![Page 1: Cross-VM Side Channels and Their Use to Extract Private Keys Yinqian Zhang (UNC-Chapel Hill) Ari Juels (RSA Labs) Michael K. Reiter (UNC-Chapel Hill) Thomas](https://reader036.vdocument.in/reader036/viewer/2022062318/551aa832550346e0158b5d69/html5/thumbnails/1.jpg)
Cross-VM Side Channels and Their Use to Extract Private Keys
Yinqian Zhang (UNC-Chapel Hill)
Ari Juels (RSA Labs)
Michael K. Reiter (UNC-Chapel Hill)
Thomas Ristenpart (U Wisconsin-Madison)
Motivation
Security Isolation by Virtualization
[Diagram: an attacker VM and a victim VM holding crypto keys, both on a virtualization layer above shared computer hardware.]
Access-Driven Cache Timing Channel
[Diagram: an attacker VM and a victim VM holding crypto keys on Xen, connected by side channels.]
An open problem: Are cryptographic side-channel attacks possible in a virtualized environment?
Related Work
[Table with columns Publication, Multi-Core, Virtualization, w/o SMT and Target; the publication and target entries are:]
• Percival 2005: RSA
• Osvik et al. 2006: AES
• Neve et al. 2006: AES
• Aciicmez 2007: RSA
• Ristenpart et al. 2009: load
• Aciicmez et al. 2010: DSA
• Bangerter 2011: AES
• Our work: ElGamal
Outline
• Stage 1: Cross-VM Side Channel Probing
  – output: vectors of cache measurements
• Stage 2: Cache Pattern Classification
  – output: sequences of SVM-classified labels
• Stage 3: Noise Reduction
  – output: fragments of code path
• Stage 4: Code-Path Reassembly
Digress: Prime-Probe Protocol
[Diagram: timeline showing PRIME, the PRIME-PROBE interval and PROBE on one cache set of a 4-way set associative L1 I-Cache.]
Cross-VM Side Channel Probing
[Diagram: attacker VM and victim VM on a Xen host with four L1 I-caches.]
Challenge: Observation Granularity
[Diagram: timeline with 30 ms intervals for the victim and attacker VM/VCPUs, which share an L1 I-Cache.]
• W/ SMT: tiny prime-probe intervals
• W/o SMT: gaming schedulers
Ideally …
Short intervals
• Use Interrupts to preempt the victim:
  – Timer interrupts?
  – Network interrupts?
  – HPET interrupts?
  – Inter-Processor interrupts (IPI)!
Inter-Processor Interrupts
[Diagram: Xen host with two CPU cores; labels: victim VM/VCPU, attacker VM with an attacker VCPU and an IPI VCPU.]

    for ( ; ; ) {
        send_IPI();
        Delay();
    }
Cross-VM Side Channel Probing
[Diagram: timeline divided into 2.5 µs intervals.]
Square-and-Multiply (libgcrypt)

    /* y = x^e mod N, from libgcrypt */
    Modular Exponentiation (x, e, N):
        let e_n … e_1 be the bits of e
        y ← 1
        for e_i in {e_n … e_1}
            y ← Square(y)        (S)
            y ← Reduce(y, N)     (R)
            if e_i = 1 then
                y ← Multi(y, x)      (M)
                y ← Reduce(y, N)     (R)

e_i = 1 → “SRMR”
e_i = 0 → “SR”
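The key dependence noted on the slide above (a 1 bit runs "SRMR", a 0 bit runs "SR"), as an added C example that is not from the talk or from libgcrypt: it records the operation trace of the slide's algorithm beside a square-and-multiply-always variant whose trace is the same for every exponent. The 32-bit modulus limit, the function names and the sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for libgcrypt's multi-precision arithmetic (assumption):
   n must be below 2^32 so that products fit in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (a % n) * (b % n) % n;
}

/* The slide's algorithm: Multi runs only for 1 bits, so the operation
   trace is "SRMR" for a 1 bit and "SR" for a 0 bit.
   The caller provides a trace buffer of at least 4*nbits+1 bytes. */
uint64_t modexp_leaky(uint64_t x, uint64_t e, uint64_t n, int nbits, char *trace) {
    uint64_t y = 1 % n;
    trace[0] = '\0';
    for (int i = nbits - 1; i >= 0; i--) {
        y = mulmod(y, y, n); strcat(trace, "SR");
        if ((e >> i) & 1) { y = mulmod(y, x, n); strcat(trace, "MR"); }
    }
    return y;
}

/* Square-and-multiply-always: Multi runs for every bit and its result is
   kept or dropped with a mask, so the trace is the same for all exponents.
   This removes only the code-path leak; mulmod is not constant-time. */
uint64_t modexp_always(uint64_t x, uint64_t e, uint64_t n, int nbits, char *trace) {
    uint64_t y = 1 % n;
    trace[0] = '\0';
    for (int i = nbits - 1; i >= 0; i--) {
        y = mulmod(y, y, n); strcat(trace, "SR");
        uint64_t t = mulmod(y, x, n); strcat(trace, "MR");
        uint64_t mask = (uint64_t)0 - ((e >> i) & 1);  /* all ones if bit is 1 */
        y = (t & mask) | (y & ~mask);
    }
    return y;
}

int main(void) {
    /* Constructed sample: x = 7, N = 1000003, 4-bit exponents 1011 and 0100. */
    char a[64], b[64], c[64], d[64];
    modexp_leaky(7, 0xB, 1000003, 4, a);
    modexp_leaky(7, 0x4, 1000003, 4, b);
    modexp_always(7, 0xB, 1000003, 4, c);
    modexp_always(7, 0x4, 1000003, 4, d);
    printf("leaky:  %s | %s\nalways: %s | %s\n", a, b, c, d);
    return 0;
}
```

Both functions return the same value for the same inputs; only the first produces a trace that differs between the two exponents.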
Cache Pattern Classification
Key observation: Footprints of different functions are distinct in the I-Cache!
• Square(): cache set 1, 3, …, 59
• Multi(): cache set 2, 5, …, 60, 61
• Reduce(): cache set 2, 3, 4, …, 58
[Diagram: classification of cache footprints as Square(), Multi() or Reduce().]
Support Vector Machine
[Diagram: an SVM with the classes Square(), Multi() and Reduce().]
Noise: hypervisor context switch
Read more on SVM training
[Diagram: SVM; label sequences shown: "SS SS RRRR MMMM ……" and "S RR R".]
Noise Reduction
[Diagram: label sequence "SS SR RSRR MRM …… R" over the operations Square, Reduce and Multi.]
requires robust automated error correction
Hidden Markov Model
[Diagram: hidden Markov model with the states Multi, Square, Reduce and Unkn and the labels M, R and S, shown with the label sequence "SS SR RSRR MRM …… R"; part of the output is annotated "low confidence".]
Eliminate Non-Crypto Computation
[Diagram: SVM label sequence "S RRR MMM …… RR RRSR" passed to the hidden Markov model with the states Multi, Square, Reduce and Unkn and the labels M, R and S.]
• Key Observations
• S:M Ratio should be roughly 2:1 for long enough sequences!
• “MM” signals an error (never two sequential multiply operations)
Key Extraction
[Diagram: Xen host with four L1 I-caches, an attacker VCPU and a victim VCPU; the victim starts a decryption and the labels shown are Square, Reduce, Multi and Unkn.]
Multi-Core Processors
[Diagram: attacker VCPU, IPI VCPU, victim VCPU, another VCPU and Dom0 VCPU on a host with four L1 I-caches. Three successive frames show the strings "0100011...", "..#####..." and "##10100...".]
From an Attacker’s Perspective
#####1001111010#####0111101011############110101101#####0 1101110############ ###########........
Code-Path Reassembly
1001110010
1101011010111101111
11101110
100111*01*1101110
No error bit!
DNA ASSEMBLY
Evaluation
• Intel Yorkfield processor
  – 4 cores, 32 KB L1 instruction cache
• Xen + Linux + GnuPG + libgcrypt
  – Xen 4.0
  – Ubuntu 10.04, kernel version 2.6.32.16
  – Victim runs GnuPG v.2.0.19 (latest)
  – libgcrypt 1.5.0 (latest)
  – ElGamal, 4096 bits
Results
• Work-Conserving Scheduler
  – 300,000,000 prime-probe results (6 hours)
  – Over 300 key fragments
  – Brute force the key in ~9800 guesses
• Non-Work-Conserving Scheduler
  – 1,900,000,000 prime-probe results (45 hours)
  – Over 300 key fragments
  – Brute force the key in ~6600 guesses
Conclusion
• A combination of techniques
  – IPI + SVM + HMM + Sequence Assembly
• Demonstrate a cross-VM access-driven cache-based side-channel attack
  – Multi-core processors without SMT
  – Sufficient fidelity to exfiltrate cryptographic keys