Federated learning is a novel distributed learning framework which enables the sharing of training data across multiple participants without compromising their data privacy. However， such novel learning mechanism can still suffer from unprecedented security and privacy threats from various attackers. This article mainly explores the security and privacy challenges of federated learning by first introducing the preliminary knowledge and threat models to facilitate understanding of the potential attacks. Second， three types of attacks launched by the internal malicious entities are summarized and meanwhile the security and privacy vulnerabilities of federated learning architecture are analyzed. Third， the state-of-art protection solutions in aspects of differential privacy， homomorphic cryptosystem， and secure multi-party aggregation are surveyed. Finally， by summarizing and comparing these solutions， the promising directions are discussed.