LAN Zeru, QIU Pengfei, WANG Chunlu, ZHAO Yaxuan, JIN Yu, ZHANG Zhihao, WANG Dongsheng. A Survey of Processor Hardware Vulnerability[J]. Journal of Electronics & Information Technology. doi: 10.11999/JEIT250357

A Survey of Processor Hardware Vulnerability

doi: 10.11999/JEIT250357 cstr: 32379.14.JEIT250357
Funds:  Beijing Natural Science Foundation (4242026), The National Natural Science Foundation of China (62372258), The Fundamental Research Funds for the Central Universities (2023RC71)
  • Received Date: 2025-05-06
  • Rev Recd Date: 2025-07-30
  • Available Online: 2025-08-05
Significance  Processor security is a cornerstone of computer system security, providing a trusted execution environment for upper-layer systems and applications. However, the increasing complexity of processor microarchitectures and the widespread integration of performance-driven optimization mechanisms have introduced significant security risks. These mechanisms, designed primarily to improve performance and energy efficiency, often lack comprehensive security evaluation and therefore expand the potential attack surface. As a result, numerous microarchitectural security vulnerabilities have emerged, posing critical challenges for architectural security research.

Progress  Although recent years have witnessed notable progress in the study of hardware vulnerabilities, several key issues remain unresolved. First, the landscape of hardware vulnerabilities is both diverse and complex, yet the existing literature lacks a consistent and systematic classification framework. This gap complicates researchers' efforts to understand, compare, and generalize vulnerability characteristics. Second, current studies predominantly focus on the discovery of individual vulnerabilities or on specific attack implementations, with limited attention to modeling the full vulnerability lifecycle. A comprehensive research framework covering vulnerability identification, attack instantiation, and exploitation is still lacking. One pressing challenge is how to efficiently and systematically determine whether a potential vulnerability can become a practical, high-risk attack path. In addition, unlike software vulnerabilities, hardware vulnerabilities are inherently more difficult to mitigate and impose higher defense costs. These characteristics highlight the need for a more structured and integrated approach to hardware vulnerability research.

Contributions  This paper systematically reviews and analyzes processor hardware vulnerabilities reported in major architecture security conferences and academic journals since 2010. It first outlines four primary methods for discovering hardware vulnerabilities and, building on prior studies, proposes a three-step attack model and a novel attack scenario framework. The paper then categorizes and describes existing hardware vulnerabilities according to their behavioral characteristics and consolidates eight evaluation metrics for side-channel vulnerabilities derived from related research. To assess the feasibility and scope of the various attack types, representative vulnerabilities are selected for experimental validation across multiple processor platforms, with in-depth analysis of the results. In addition, the study provides a systematic evaluation of current defense and mitigation mechanisms for hardware vulnerabilities. Finally, it discusses future research directions from both offensive and defensive perspectives.

Prospects  Future research in processor hardware security is expected to focus on the new attack surfaces introduced by increasingly diversified microarchitectural optimizations. Key areas will include the development of system-level collaborative defense mechanisms, automated verification tools, and integrated strategies that improve awareness and precision in mitigating hardware-level information leakage risks.

    Figures(5)  / Tables(3)