0x00 说明
- 本文收集整理了近年来国内外关于处理器侧信道安全相关的CVE漏洞列表;
- 涵盖侧信道攻击漏洞、瞬态执行漏洞以及架构错误漏洞等方面;
- 侧信道漏洞包括Timing类、Cache类等多种类型;
- 瞬态执行漏洞主要涉及Meltdown、Spectre等漏洞及其变种;
- 架构错误漏洞涵盖处理器设计缺陷导致的安全问题。
0x01 侧信道漏洞CVE汇总
Cache/Timing/Power类侧信道漏洞:
| 序号 | 漏洞类型 | 攻击名称 | 处理器架构 | 攻击描述 | CVE编号 | 披露时间 |
|---|---|---|---|---|---|---|
| 1 | Cache | Flush+Reload | Intel AMD ARM |
利用冲刷指令探测缓存行重用 | CVE-2013-4242 (GnuPG) |
2013 |
| 2 | Cache | Prime+Probe | Intel AMD ARM |
利用驱逐集探测缓存组竞争 | CVE-2015-0837 (GnuPG) |
2015 |
| 3 | Timing | SQUIP | AMD | 执行单元调度程序争用 | CVE-2021-46778 | 2022 |
| 4 | Power | PLATYPUS | Intel | RAPL功耗接口泄漏 | CVE-2020-8694 | 2020 |
| 5 | Power | HertzBleed | Intel AMD |
DVFS动态电压频率缩放泄漏 | CVE-2022-24436 CVE-2022-23823 |
2022 |
| 6 | Power | Collide+Power | AMD | 汉明距离功耗泄漏 | CVE-2023-20583 | 2023 |
参考资料:
[1] https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom
[2] https://ieeexplore.ieee.org/document/7163050
[3] https://ieeexplore.ieee.org/document/10179368
[4] https://ieeexplore.ieee.org/document/9519416
[5] https://www.usenix.org/conference/usenixsecurity22/presentation/wang-yingchen
[6] https://www.usenix.org/conference/usenixsecurity23/presentation/kogler
0x02 瞬态执行漏洞CVE汇总
乱序类漏洞:
| 序号 | 攻击名称 | 处理器架构 | 攻击描述 | CVE编号 | 披露时间 |
|---|---|---|---|---|---|
| 1 | Meltdown | Intel ARM |
特权数据缓存加载 | CVE-2017-5754 | 2018 |
| 2 | Meltdown V3a | Intel | 特权寄存器越权读取 | CVE-2018-3640 | 2018 |
| 3 | Foreshadow | Intel | 针对SGX的L1终端故障 | CVE-2018-3615 | 2018 |
| 4 | Foreshadow-OS | Intel | 针对系统内核的L1终端故障 | CVE-2018-3620 | 2018 |
| 5 | Foreshadow-VMM | Intel | 针对虚拟机的L1终端故障 | CVE-2018-3646 | 2018 |
| 6 | Fallout | Intel | 存储缓冲区数据采样 | CVE-2018-12126 | 2019 |
| 7 | RIDL | Intel | 加载端口数据采样 | CVE-2018-12127 | 2019 |
| 8 | ZombieLoad | Intel | 行填充缓冲区数据采样 | CVE-2018-12130 | 2019 |
| 9 | TAA | Intel | 事务异步中止数据采样 | CVE-2019-11135 | 2019 |
| 10 | CacheOut | Intel | L1数据缓存驱逐采样 | CVE-2020-0549 | 2020 |
| 11 | Snoop | Intel | Snoop辅助的L1数据缓存采样 | CVE-2020-0550 | 2020 |
| 12 | LVI | Intel | 加载值注入 | CVE-2020-0551 | 2020 |
| 13 | CrossTalk | Intel | 特殊寄存器缓冲区数据采样 | CVE-2020-0543 | 2020 |
| 14 | Downfall | Intel | 向量寄存器文件数据采样 | CVE-2022-40982 | 2023 |
| 15 | RFDS | Intel | 寄存器文件数据采样 | CVE-2023-28746 | 2024 |
推测类漏洞:
| 序号 | 攻击名称 | 处理器架构 | 攻击描述 | CVE编号 | 披露时间 |
|---|---|---|---|---|---|
| 1 | Spectre V1 | Intel AMD ARM |
边界检查绕过 | CVE-2017-5753 | 2018 |
| 2 | Spectre V2 | Intel AMD ARM |
分支目标注入 | CVE-2017-5715 | 2018 |
| 3 | Spectre V4 | Intel AMD ARM |
推测存储绕过 | CVE-2018-3639 | 2018 |
| 4 | Spectre V5 | Intel | 返回分支注入 | CVE-2017-5715 | 2018 |
| 5 | BHI | Intel ARM |
分支历史注入 | CVE-2022-0001 CVE-2022-0002 |
