I wonder to what extent these attacks can be mitigated by the addition of “noise” in the form of concurrent/interleaved computational loads, analogous to how fuzzy fonts can be used mitigate TEMPEST radiation-based information leakage ( https://www.mdpi.com/2076-3417/10/8/2828/html ).
Obviously this would necessitate a security/performance trade-off.
See also the closely related "DVFS Frequently Leaks Secrets: Hertzbleed Attacks Beyond SIKE, Cryptography, and CPU-Only Data," which will be presented at Oakland today: https://www.hertzbleed.com/2h2b.pdf
(It's citation 68 in the Hot Pixels paper.)
Ouch. Matthew Green's take: https://twitter.com/matthew_d_green/status/16608301610574888...
"It is time to give up on computers altogether."
The drive to create thinner, lighter, and more energy efficient devices has resulted in modern SoCs being forced to balance a delicate tradeoff between power consumption, heat dissipation, and execution speed (i.e., frequency). While beneficial, these DVFS mechanisms have also resulted in software-visible hybrid side-channels, which use software to probe analog properties of computing devices. Such hybrid attacks are an emerging threat that can bypass countermeasures for traditional microarchitectural side-channel attacks. Given the rise in popularity of both Arm SoCs and GPUs, in this paper we investigate the susceptibility of these devices to information leakage via power, temperature and frequency, as measured via internal sensors. We demonstrate that the sensor data observed correlates with both instructions executed and data processed, allowing us to mount software-visible hybrid side-channel attacks on these devices. To demonstrate the real-world impact of this issue, we present JavaScript-based pixel stealing and history sniffing attacks on Chrome and Safari, with all side channel countermeasures enabled. Finally, we also show website fingerprinting attacks, without any elevated privileges.