TU Graz
Focus on TU Graz
University
Overview: University
TU Graz at a Glance
Organisational Basis
Mission Statement
Key Objectives and Focus Areas
Cooperations
Climate-Neutral TU Graz
TU Graz Portfolio of Affiliated Companies
Data Protection at TU Graz
History
Buildings of TU Graz
University Gazettes
Info Portal: Sexual Harassment and Gender-based Violence
Career
Overview: Career
Job Vacancies
Professional Fields
Professorships
Apprenticeships
TU Graz as an Employer
Living in Graz
Starting Work at TU Graz
Accessible Working
Services
Overview: Services
News+Stories
Follow TU Graz
TU Graz events
Media Service
Projects with Companies
Form a Partnership with TU Graz
Founders at TU Graz
Publish Job Vacancies
Services for Children and Young People
Offers for Schools
TU Graz Library
Archive Research
Services for Alumni
Childcare
Nostrification
Organisational Structure
Overview: Organisational Structure
Organisational Chart
Rectorate of TU Graz
Senate of TU Graz
University Council of TU Graz
Deans
Service Departments and Staff Units
Representative Bodies for Members of TU Graz
Committees
Studying and Teaching
Focus on Studying and Teaching
Degree and Certificate Programmes
Overview: Degree and Certificate Programmes
Bachelor's Degree Programmes
Master's Degree Programmes
Teacher Education Programme
Doctoral Programmes
Continuing Education
Studying at TU Graz
Overview: Studying at TU Graz
Prospective Students
New Students
Students
Graduates
Studying Internationally
Overview: Studying Internationally
Incoming Students – Exchange at TU Graz
Outgoing Students – Study Abroad
International Students
International House
Summer and Winter Programmes
Blog
Teaching at TU Graz
Overview: Teaching at TU Graz
Strategy Teaching and Learning
Services and Advancements for Teaching Staff
Teaching in Dialogue
Teaching Blog
International Teaching
Research
Focus on Research
Fields of Expertise
Overview: Fields of Expertise
Advanced Materials Science
Human & Biotechnology
Information, Communication & Computing
Mobility & Production
Sustainable Systems
TU Graz – Science for Future
Research at TU Graz
Overview: Research at TU Graz
Services for Researchers
Research Cooperation Ventures
Research Centers
ERC Grants at TU Graz
Christian Doppler (CD) Laboratories
Lead Projects at TU Graz
Responsible Science
Doctoral Schools
TU Graz Research Portal
TU Graz SciPix
Research and Business
Overview: Research and Business
Form a Partnership with TU Graz
Projects with Companies
Competence Centres
Business Enterprises – Start-ups and Spin-offs
Christian Doppler (CD) Laboratories at TU Graz
Publish Job Vacancies
International Research
Overview: International Research
Research Stays Abroad
Research Stays at TU Graz
Research and Technology Advisory Committee
Faculties and Institutes
Overview: Faculties and Institutes
Faculty of Architecture
Faculty of Civil Engineering
Faculty of Electrical and Information Engineering
Faculty of Computer Science and Biomedical Engineering
Faculty of Mechanical Engineering and Economic Sciences
Faculty of Mathematics, Physics and Geodesy
Faculty of Technical Chemistry, Chemical and Process Engineering, Biotechnology
Information for...
Quick Links
Prospective Students
Researchers
Teaching Staff
Pupils
Internationals
Companies
New Students
Continuing Education
Media Representatives
Alumni
Prospective Employees
TU Graz
Graz University of Technology
TU Graz/ TU Graz/ Services/ News+Stories/

New CPU security loophole: Analysis of energy consumption allows data theft

08/02/2023 | TU Graz news | Research

By Philipp Jarke

Researchers at TU Graz and the Helmholtz Center for Information Security have discovered a novel security gap in all common CPUs that can hardly be mitigated.

Hands on a computer keyboard, a computer screen in the background
Researchers from TU Graz and the Helmholtz Center for Information Security have found a new security loophole. Image source: Lunghammer - TU Graz

Main processors (CPUs) of computers are designed to run multiple applications simultaneously. This is beneficial for efficiency, but poses a security risk. Researchers at TU Graz and the Helmholtz Center for Information Security have found a novel method that allows attackers to read data from the memory of CPUs by analyzing the processor's energy consumption. They call this method of attack "Collide+Power".

Overwriting data thousands of times

In a "Collide+Power" attack, the attackers store a data package on a segment of the CPU. In a second step, malicious code causes the attacker's own data to be overwritten ("collide") with the data the attackers are targeting. This overwriting consumes power - the more the two data packages differ from each other, the more power is consumed. The entire process is then repeated thousands of times, each time with minimally different attacker data packages to be overwritten. Finally, the targeted data package can be derived from the slightly different power consumptions that occur each time during this process.

Increased power consumption and time delays provide clues

Although the power consumption of CPUs cannot be read without administrator rights, attackers can bypass this security barrier: In addition to increased power consumption, overwriting the data packets also leads to delays in the computing processes on the attacked processor. These delays can be used to determine the power consumption and, in turn, the target data.

Attack currently still very time-consuming

"All computers with modern CPUs are affected by this security weakness," says Andreas Kogler from the Institute of Applied Information Processing and Communications at Graz University of Technology. "And this security risk is very difficult to fix." However, a "Collide+Power" attack is currently still extremely time-consuming: Due to the countless overwrite operations, the data theft requires at least 16 hours per bit, in other scenarios even up to a year. However, future leaps in technological development could significantly reduce the time required, making "Collide+Power" attacks an everyday security risk.

In principle, the issue of so called power side channels has been known for a long time and is one of the research topics of Stefan Mangard, who leads the IAIK at the TU Graz and has co-authored the Collide+Power study. However, the research group of Daniel Gruss at IAIK only recently discovered that power measurements on modern computers do not require expensive measurement hardware and physical access, but can be done directly from software.

Chip manufacturers have been informed in advance

The major chip manufacturers have been informed about the "Collide+Power" risk in advance and have adjusted their guidelines accordingly. For the general public, the researchers have set up a website describing the security gap in detail: collidepower.com

Information

Original Publication: Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels

Authors: Andreas Kogler, Jonas Juffinger, Lukas Giner, Lukas Gerlach, Martin Schwarzl, Michael Schwarz, Daniel Gruss, Stefan Mangard

Website: collidepower.com

Contact

Andreas KOGLER
Dipl.-Ing. BSc
TU Graz | Institute of Applied Information Processing and Communications
Phone: +43 316 873 5583
andreas.koglernoSpam@tugraz.at

A man stands in front of a building and smiles into the camera
Andreas Kogler from the Institute of Applied Information Processing and Communications at TU Graz. Image source: Lunghammer - TU Graz

Back to: Current Articles