Performance and security clash yet again in “Collide+Power” attack
2023-08-02 23:36

Collide cached data, and measure the power required.

If the CPU keeps track of the RAM addresses that you've used recently, and can guess well enough which ones you're likely to use again soon, it can keep them temporarily in its cache memory and thus greatly speed up your second access to those values, and the third access, the fourth, and so on.

Cached data is usually much faster to access than data in motherboard RAM. Generally speaking, you don't get to choose which cache registers get used to store which RAM addresses, and you don't get to choose when the CPU decides to stop caching your "Transparent pixel code" value and start caching another program's "Super-secret cryptographic key" instead. Indeed, the cache may contain a liberal mix of values, from a liberal mixture of RAM addresses, belonging to a liberal mixture of different user accounts and privilege levels, all at the same time.

Intriguingly, the power consumption of the CPU itself, when it overwrites a cache value with a new one, depends on how many bits changed between the numbers.

In other words, if you can access a bunch of chosen addresses of your own in a way that primes a specific set of cache registers inside the CPU, and then monitor the power consumption accurately enough when someone else's code gets its data assigned to those cache locations instead, then you can make inferences about how many bits flipped between the old cache contents and the new.

Intel's power measurement mitigation is known as running average power limit filtering; AMD's is referred to as performance determinism mode.
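
A toy simulation of the leak described above, added here as an illustration and not taken from the article or from the Collide+Power research: it shows how averaging many power readings exposes the number of flipped bits, and how noisier readings blunt that inference. The linear energy model, the 64-bit word width, the noise levels and all function names are assumptions; a larger `noise_sd` merely stands in for less precise power telemetry and does not describe how either vendor's mitigation works.

```python
import random
import statistics

WIDTH = 64          # bits per modelled cache word (assumption)
BASE_COST = 100.0   # fixed energy per overwrite, arbitrary units (assumption)


def hamming_distance(a, b):
    """Number of bit positions that differ between two values."""
    return bin(a ^ b).count("1")


def overwrite_energy(old, new, rng, noise_sd):
    # Assumed model: fixed cost + one unit per flipped bit + Gaussian noise.
    return BASE_COST + hamming_distance(old, new) + rng.gauss(0.0, noise_sd)


def estimate_flipped_bits(primed, victim, samples, noise_sd, seed=1):
    """Average noisy readings, then subtract the fixed cost."""
    rng = random.Random(seed)
    mean = statistics.fmean(
        overwrite_energy(primed, victim, rng, noise_sd) for _ in range(samples)
    )
    return mean - BASE_COST


def estimation_error(noise_sd, samples, trials=200, seed=7):
    """Mean absolute error over constructed random 'victim' values."""
    rng = random.Random(seed)
    errors = []
    for trial in range(trials):
        victim = rng.getrandbits(WIDTH)      # constructed sample data
        estimate = estimate_flipped_bits(0, victim, samples, noise_sd, seed=trial)
        errors.append(abs(estimate - hamming_distance(0, victim)))
    return statistics.fmean(errors)


if __name__ == "__main__":
    # Precise vs. noisy telemetry, few vs. many repeated measurements.
    for noise_sd in (2.0, 50.0):
        for samples in (10, 1000):
            err = estimation_error(noise_sd, samples)
            print(f"noise_sd={noise_sd:5.1f} samples={samples:5d} "
                  f"mean error={err:6.2f} bits")
```

In this model the error shrinks with the square root of the sample count, so degrading the precision of power readings raises the number of measurements needed rather than removing the signal outright.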


News URL

https://nakedsecurity.sophos.com/2023/08/03/performance-and-security-clash-yet-again-in-collidepower-attack/