Cache-timing attacks without a profiling phase (original) (raw)
Related papers
Countermeasures against Bernstein's remote cache timing attack
2011
Cache timing attack is a type of side channel attack where the leaking timing information due to the cache behaviour of a crypto system is used by an attacker to break the system. Advanced Encryption Standard (AES) was considered a secure encryption standard until 2005 when Daniel Bernstein claimed that the software implementation of AES is vulnerable to cache timing attack. Bernstein demonstrated a remote cache timing attack on a software implementation of AES. The original AES implementation can methodically be altered to prevent the cache timing attack by hiding the natural cache-timing pattern during the encryption while preserving its semantics. The alternations while preventing the attack should not make the implementation very slow. In this paper, we report outcomes of our experiments on designing and implementing a number of possible countermeasures.
2011
This paper presents several side-channel attacks based on timing information leaked from CPU cache memory. The attacks are focused towards cryptographic ciphers that have an implementation based on lookup tables. Several attacks lead to a recovery of a major part of the secret key, such that an exhaustive search on the rest of the undetermined bits becomes computationally feasible. This attack is possible due to the data-dependent lookups performed during the encryption process. Since encryptions are performed in variable amounts of time this leads to a correlation between the time and data. By making some wise assumptions based also on the cipher structure, the attacker is able to extract the secret key from the earlier correlation. The paper also discusses the applicability of these attacks and offers some countermeasures.
2009
Cache-timing attacks are a serious threat to security-critical software. We show that the combination of vector quantization and hidden Markov model cryptanalysis is a powerful tool for automated analysis of cache-timing data; it can be used to recover critical algorithm state such as key material. We demonstrate its effectiveness by running an attack on the elliptic curve portion of OpenSSL (0.9.8k and under). This involves automated lattice attacks leading to key recovery within hours. We carry out the attack on live cache-timing data without simulating the side channel, showing these attacks are practical and realistic.
A Formal Analysis of Prefetching in Profiled Cache-Timing Attacks on Block Ciphers
Journal of Cryptology
Formally bounding side-channel leakage is important to bridge the gap between the theory and practice in cryptography. However, bounding side-channel leakages is difficult because leakage in a cryptosystem could be from several sources. Moreover the amount of leakage from a source may vary depending on the implementation of the cipher and the form of attack. To formally analyze the security of a cryptosystem against a form of attack, it is therefore essential to consider each source of leakage independently. This paper considers data prefetching, which is used in most modern day cache memories to reduce the miss penalty. To the best of our knowledge, we show for the first time that micro-architectural features like prefetching is a major source of leakage in profiled cache-timing attacks. We further quantify the leakage due to important data prefetching algorithms, namely sequential and arbitrarystride prefetching. The analytical results, with supported experimentation, brings out interesting facts like the effect of placement of tables in memory and the cipher's implementation on the leakage in profiled cache-timing attacks.
Security testing of a secure cache design
Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy - HASP '13, 2013
Cache side channel attacks are attacks that leak secret information through physical implementation of cryptographic operations, nullifying cryptographic protection. Recently, these attacks have received great interest. Previous research found that software countermeasures alone are not enough to defend against cache side channel attacks. Secure cache designs can thwart the root causes of cache side channels and are more efficient. For instance, Newcache is a cache design that can enhance security, performance and power efficiency simultaneously through dynamic memory-cache remapping and eviction randomization. However, these cache designs seldom had their security verified experimentally by mounting cache side channel attacks on them. In this paper, we test the security of Newcache using representative classes of cache side channel attacks proposed for conventional set-associative caches. The results show that Newcache can defeat all these attacks. However, what if a very knowledgeable attacker crafted the attack strategy targeting the secure cache's design? We redesign the attacks specifically for Newcache. The results show that Newcache can defeat even crafted access-driven attacks specifically targeted at it but sometimes succumbs to the specifically crafted timing attacks, which is due to a very subtle vulnerability in its replacement algorithm. We further secure Newcache by modifying its replacement algorithm slightly, thus defeating these specifically crafted timing attacks. In addition, the improved Newcache simplifies the replacement algorithm in the original Newcache design.
