Cache Based Side Channel Attacks - Anestis Bechtsoudis (presentation transcript)
New Cache Designs for Thwarting Software Cache-based Side Channel Attacks - Z. Wang & R. B. Lee
Anestis Bechtsoudis
Patra 2010
Cache Based Side Channel Attacks
Contents
1. Introduction
2. Threat Model and Attacks
3. Proposed Models
4. Evaluation
5. Conclusions
1. Introduction
Introduction 1/4
Information-intensive society: an imperative need for security
Cryptographic systems are designed to ensure data protection
Cryptosystems are tested extensively over time
Cryptanalysis: the study of techniques to reveal the secret parameters of a security system
Introduction 2/4
Classical cryptanalysis approach
Weaknesses in the algorithm (the mathematical model)
Attacks based on: ciphertext-only, known plaintext, chosen plaintext/ciphertext, ...
Black-box view of the cryptosystem
But the cryptographic primitive is actually implemented in hardware
Modern cryptanalysis: the attacker knows much more about the device (side-channel leakage)
Introduction 3/4
Introduction 4/4
2. Threat Model and Attacks
Threat Model and Attacks 1/6
Goal of the adversary: learn information to which he has no legitimate access
Adversary: one or more unprivileged user processes, including remote clients, on the server where the secrets are processed
No physical access to the device
Goal achieved by performing only legitimate operations, as a normal process
Victim and adversary are isolated processes
Threat Model and Attacks 2/6
Percival's attack on the OpenSSL implementation of RSA on an SMT (hyper-threaded) CPU
RSA core operation: modular exponentiation, implemented as a series of squarings and multiplications
The private exponent is divided into segments (windows)
For each multiplication, a multiplier is selected from pre-computed constants stored in a lookup table (LUT)
The current segment of the key is used to index the LUT
Threat Model and Attacks 3/6
The attacker runs simultaneously with the victim on the same SMT core
The attack process sequentially and repeatedly accesses an array, thus loading its own data into every cache line
At the same time it measures the delay of each access to detect cache misses (e.g. with the rdtsc timer on Intel x86)
The victim's cache accesses evict the attacker's data, and the attacker detects the resulting misses
Threat Model and Attacks 4/6
The attacker identifies which table entry was accessed -> the index used -> the segment of the key
(figure: RSA process and attacker sharing the cache, with RAM behind it)
Threat Model and Attacks 5/6
Bernstein's attack on AES
AES treated as a "black box" software module
Give inputs and measure the computation time
The execution time is input dependent and can be exploited to recover the secret key
The attack consists of three phases: learning, attacking and key recovery
Key recovery by statistical correlation analysis
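The three phases above, as an added worked example that is not part of the deck or Bernstein's own code. The AES "black box" is replaced by a constructed timing model: the first-round T-table lookup for byte i is assumed to be slower when cache line (p[i] ^ k[i]) >> 4 of the table (16 four-byte entries per 64-byte line) is not cached; the set of slow lines, the cost per miss, the noise level and the sample counts are all assumptions. The attacker profiles a machine with a key he knows (learning), profiles the target (attacking), and then correlates the two profiles under every key-byte hypothesis (key recovery):

```python
"""Model of Bernstein's timing attack on AES with its learning, attacking and
key-recovery phases. Added illustration for this deck, not Bernstein's code;
the 'black box' below is a constructed timing model in which the first-round
table lookup for byte i is slower when cache line (p[i] ^ k[i]) >> 4 of the
T-table (16 entries per 64-byte line) is not cached."""
import random

SLOW_LINES = {0, 1, 2, 4}   # assumed uncached lines of the T-table
SLOW_COST = 10.0            # assumed extra cycles for such a lookup
NOISE_SD = 3.0              # assumed measurement noise (cycles)


def aes_black_box_time(key, pt, rng):
    """Constructed timing of one encryption: only the timing is modelled."""
    misses = sum(1 for k, p in zip(key, pt) if ((k ^ p) >> 4) in SLOW_LINES)
    return misses * SLOW_COST + rng.gauss(0.0, NOISE_SD)


def timing_profile(key, samples, rng):
    """Average encryption time as a function of each plaintext byte: prof[i][v].
    Used unchanged for the learning phase (known key) and the attack phase."""
    sums = [[0.0] * 256 for _ in range(16)]
    counts = [[0] * 256 for _ in range(16)]
    for _ in range(samples):
        pt = bytes(rng.randrange(256) for _ in range(16))
        t = aes_black_box_time(key, pt, rng)
        for i, v in enumerate(pt):
            sums[i][v] += t
            counts[i][v] += 1
    return [[sums[i][v] / max(1, counts[i][v]) for v in range(256)]
            for i in range(16)]


def pearson(xs, ys):
    """Plain Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def recover_key_nibbles(learn_profile, learn_key, attack_profile):
    """Key recovery: for each byte i pick the candidate k whose shift of the
    learning profile (indexed by v ^ learn_key[i] ^ k) correlates best with the
    attack profile. Timing depends on the cache line only, so this pins down
    the high nibble of each key byte; the low nibbles are left for search."""
    found = []
    for i in range(16):
        def score(k, i=i):
            shifted = [learn_profile[i][v ^ learn_key[i] ^ k] for v in range(256)]
            return pearson(shifted, attack_profile[i])
        found.append(max(range(256), key=score) >> 4)
    return found


def run_attack(samples=16384, seed=7):
    """Returns (recovered high nibbles, true high nibbles of the secret key)."""
    rng = random.Random(seed)
    learn_key = bytes(rng.randrange(256) for _ in range(16))   # attacker's own server
    secret_key = bytes(rng.randrange(256) for _ in range(16))  # target server's key
    learn = timing_profile(learn_key, samples, rng)            # phase 1: learning
    attack = timing_profile(secret_key, samples, rng)          # phase 2: attacking
    recovered = recover_key_nibbles(learn, learn_key, attack)  # phase 3: key recovery
    return recovered, [b >> 4 for b in secret_key]


if __name__ == "__main__":
    rec, truth = run_attack()
    print("recovered:", rec)
    print("actual:   ", truth)
```

The per-byte profiles are noisy because the other 15 lookups and the measurement jitter average out only slowly, which is why the attack needs many samples per phase; with a line-granular leak the correlation peaks for all 16 candidates sharing the right high nibble, so the remaining 64 bits must come from later-round leakage or search.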
Threat Model and Attacks 6/6
3. Proposed Models
Proposed Models 1/4
Problem: direct or indirect cache interference
Previous approach: learn from the attacks and rewrite the software
Such solutions are attack specific and degrade performance (2x to 4x slower)
The authors attempt to eliminate the root cause with minimum impact and low cost
Two ideas: partitioning and randomization
Proposed Models 2/4
Partition-Locked Cache (PLCache)
(figure: each cache line is extended with a lock bit L and an ID field in front of the original cache line)
Proposed Models 3/4
Random Permutation Cache (RPCache)
Introduces a randomization factor: evictions carry no useful information about which memory lines were accessed
The memory-to-cache set mapping is permuted per process
Proposed Models 4/4
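To tie the attack slides (Percival's Prime+Probe on the RSA lookup table) to the two designs above, here is an added simulation that is not code from the deck, from Wang & Lee, from Percival or from OpenSSL. It models a small direct-mapped cache shared by an attacker process "A" and a victim process "V", runs the prime / victim lookup / probe sequence for every 4-bit exponent window, and reports how many windows the attacker pins down exactly. The cache geometry, the table and probe-array addresses, and the two defence models are simplifying assumptions: PLCache is modelled as locked lines that are never evicted (a miss that would replace one is served without caching), and RPCache as a secret per-victim permutation of set indices that is re-randomised by swapping one entry whenever a victim miss evicts an attacker line.

```python
"""Simplified model of Percival's Prime+Probe attack on an RSA multiplier
table (LUT), run against a conventional cache, a PLCache and an RPCache.
Added illustration for this deck, not code from Wang & Lee, Percival or
OpenSSL; the cache geometry, the addresses and the two defence models are
simplifying assumptions."""
import random

LINE = 64            # bytes per cache line (assumption)
NSETS = 64           # direct-mapped L1 with 64 sets (assumption)
NWINDOWS = 16        # 4-bit exponent windows -> 16 pre-computed multipliers
ENTRY = 64           # one multiplier per cache line (assumption)
LUT_BASE = 0x10000   # assumed address of the victim's lookup table
ATK_BASE = 0x20000   # assumed address of the attacker's probe array


class Cache:
    """Direct-mapped cache; each set holds one (owner, line number) tag."""

    def __init__(self, mode="traditional", rng=None):
        self.mode = mode                 # "traditional", "plcache" or "rpcache"
        self.rng = rng or random.Random(1)
        self.lines = [None] * NSETS
        self.locked = [False] * NSETS    # PLCache: sets holding a locked line
        self.perm = list(range(NSETS))   # RPCache: victim's secret set permutation
        if mode == "rpcache":
            self.rng.shuffle(self.perm)

    def physical_set(self, owner, addr):
        s = (addr // LINE) % NSETS
        # RPCache: only the protected (victim) process is mapped through its permutation
        return self.perm[s] if self.mode == "rpcache" and owner == "V" else s

    def lock(self, base, size):
        """PLCache: the victim pre-loads its table and locks those lines (new API)."""
        for addr in range(base, base + size, LINE):
            s = self.physical_set("V", addr)
            self.lines[s] = ("V", addr // LINE)
            self.locked[s] = True

    def access(self, owner, addr):
        """Return True on a hit, False on a miss (what the attacker's rdtsc timing reveals)."""
        s = self.physical_set(owner, addr)
        line = (owner, addr // LINE)
        if self.lines[s] == line:
            return True
        if self.mode == "plcache" and self.locked[s]:
            return False   # a locked line is never evicted; the fetched data is not cached
        if (self.mode == "rpcache" and owner == "V"
                and self.lines[s] is not None and self.lines[s][0] != owner):
            # interference with the protected process: re-randomise its mapping by
            # swapping this set's permutation entry with a random one (simplified)
            logical = (addr // LINE) % NSETS
            other = self.rng.randrange(NSETS)
            self.perm[logical], self.perm[other] = self.perm[other], self.perm[logical]
            s = self.perm[logical]
        self.lines[s] = line
        return False


def expected_set(idx):
    """Set where the attacker expects multiplier idx to live (plain address mapping)."""
    return (LUT_BASE // LINE + idx) % NSETS


def prime_probe(cache, window):
    """One Prime+Probe round; returns the sets that missed during the probe."""
    for i in range(NSETS):                              # prime: fill every set
        cache.access("A", ATK_BASE + i * LINE)
    cache.access("V", LUT_BASE + window * ENTRY)        # victim: one table lookup
    return {i for i in range(NSETS)                     # probe: re-touch and time
            if not cache.access("A", ATK_BASE + i * LINE)}


def candidate_windows(misses):
    """Key windows consistent with the observed misses."""
    return [w for w in range(NWINDOWS) if expected_set(w) in misses]


def run_attack(mode, seed=1):
    cache = Cache(mode, random.Random(seed))
    if mode == "plcache":
        cache.lock(LUT_BASE, NWINDOWS * ENTRY)
    return [candidate_windows(prime_probe(cache, w)) for w in range(NWINDOWS)]


def exact_recoveries(mode, seed=1):
    """Windows the attacker pins down to exactly the right value."""
    return sum(1 for w, c in enumerate(run_attack(mode, seed)) if c == [w])


if __name__ == "__main__":
    for mode in ("traditional", "plcache", "rpcache"):
        print(f"{mode:12s}: {exact_recoveries(mode)} of {NWINDOWS} windows recovered")
```

Against the conventional cache every window is recovered from the single evicted set. With PLCache the probe always misses on the same sixteen locked sets whatever the victim did, so every window remains a 16-way ambiguity; with RPCache the attacker still sees one eviction per round, but the set it lands in is unrelated to the table index, so only chance coincidences are "recovered".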
4. Evaluation
Evaluation 1/2
OpenSSL 0.9.7a AES implementation
Traditional cache, L1 PLCache and L1 RPCache
5 KByte of AES data protected
L2 is large enough: no performance impact
Evaluation 2/2
PLCache & RPCache implemented in the M-Sim v2.0 simulator
5. Conclusions
Conclusions
Cache-based side channel attacks threaten all general-purpose, cache-based systems
Software solutions are attack specific
Hardware solutions are general purpose
PLCache: minimal hardware cost, but software developers must use a different API to lock the protected data
RPCache: more area and complexity in hardware, but no special treatment is needed from software developers