2022 |
| 6 | RetBleed | Intel AMD |
返回堆栈缓冲区溢出 | CVE-2022-29900 CVE-2022-29901 |
2022 |
| 7 | GhostRace | Intel AMD |
推测竞态条件 | CVE-2024-2193 | 2024 |
| 8 | InSpectre | Intel ARM |
分支历史利用 | CVE-2024-2201 | 2024 |
| 9 | BSE | ARM | 分支状态驱逐 | CVE-2024-10929 | 2024 |
| 10 | ITS | Intel | 间接目标选择 | CVE-2024-28956 | 2025 |
| 11 | BPI | Intel | 分支特权注入 | CVE-2024-45332 | 2025 |
| 12 | TSA | AMD | 暂态调度数据泄漏 | CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349 |
2025 |
| 13 | VMSCAPE | Intel AMD |
虚拟化分支目标注入 | CVE-2025-40300 | 2025 |
参考资料:
[1] https://www.usenix.org/conference/usenixsecurity18/presentation/lipp
[2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
[3] https://www.usenix.org/conference/usenixsecurity18/presentation/bulck
[4] https://foreshadowattack.eu
[5] https://dl.acm.org/doi/10.1145/3319535.3363219
[6] https://ieeexplore.ieee.org/document/8835281
[7] https://dl.acm.org/doi/10.1145/3319535.3354252
[8] https://ieeexplore.ieee.org/document/9519461
[9] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00330.html
[10] https://ieeexplore.ieee.org/document/9152763
[11] https://ieeexplore.ieee.org/document/9519489
[12] https://www.usenix.org/conference/usenixsecurity23/presentation/moghimi
[13] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html
[14] https://ieeexplore.ieee.org/document/8835233
[15] https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
[16] https://www.usenix.org/conference/woot18/presentation/koruyeh
[17] https://www.usenix.org/conference/usenixsecurity22/presentation/barberis
[18] https://www.usenix.org/conference/usenixsecurity22/presentation/wikner
[19] https://www.usenix.org/conference/usenixsecurity24/presentation/ragab
[20] https://www.usenix.org/conference/usenixsecurity24/presentation/wiebing
[21] https://www.usenix.org/conference/usenixsecurity25/presentation/zhu-yuhui
[22] https://ieeexplore.ieee.org/document/11023266
[23] https://www.usenix.org/conference/usenixsecurity25/presentation/ruegge
[24] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html
0x03 架构错误漏洞CVE汇总
架构错误类漏洞:
| 序号 | 攻击名称 | 处理器架构 | 攻击描述 | CVE编号 | 披露时间 |
|---|---|---|---|---|---|
| 1 | ÆPIC | Intel | APIC MMIO“陈旧”数据泄漏 | CVE-2022-21233 | 2022 |
| 2 | CacheWarp | AMD | 未写回内存“陈旧”数据覆盖 | CVE-2023-20592 | 2024 |
| 3 | GhostWrite | RISC-V | 向量指令任意内存写 | CVE-2024-44067 | 2024 |
| 4 | StackWarp | AMD | SEV-SNP客户机堆栈指针劫持 | CVE-2025-29943 | 2026 |
参考资料:
[1] https://www.usenix.org/conference/usenixsecurity22/presentation/borrello
[2] https://www.usenix.org/conference/usenixsecurity24/presentation/zhang-ruiyi