Static Evaluation Of Spectre Attacks On RISC-V Architecture

Side-channel attack is an attack method that extracts secret information by measuring the operational characteristics of a physical device.The microarchitecture side channel combines the microarchitecture design features of computer hardware and the sensitive information extraction methods by side channel.Spectre attack is a group of microarchitectural sidechannel attacks,of which the mitigation is still a thorny problem.As a representative of a new generation of open source architecture,the RISC-V architecture has the advantages of readable source code and configurable parameters,which are suitable for research on microarchitecture-related attack evaluation.Therefore,when the software source code and hardware micro-architecture are known,it is an important research topic to evaluate whether the software code will be affected by Spectre attacks in advance.This thesis studies the evaluation of Spectre micro-architecture side-channel leakages on RISC-V processors using the symbolic execution and abstract interpretation approaches.Spectre v1 and Spectre v4 are evaluated.Firstly,in the attack mechanism part,the attack methods and evaluation characteristics of different variants of the Spectre micro-architecture side-channel attack are analyzed,and the Spectre attack is reproduced in the software programmed on the BOOM core on the FPGA in the experiments.Secondly,in the modeling part,according to the instruction set characteristics and hardware characteristics of RISC-V,the modeling method and realization of RISC-V BOOM architecture based on symbolic execution and abstract interpretation are studied.Finally,in the experiment part,the artificially constructed test vector,the Linux source code on RISC-V,and the cryptographic algorithm of the open source cryptographic library are used as evaluation vectors to conduct evaluation experiments.The evaluation indicators include the false positive rate,the number of false positives and the evaluation time.The parameters set in the evaluation to simulate the behavior of the microarchitecture are studied,including the number of cache sets,branch prediction window size and ROB size.In this thesis,these variable parameters are dynamically configured and adjusted in the experiment,and the parameter values when the two models achieve the highest accuracy are obtained.The experimental results show that in the evaluation of Spectre v1 and v4 microarchitecture side-channel attacks on RISC-V BOOM,the execution time of the symbolic execution model is greatly affected by the change of the micro-architecture parameters,but the false negative rate of evaluation is lower than that of the abstract interpretation model.Overall,the approach of symbolic execution is more effective than the abstract interpretation of evaluation modeling for Spectre attack evaluation on RISC-V.Compared with the work of Spectre v1 evaluation on other architectures,the symbol execution model in this thesis has an accuracy rate of 85.7%for Spectre v1 under the same test set,which is the same as the tool that has achieved the best accuracy at present and slightly(7.1%)better than the second best tool.Compared with the similar work of Spectre v4,the accuracy has reached 73.0%,which is the same as the tool that has achieved the best accuracy at present.Therefore,it can be agreed that the symbolic execution model in this thesis can effectively evaluate Spectre v1 and v4 leakages on RISC-V.