The aggressive performance optimizations in modern microprocessors can result in security vulnerabilities. For example, timing-based attacks in processor caches can steal secret keys or break randomization. So far, finding cache-timing vulnerabilities is mostly performed by human experts, which is inefficient and laborious. There is a need for automatic tools that can explore vulnerabilities given that unreported vulnerabilities leave the systems at risk. In this paper, we propose AutoCAT, an automated exploration framework that finds cache timing-channel attack sequences using reinforcement learning (RL). Specifically, AutoCAT formulates the cache timing-channel attack as a guessing game between an attack program and a victim program holding a secret. This guessing game can thus be solved via modern deep RL techniques. AutoCAT can explore attacks in various cache configurations without knowing design details and under different attack and victim program configurations. AutoCAT can also find attacks to bypass certain detection and defense mechanisms. In particular, AutoCAT discovered StealthyStreamline, a new attack that is able to bypass performance counter-based detection and has up to a 71% higher information leakage rate than the state-of-the-art LRU-based attacks on real processors. AutoCAT is the first of its kind in using RL for crafting microarchitectural timing-channel attack sequences and can accelerate cache timing-channel exploration for secure microprocessor designs.
翻译:现代微处理器中激进的性能优化可能导致安全漏洞。例如,处理器缓存中的时序攻击能够窃取密钥或破坏随机化。目前,缓存时序漏洞的发现主要依赖人工专家,效率低下且费时费力。鉴于未报告的漏洞会使系统持续面临风险,亟需能够自动探索漏洞的工具。本文提出AutoCAT——一种利用强化学习(RL)自动探索缓存时序信道攻击序列的自动化框架。具体而言,AutoCAT将缓存时序信道攻击建模为攻击程序与持有秘密数据的受害者程序之间的猜测博弈。该猜测博弈可通过现代深度强化学习技术求解。AutoCAT无需知晓设计细节即可在多种缓存配置下探索攻击,并支持不同的攻击程序与受害者程序配置。此外,AutoCAT还能发现绕过特定检测与防御机制的攻击方式。特别地,AutoCAT发现了新型攻击StealthyStreamline,该攻击能够绕过基于性能计数器的检测,在实际处理器上的信息泄露率比当前最先进的基于LRU的攻击高出71%。AutoCAT首次将强化学习用于微架构时序信道攻击序列的构造,可加速安全微处理器设计中缓存时序信道的探索进程。