Cache based side channel attacks - Anestis Bechtsoudis
1. New Cache Designs for Thwarting Software Cache-based Side Channel Attacks - Z. Wang & R. B. Lee
Anestis Bechtsoudis
mpechtsoud@ceid.upatras.gr
Patra 2010
2. Cache Based Side Channel Attacks
Contents
1 Introduction
2 Threat Model and Attacks
3 Proposed Models
4 Evaluation
5 Conclusions
4. Introduction 1/4
Information intensive society – imperative need for security
Cryptographic systems are designed to ensure data protection
Cryptosystems are tested extensively over time
Cryptanalysis: the study of techniques to reveal the secret parameters of a security system
5. Introduction 2/4
Classical cryptanalysis approach
Weaknesses in the algorithm – mathematical model
Attacks based on: ciphertext-only, known plaintext, chosen plaintext/ciphertext …
Black-box view of the cryptosystem
But the cryptographic primitive is actually implemented in hardware
Modern cryptanalysis: the attacker knows much more about the device – side channel leakage
8. Section 2: Threat Model and Attacks
9. Threat Model and Attacks 1/6
The adversary's goal is to learn information it has no legitimate access to
Adversary: one or more unprivileged user processes, possibly driven by remote clients, running on the server where the secrets are processed
No physical access to the device
The goal is achieved by performing only legitimate operations – the adversary looks like a normal process
Victim and adversary are isolated processes; what they share is the processor's cache
10. Threat Model and Attacks 2/6
Percival's attack on the OpenSSL implementation of RSA on an SMT (Hyper-Threading) CPU
RSA core operation: modular exponentiation – implemented as a series of squarings (^2) and multiplications (*)
The secret exponent is divided into fixed-width segments
For each *, a multiplier is selected from precomputed constants stored in a lookup table (LUT)
The current segment of the key is used to index the LUT
11. Threat Model and Attacks 3/6
The attacker arranges to run on the other hardware thread at the same time as the victim
The attack process sequentially and repeatedly accesses an array, loading data that occupies all cache lines
At the same time it measures the delay of each access to detect cache misses (e.g. with the rdtsc timer on Intel x86)
The victim's cache accesses evict the attacker's data; the resulting misses tell the attacker which cache sets the victim touched
12. Threat Model and Attacks 4/6
[Figure: the RSA process and the attacker share the cache in front of RAM]
The attacker can identify which table entry was accessed -> the index used -> the segment of the key
13. Threat Model and Attacks 5/6
Bernstein's attack on AES
AES treated as a "black box" software module
Give it inputs and measure the computation time
The execution time is input dependent (through the cache behaviour of the table lookups) and can be exploited to recover the secret key
The attack consists of three phases: learning, attacking and key recovery
Key recovery is done by statistical correlation analysis of the timing profiles
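To make the three phases concrete, here is an added toy reproduction of the attack against a constructed black-box timing oracle. It is not code from the talk or from Bernstein: the oracle in `make_oracle`, the per-position sets of "missing" table lines in `make_machine`, the miss penalty, the sample count and the use of a known all-zero key for the learning phase are all assumptions of this example, and the attack code (`profile` and `recover`) only ever sees plaintexts and times. Because the leak is at cache-line granularity, the correlation peak identifies each key byte only up to the bits that select an entry inside a line, so `recover` reports the top nibble of each byte.

```python
"""Toy reproduction of Bernstein's three-phase cache-timing attack on a
black-box table-driven cipher.  Added illustration, not Bernstein's or the
talk's code: the oracle and the machine state it models are constructed."""
import random

NBYTES = 16
LINE_SHIFT = 4                 # 256-entry byte-indexed table, 16 entries per cache line (assumed)
NLINES = 256 >> LINE_SHIFT
MISS_PENALTY = 40.0            # extra time for a lookup whose line is not cached (assumed)
LEARN_KEY = bytes(NBYTES)      # learning phase runs with a known all-zero key (assumed)


def make_machine():
    """Assumed machine state: per byte position, the table lines that other
    activity keeps evicted.  Chosen, not random, so that no XOR shift of a
    set maps it onto itself; that keeps the correlation peak unambiguous."""
    return [{l ^ j for l in (0, 1, 3, 7)} for j in range(NBYTES)]


def make_oracle(key, missing, rng, noise=3.0):
    """Black-box timing oracle.  The only structure modelled is that round one
    looks up T[p[j] ^ k[j]] for every byte j and that a lookup whose line is
    evicted costs MISS_PENALTY more.  The attacker sees nothing but the time."""
    def encrypt_time(pt):
        t = sum(MISS_PENALTY for j in range(NBYTES)
                if ((pt[j] ^ key[j]) >> LINE_SHIFT) in missing[j])
        return t + rng.gauss(0.0, noise)
    return encrypt_time


def profile(oracle, rng, samples=8192):
    """Learning / attacking phase: time random plaintexts and record, for every
    (byte position, byte value), the mean time minus the overall mean."""
    total = [[0.0] * 256 for _ in range(NBYTES)]
    count = [[0] * 256 for _ in range(NBYTES)]
    grand = 0.0
    for _ in range(samples):
        pt = bytes(rng.randrange(256) for _ in range(NBYTES))
        t = oracle(pt)
        grand += t
        for j, b in enumerate(pt):
            total[j][b] += t
            count[j][b] += 1
    mean = grand / samples
    return [[total[j][b] / count[j][b] - mean if count[j][b] else 0.0
             for b in range(256)] for j in range(NBYTES)]


def recover(learn, attack, learn_key=LEARN_KEY):
    """Key recovery: for each position j and candidate k, correlate the learning
    profile shifted by k with the attack profile.  The peak is at
    k = learn_key[j] ^ target_key[j] up to the bits selecting an entry inside
    a line, so only the top nibble of each key byte is recovered here."""
    nibbles = []
    for j in range(NBYTES):
        scores = [sum(learn[j][b ^ k] * attack[j][b] for b in range(256))
                  for k in range(256)]
        best = max(range(256), key=scores.__getitem__)
        nibbles.append((best ^ learn_key[j]) >> LINE_SHIFT)
    return nibbles


def run_attack(target_key, seed=1):
    """All three phases against a constructed target key.
    Returns (recovered top nibbles, true top nibbles)."""
    rng = random.Random(seed)
    missing = make_machine()
    learn = profile(make_oracle(LEARN_KEY, missing, rng), rng)
    attack = profile(make_oracle(target_key, missing, rng), rng)
    return recover(learn, attack), [k >> LINE_SHIFT for k in target_key]


def attack_succeeds(target_key, seed=1):
    got, want = run_attack(target_key, seed)
    return got == want


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    got, want = run_attack(key)
    print("recovered:", got)
    print("true:     ", want)
```

Run stand-alone it prints the recovered and true line nibbles for the FIPS-197 sample key. Two things carry over from the toy to the real attack: the learning and attacking profiles are built by exactly the same code, and the recovery step never needs the key, only the fact that the target's timing profile is a shifted copy of the one the attacker measured with a key it knows.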
14. Threat Model and Attacks 6/6
15. Section 3: Proposed Models
16. Proposed Models 1/4
Root problem -> direct or indirect cache interference between processes
Software countermeasures: learn from each attack and rewrite the software
Such solutions are attack specific and cost performance (2x to 4x slower)
The authors attempt to eliminate the root cause in hardware, with minimal performance impact and low cost
Two ideas -> partitioning and randomization
17. Proposed Models 2/4
Partition-Locked Cache (PLCache)
[Figure: cache line format – a lock bit L and an owner ID field added in front of the original cache line]
18. Proposed Models 3/4
Random Permutation Cache (RPCache)
Introduces a randomization factor, so the attacker gets no useful information from which cache lines were evicted
Randomizes the memory-to-cache mappings
19. Proposed Models 4/4
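The following added example (not the talk's or the paper's code) models Percival's prime+probe from slides 10 to 12 on a small set-associative cache and then runs the same attack against the PLCache and RPCache designs of slides 17 and 18. The geometry (64 sets, 2 ways), the placement of the 16-entry multiplier table from set 8, the 4-bit key segments, the use of a hit/miss flag in place of the rdtsc measurement, and the exact way the RPCache swaps permutation entries and invalidates lines on interference are assumptions of this model, simplified from the paper's description; the names `prime_probe`, `guess_segment` and `attack_accuracy` are this example's own.

```python
"""Toy cache model: Percival-style prime+probe on a windowed-exponentiation
table lookup, against a traditional cache, a PLCache and an RPCache.
Added illustration; geometry, table layout and the RPCache swap/invalidate
details are assumptions simplified from the paper, not its exact design."""
import random

NSETS = 64        # L1 sets (assumed)
WAYS = 2          # associativity (assumed)
LUT_SET0 = 8      # set holding entry 0 of the multiplier table (assumed layout)
SEG_BITS = 4      # window width: 16 precomputed multipliers, one line each (assumed)
NENTRIES = 1 << SEG_BITS


class Line:
    def __init__(self, tag, owner, locked=False):
        self.tag, self.owner, self.locked = tag, owner, locked


class Cache:
    """Set-associative LRU cache.  mode 'traditional'; 'plcache': lines carry a
    lock bit and owner ID and locked lines are never evicted; 'rpcache': per
    process set permutation, and a miss that would evict another process's
    line evicts a random line in a random set instead."""

    def __init__(self, mode, rng):
        self.mode, self.rng = mode, rng
        self.sets = [[] for _ in range(NSETS)]   # per set: Lines, LRU first
        self.perm = {}                            # rpcache: owner -> permutation

    def _phys(self, owner, mem_set):
        if self.mode != 'rpcache':
            return mem_set
        return self.perm.setdefault(owner, list(range(NSETS)))[mem_set]

    def access(self, owner, mem_set, tag, lock=False):
        """Touch one line; True on hit, False on miss (stands in for the
        rdtsc timing the real attacker measures)."""
        pset = self._phys(owner, mem_set)
        lines = self.sets[pset]
        for i, ln in enumerate(lines):
            if ln.owner == owner and ln.tag == tag:
                lines.append(lines.pop(i))        # refresh LRU position
                return True
        new = Line(tag, owner, locked=lock)
        if len(lines) < WAYS:
            lines.append(new)
            return False
        if self.mode == 'rpcache' and lines[0].owner != owner:
            # Interference: put the line in a random set, swap this owner's two
            # permutation entries so it still finds the line, and drop the
            # owner's stale lines in both sets.  The set that loses a line no
            # longer depends on mem_set, so the attacker learns nothing from it.
            rset = self.rng.randrange(NSETS)
            table = self.perm[owner]
            j = table.index(rset)
            table[mem_set], table[j] = table[j], table[mem_set]
            for s in (pset, rset):
                self.sets[s] = [ln for ln in self.sets[s] if ln.owner != owner]
            lines = self.sets[rset]
            if len(lines) >= WAYS:
                lines.pop(self.rng.randrange(len(lines)))
            lines.append(new)
            return False
        for i, ln in enumerate(lines):            # evict the LRU unlocked line
            if not ln.locked:
                lines.pop(i)
                lines.append(new)
                return False
        return False                              # PLCache: all ways locked, not cached


def prime_probe(mode, seg, rng=None):
    """One attack round: returns the set of cache sets where the attacker's
    probe missed, i.e. where its data was displaced while the victim ran."""
    rng = rng or random.Random(0)
    cache = Cache(mode, rng)
    if mode == 'plcache':
        # Victim preloads and locks its table (PLCache needs the software to
        # ask for this through a locking load).
        for e in range(NENTRIES):
            cache.access('victim', LUT_SET0 + e, ('lut', e), lock=True)
    for s in range(NSETS):                        # prime: fill every way of every set
        for w in range(WAYS):
            cache.access('attacker', s, ('buf', s, w))
    cache.access('victim', LUT_SET0 + seg, ('lut', seg))   # victim fetches multiplier seg
    return {s for s in range(NSETS) for w in range(WAYS)  # probe: re-walk, record misses
            if not cache.access('attacker', s, ('buf', s, w))}


def guess_segment(missed):
    """Attacker's inference: exactly one missed set inside the table's range
    names the entry, hence the key segment; anything else is undecidable."""
    entries = [s - LUT_SET0 for s in missed if 0 <= s - LUT_SET0 < NENTRIES]
    return entries[0] if len(missed) == 1 and entries else None


def attack_accuracy(mode, trials=200, seed=1):
    """Fraction of random key segments the attacker recovers correctly."""
    rng = random.Random(seed)
    segs = [rng.randrange(NENTRIES) for _ in range(trials)]
    return sum(guess_segment(prime_probe(mode, seg, rng)) == seg
               for seg in segs) / trials
```

On the traditional cache the probe misses in exactly one set and its index minus the table base is the key segment, so `attack_accuracy('traditional')` is 1.0. With PLCache the victim's locked lines are never displaced, so the attacker's data is displaced in the same 16 sets whatever entry was used: the pattern is constant and carries no key information. With RPCache the eviction lands in a random set, so the attacker's guess is right about one time in 64.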
21. Evaluation 1/
Workload: the AES implementation of OpenSSL 0.9.7a
Configurations: traditional cache, L1 PLCache and L1 RPCache
5 KByte of AES data marked as protected
L2 cache large enough that it causes no performance impact
22. Evaluation 1/
PLCache & RPCache implemented in M-Sim v2.0
24. Conclusions
Cache-based side channel attacks can harm any general-purpose cache-based system
Software solutions -> attack specific
Hardware solutions -> general purpose
PLCache: minimal hardware cost, but software developers must use a different API
RPCache: more area and complexity in hardware, but no special treatment needed from software developers