process, read the first data and send it to the processing core.
6. The method according to claim 5, characterized in that, The step of processing the data access request based on the cache indexes corresponding to the P cache lines and the target physical address further includes: If the second cache line does not exist, or if the first data comes from a non-secure process, the second data is retrieved from memory according to the target physical address; The second data is stored in the third cache line among the P cache lines, where the third cache line is any one of the P cache lines.
7. The method according to claim 5, characterized in that, The second cache line also includes protection domain indication information, and determining whether the first data in the second cache line comes from the security process includes: If the protection domain indication information is the first information, it is determined that the first data comes from the security process; If the protection domain indication information is the second information, it is determined that the first data comes from the insecure process.
8. The method according to claim 1, characterized in that, The method further includes: When the number of accesses reaches the preset number of accesses, the keys corresponding to the P cache lines are updated.
9. The method according to claim 8, characterized in that, The key includes i sets of keys, where i is an integer greater than or equal to 1 and less than or equal to P. Updating the keys corresponding to the P cache lines includes: For the second key in the i-th key group, decrypt the old key and the new key in the second key group respectively to obtain the old cache index and the new cache index. The second key group is any one of the i-th key groups. Generate a first new key, and store the data in the cache line indicated by the new cache index in the cache line indicated by the first new cache index, wherein the first new cache index is obtained by decrypting the first new key; The data in the cache line indicated by the old cache index is stored in the cache line indicated by the new cache index, and the old key is determined to be equal to the new key; The index indicator has been incremented by one, completing the update of the index indicator.
10. The method according to claim 1, characterized in that, If the target physical address originates from an insecure process, processing the data access request based on the target physical address includes: If the target physical address comes from a non-secure process, determine whether there is a fourth cache line in the cache based on the target physical address, and the tag information in the fourth cache line is consistent with the tag information in the target physical address; If the fourth cache line exists and the fourth cache line belongs to the P cache lines, determine whether the third data in the fourth cache line comes from the non-safe process; If the fourth cache line exists and the fourth cache line does not belong to the P cache lines, or if the third data comes from the non-secure process, the third data is read and sent to the processing core.
11. The method according to claim 10, characterized in that, The method further includes: If the fourth cache line does not exist, or if the third data comes from the security process, the fourth data is retrieved from memory according to the target physical address and stored in the cache.
12. The method according to claim 1, characterized in that, After receiving the data access request from the processing core, the method further includes: If the target physical address is within the first physical address range corresponding to the security process, it is determined that the target physical address comes from the security process; If the target physical address is located within the second physical address range corresponding to the insecure process, it is determined that the target physical address comes from the insecure process.
13. A buffer side-channel attack defense device, characterized in that, The cache includes M rows and N cache lines, where M and N are positive integers. The device includes: A receiving unit is configured to receive a data access request from the processing core, the data access request including a target physical address; The determining unit is used to determine the cache index corresponding to the P cache lines based on the key corresponding to the P cache lines if the target physical address comes from a secure process. The P cache lines are located in i cache lines in the M rows and N cache lines. The key includes i sets of keys and the i sets of keys correspond one-to-one with the i cache lines. P is a positive integer and i is an integer greater than 1 and less than or equal to P. The processing unit is configured to process the data access request based on the cache index corresponding to the P cache lines and the target physical address; The determining unit is further configured to process the data access request based on the target physical address if the target physical address originates from an insecure process.
14. The apparatus according to claim 13, characterized in that, Each of the i sets of keys includes an old key and a new key, and the determining unit is further configured to: For the first key in the i-group of keys, decrypt the old key and the new key in the first key group respectively to obtain the old cache index and the new cache index. The first key group is any one of the i-group of keys. The first cache index is determined from the old cache index and the new cache index according to the index indication. The first cache index is the cache index corresponding to the cache line in the first cache line among the i-way cache lines of the P cache lines. The first cache line corresponds to the first set of keys.
15. The apparatus according to claim 14, characterized in that, The determining unit is further configured to: If the old cache index is greater than or equal to the index indication, the old cache index is determined to be the first cache index; If the old cache index is less than the index indication, the new cache index is determined to be the first cache index.
16. The apparatus according to any one of claims 13-15, characterized in that, The P cache lines are distributed among the multiple cache lines included in the cache.
17. The apparatus according to claim 13, characterized in that: The determining unit is further configured to determine whether a second cache line exists based on the cache index corresponding to the P cache lines and the target physical address, wherein the tag information in the second cache line is consistent with the tag information in the target physical address; The determining unit is further configured to, if the second cache line exists, determine whether the first data in the second cache line comes from the security process; The processing unit is further configured to read the first data and send it to the processing core if the first data comes from the security process.
18. The apparatus according to claim 17, characterized in that, The processing unit is also used for: If the second cache line does not exist, or if the first data comes from a non-secure process, the second data is retrieved from memory according to the target physical address; The second data is stored in the third cache line among the P cache lines, where the third cache line is any one of the P cache lines.
19. The apparatus according to claim 17, characterized in that, The second cache line also includes protection domain indication information, and the determining unit is further configured to: If the protection domain indication information is the first information, it is determined that the first data comes from the security process; If the protection domain indication information is the second information, it is determined that the first data comes from the insecure process.
20. The apparatus according to claim 13, characterized in that, The device further includes: The update unit is used to update the keys corresponding to the P cache lines when the number of accesses reaches a preset number of accesses.
21. The apparatus according to claim 20, characterized in that, The key includes i sets of keys, where i is an integer greater than or equal to 1 and less than or equal to P. The update unit is further used for: For the second key in the i-th key group, decrypt the old key and the new key in the second key group respectively to obtain the old cache index and the new cache index. The second key group is any one of the i-th key groups. Generate a first new key, and store the data in the cache line indicated by the new cache index in the cache line indicated by the first new cache index, wherein the first new cache index is obtained by decrypting the first new key; The data in the cache line indicated by the old cache index is stored in the cache line indicated by the new cache index, and the old key is determined to be equal to the new key; Incrementing the index indicator by one completes the update of the index indicator.
22. The apparatus according to claim 13, characterized in that: The determining unit is further configured to, if the target physical address comes from a non-secure process, determine whether a fourth cache line exists in the cache based on the target physical address, wherein the tag information in the fourth cache line is consistent with the tag information in the target physical address; The determining unit is further configured to determine whether the third data in the fourth cache line comes from the non-secure process if the fourth cache line exists and the fourth cache line belongs to the P cache lines; The processing unit is further configured to read the third data and send it to the processing core if the fourth cache line exists and the fourth cache line does not belong to the P cache lines, or if the third data comes from the non-secure process.
23. The apparatus according to claim 22, characterized in that, The processing unit is also used for: If the fourth cache line does not exist, or if the third data comes from the security process, the fourth data is retrieved from memory according to the target physical address and stored in the cache.
24. The apparatus according to claim 13, characterized in that, The determining unit is further configured to: If the target physical address is within the first physical address range corresponding to the security process, it is determined that the target physical address comes from the security process; If the target physical address is located within the second physical address range corresponding to the insecure process, it is determined that the target physical address comes from the insecure process.