Microarchitectural timing side channels have been thoroughly investigated as a security threat in hardware designs featuring shared buffers (e.g., caches) and/or parallelism between attacker and victim task execution. Contrary to common intuition, recent work demonstrates, however, that this threat is also real in microcontroller SoCs without such features. In this paper, we describe SoC-wide timing side channels previously neglected by security analysis and present a new formal method to close this gap. In a case study with the RISC-V Pulpissimo SoC platform, our method found a vulnerability to a previously unknown attack variant that allows an attacker to obtain information about a victim's memory access behavior. After implementing a conservative fix, we were able to verify that the SoC is now secure w.r.t. timing side channels.