With Collide+Power, attackers can extract data directly from the processor. This is because all data that is processed by a computer system has to pass through the Central Processing Unit (CPU), which contains short-term memories or caches. Here, data that has already been processed is stored temporarily so that it can quickly be retrieved and reused. When data stored in the cache is overwritten by new data, for example because users access another password in their password manager, power is consumed. At this point, a physical effect comes in: The more data in the cache is changed, the more power is required.
Data collides in the cache
Collide+Power takes advantage of this effect. The malicious code programmed for the attack fills the cache with data known to the attackers. If users now access a program – such as their password manager – the attackers' data in the cache is overwritten with the password: Attacker and user data "collide" in the cache. The power consumption of the CPU during the overwriting process allows the attackers to draw conclusions about the password. “The more similar the attackers’ data and the data from the target program are, the less power is consumed – and power consumption can be measured very accurately," Schwarz explains.
Of course, many different computing processes take place in parallel in the caches of a computer, for example because various programs are open at the same time. So how can attackers identify the part of the calculations in the cache that they want to exploit? "The injected malicious code reloads the data from the program under attack countless times in the cache", Gerlach points out. These constantly repeated loading processes allow the attackers to draw conclusions about the data records that are relevant to them.
Power consumption allows conclusions to be drawn about data
This type of data theft is possible because, in computer memories, all values are represented based on a binary code. Each individual value is coded with multiple digits, each of these being either a 1 or a 0. For one byte, which has eight digits, the number 1 would be represented by “0000 0001”, the number 2 by “0000 0010”. Thus, to overwrite a 1 in the cache with a 2, two digits, namely the last two, have to change. If a 1 is overwritten with a zero, which is represented by “0000 0000”, only the last digit changes. This requires less power. By comparing the amount of power consumed with each change, Collide+Power manages to "guess" each of the individual digits of a value.
Many repetitions of this "guessing process" are necessary to capture every digit of a value and, thus, the secret. This makes the process very complex and time-consuming. With the current malicious code, extracting a credit card number, for example, would take 4-5 hours, the researchers estimate. "However, this is only our test code. If you are serious about this, you could surely optimize the code," Schwarz says.
Collide+Power closes a research gap
Collide+Power closes a gap in the detection of power side-channel attacks. It is the first side-channel attack that uses power measurements to derive data directly from the processor. Since the hardware itself is targeted by Collide+Power, it is impossible to prevent this kind of attack. Manufacturers can only provide information and notifications. According to Michael Schwarz, Collide+Power has not been seen in practice yet: "As researchers, we can only show that the attack is possible," he says. "How dangerous it is, is for the manufacturers to judge." However, Lukas Gerlach adds, "you lose the guarantee that data will remain untouchable."
The paper was published in cooperation with the Institute of Applied Information Processing and Communications at the Graz University of Technology (Andreas Kogler, Jonas Juffinger, Lukas Giner, Martin Schwarzl, Daniel Gruss, Stefan Mangard). More information about Collide+Power can be found on the project website collidepower.com.