New Results on Instruction Cache Attacks
Lecture Notes in Computer Science, 2010
We improve instruction cache data analysis techniques with a framework based on vector quantization and hidden Markov models. As a result, we are capable of carrying out efficient automated attacks using live I-cache timing data. Using this analysis technique, we run an I-cache attack on OpenSSL's DSA implementation and recover keys using lattice methods. Previous I-cache attacks were proof-of-concept: we present results of an actual attack in a real-world setting, proving these attacks to be realistic. We also present general software countermeasures, along with their performance impact, that are not algorithm specific and can be employed at the kernel and/or compiler level.
Remote Cache Timing Attack on Advanced Encryption Standard and countermeasures
2010
AES, Advanced Encryption Standard, is a symmetric key encryption standard being widely used to secure data in places where data confidentiality is a critical issue. AES was adopted from the Rijndael algorithm which was developed by Joan Daemen and Vincent Rijmen. In 2001 NIST, National Institute of Standards and Technology, declared Rijndael algorithm as the next generation cryptographic algorithm, and thus was titled AES - Advanced Encryption Standard. NIST spent several years analyzing the Rijndael algorithm for vulnerabilities against all known breeds of attacks and finally declared it to be a secure algorithm. In 2005 Daniel J. Bernstein claimed that the software implementation of AES is vulnerable to side channel attacks. Side Channel Attacks are a form of cryptanalysis that focuses not on breaking the underlying cipher directly but on exploiting weaknesses found in certain implementations of a cipher. One could derive attacks based on side-channel information gained through timing information, radiation of various sorts, power consumption statistics, cache contents, etc. AES uses a series of table look ups to increase its performance. Since these tables do not fully fit into the cache, cache hits and misses are frequent during encryption, causing various look up times, and thus various encryption times that change according to the input text and the encryption key. The Cache Timing Attack proposed by Bernstein correlates the timing details for encryption under a known key with an unknown key to deduce the unknown key. Bernstein demonstrated the attack against the OpenSSL 0.9.7a AES implementation on an 850MHz Pentium III desktop computer running FreeBSD 4.8. Over the years many researchers have proposed a number of countermeasures against Bernstein's Cache Timing Attack but there is no evidence to date of any investigation carried out to determine their effectiveness and efficiency. Our study focused on verifying Bernstein's Cache Timing Attack and investiga- - ting some of the countermeasures that have been proposed by implementing them.
Effective Countermeasures for Cache Timing Attack on AES
This paper describes several software side-channel attacks based on inter-process leakage through the state of the CPU's memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. In this paper, we propose an algorithm which disables the cache memory .This would make the AES impregnable to cache timing attack.
Attacks of the Knights: Exploiting Non Uniform Cache Access Time
ArXiv, 2021
Intel Knights Landing Processors have shared last level cache (LLC) across all the tiles using MESIF protocol and uses a mesh network of Caching and Homing Agents(CHA)s. Due to the structure of the network, the cache access is non uniform in nature having significant difference in cache hit times. In this paper, we try to exploit this idea to leak secret from a victim process. First, we show a naive implementation of the attack using a gem5 simulator that achieves 100% accuracy of extracting the secret bits. Then we replicate the attack in a Intel Xeon Phi 7290@ 1.50 GHz Knightâs Landing CPU to show the efficacy of the attack. In real machine we can leak the secret from a victim process at 85% accuracy and 350 kbps bandwidth. All the attacks were done on a machine without any root or sudo privileges, so this shows the strength of the attack. This can be further extended to leak secrets from different processes given the vulnerable patterns may exist in many libraries. Other processo...
Hardware Prefetchers Leak: A Revisit of SVF for Cache-Timing Attacks
2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops, 2012
Micro-architectural features have an influence on security against cache attacks. This paper shows that modern hardware prefetchers enabled in cache memories to reduce the miss penalty, can be a source of information leakage with respect to cache-timing attacks. The work revisits the Side Channel Vulnerability Factor (SVF) proposed in ISCA'12 and shows how to adapt the metric to assess the vulnerability of a prefetcher in cache-timing attacks. We use the modified metric denoted Timing-SVF, to show that standard prefetchers based on sequential algorithms can leak information in cache timing attacks. The findings have been established by experimental validations on a standard 128 bit cipher, called CLEFIA, designed by Sony Corporation Ltd. and used for light weight cryptography.