Power analysis is a class of side-channel attacks in which power consumption data is used to infer sensitive information and extract secrets from a system. Traditionally, such attacks required physical access to the target, as well as specialized devices to measure power consumption with sufficient precision. The PLATYPUS attack showed that on-chip power meters exposed through a software interface can form a new class of power side-channel attacks. This paper presents a software-based power side-channel attack on Apple Silicon M1/M2 platforms, exploiting the System Management Controller (SMC) and its power-related keys, which provide access to the on-chip power meters through a software interface available to user-space software. We observed data-dependent power consumption reporting from these keys and analyzed the correlations between the reported power consumption and the processed data. Our work also demonstrates how an unprivileged user-mode application successfully recovers bytes of an AES encryption key from a cryptographic service backed by a kernel-mode driver in macOS. Furthermore, we discuss the impact of software-based power side channels on the industry, possible countermeasures, and the overall implications of software interfaces to modern on-chip power management systems.