A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL

Acıiçmez, Onur; Schindler, Werner

doi:10.1007/978-3-540-79263-5_16

Cited by 70 publications

(78 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Consequently, an attacker process that can trace the execution of the square-and-multiply exponentiation algorithm can recover the exponent [2,45,47]. We now show how we can attack this algorithm using the technique developed in Section IV.…”

Section: A Square-and-multiply Exponentiationmentioning

confidence: 99%

Last-Level Cache Side-Channel Attacks are Practical

Liu

Yarom

et al. 2015

2015 IEEE Symposium on Security and Privacy

806

712

View full text Add to dashboard Cite

We present an effective implementation of the PRIME+PROBE side-channel attack against the lastlevel cache. We measure the capacity of the covert channel the attack creates and demonstrate a cross-core, cross-VM attack on multiple versions of GnuPG. Our technique achieves a high attack resolution without relying on weaknesses in the OS or virtual machine monitor or on sharing memory between attacker and victim.

show abstract

Section: A Square-and-multiply Exponentiationmentioning

confidence: 99%

Last-Level Cache Side-Channel Attacks are Practical

Liu

Yarom

et al. 2015

2015 IEEE Symposium on Security and Privacy

806

712

View full text Add to dashboard Cite

show abstract

“…Our approach is low cost, and it draws upon earlier work in quelling control and data timing leakage, but 2 A control hammock is a CFG construct where control diverges from a single point based on a predicate and then reconverges again to a single point. This construct is typically formed by IF and SWITCH statements.…”

Section: B Eliminating Timing Attacks With Ozonementioning

confidence: 99%

“…Examples of resource sharing timing side-channel attacks include L1 instruction cache based attacks [2], L1 data cache based attacks [20], branch predictor based attacks [1] and most recently last-level cache based attacks [17], [25].…”

Section: Resource Sharingmentioning

confidence: 99%

Øzone: Efficient execution with zero timing leakage for modern microarchitectures

Aweke

Austin

2017

2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)

View full text Add to dashboard Cite

Abstract-Time variation during program execution can leak sensitive information. Time variations due to program control flow and hardware resource contention have been used to steal encryption keys in cipher implementations such as AES and RSA. A number of approaches to mitigate timing-based side-channel attacks have been proposed including cache partitioning, controlflow obfuscation and injecting timing noise into the outputs of code. While these techniques make timing-based side-channel attacks more difficult, they do not eliminate the risks. Prior techniques are either too specific or too expensive, and all leave remnants of the original timing side channel for later attackers to attempt to exploit.In this work, we show that the state-of-the-art techniques in timing side-channel protection, which limit timing leakage but do not eliminate it, still have significant vulnerabilities to timing-based side-channel attacks. To provide a means for total protection from timing-based side-channel attacks, we develop Ozone, the first zero timing leakage execution resource for a modern microarchitecture. Code in Ozone execute under a special hardware thread that gains exclusive access to a single core's resources for a fixed (and limited) number of cycles during which it cannot be interrupted. Memory access under Ozone thread execution is limited to a fixed size uncached scratchpad memory, and all Ozone threads begin execution with a known fixed microarchitectural state. We evaluate Ozone using a number of security sensitive kernels that have previously been targets of timing side-channel attacks, and show that Ozone eliminates timing leakage with minimal performance overhead. I. INTRODUCTIONPerhaps the most fruitful hardware security vulnerability has been timing-based side-channel attacks. A timing-based sidechannel attack 1 is one in which the time it takes to perform specific operations reveals information about secrets within the system. There are three characteristics of modern systems that enable timing-based side-channel attacks: 1. Variable-latency operations: In an effort to improve the performance of a system, common operations are made to take less time to execute than uncommon ones; thus, it becomes possible to infer the constituency of instructions a program executes simply by examining its latency. Furthermore, control flow, speculation, caches, and a variety of other system features render execution latencies that are a function of the program's code and data, thereby creating opportunities to learn about such things. Kocher used this characteristic to attack RSA authentication [11], after noting that early RSA implentations performed different amounts of work for "0" and "1" key bits. 2. Resource sharing: To keep costs in check, functional and storage resources in a modern microarchitecture are shared concurrently among threads and processes; thus, it becomes possible for an attacker program to create contention on these resources and examine, by virtue of its own performance, the extent to which the sha...

show abstract

“…Aciiçmez and Schindler [1] demonstrate that not only data cache, but also instruction cache attacks are also effective. Over the last decade, researchers have developed abstract models of cryptography that capture side-channels, and developed constructions that are secure in these models, see e.g.…”

Section: Related Workmentioning

confidence: 99%

System-level Non-interference for Constant-time Cryptography

Barthe

Betarte

Campo

et al. 2014

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

122

View full text Add to dashboard Cite

Abstract. Cache-based attacks are a class of side-channel attacks that are particularly effective in virtualized or cloud-based environments, where they have been used to recover secret keys from cryptographic implementations. One common approach to thwart cache-based attacks is to use constant-time implementations, i.e. which do not branch on secrets and do not perform memory accesses that depend on secrets. However, there is no rigorous proof that constant-time implementations are protected against concurrent cache-attacks in virtualization platforms with shared cache; moreover, many prominent implementations are not constant-time. An alternative approach is to rely on system-level mechanisms. One recent such mechanism is stealth memory, which provisions a small amount of private cache for programs to carry potentially leaking computations securely. Stealth memory induces a weak form of constant-time, called S-constant-time, which encompasses some widely used cryptographic implementations. However, there is no rigorous analysis of stealth memory and S-constant-time, and no tool support for checking if applications are S-constant-time. We propose a new information-flow analysis that checks if an x86 application executes in constant-time, or in S-constant-time. Moreover, we prove that constant-time (resp. S-constant-time) programs do not leak confidential information through the cache to other operating systems executing concurrently on virtualization platforms (resp. platforms supporting stealth memory). The soundness proofs are based on new theorems of independent interest, including isolation theorems for virtualization platforms (resp. platforms supporting stealth memory), and proofs that constant-time implementations (resp. S-constant-time implementations) are non-interfering with respect to a strict information flow policy which disallows that control flow and memory accesses depend on secrets. We formalize our results using the Coq proof assistant and we demonstrate the effectiveness of our analyses on cryptographic implementations, including PolarSSL AES, DES and RC4, SHA256 and Salsa20.

show abstract

A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL

Cited by 70 publications

References 23 publications

Last-Level Cache Side-Channel Attacks are Practical

Last-Level Cache Side-Channel Attacks are Practical

Øzone: Efficient execution with zero timing leakage for modern microarchitectures

System-level Non-interference for Constant-time Cryptography

Contact Info

Product

Resources

About