Efficient cache attacks on AES, and countermeasures (2009)

by Eran Tromer, Dag Arne Osvik, Adi Shamir
Venue: Journal of Cryptology, available online
Citations: 11 (1 self)

BibTeX

@ARTICLE{Tromer09efficientcache,
    author = {Eran Tromer and Dag Arne Osvik and Adi Shamir},
    title = {Efficient cache attacks on AES, and countermeasures},
    journal = {Journal of Cryptology, available online},
    year = {2009}
}


Abstract

We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux’s dm-crypt encrypted partitions (in the latter case, the full key was recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we discuss a variety of countermeasures which can be used to mitigate such attacks.
