Cache Misses and the Recovery of the Full AES 256 Key

Briongos, Samira; Malagón, Pedro; Goyeneche, Juan-Mariano de; Moya, José Manuel Huidobro

doi:10.20944/preprints201902.0088.v1

Cited by 5 publications

(6 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the threat of side channels and the availability of AES-NI hardware have resulted in declining usage of T-table AES for encryption and decryption operations, similar lessons do not seem to have been learned for the case of random number generation. Remarkably, even after more than a decade of attacks, [5,13,32,57,64] we show that unprotected and leaky T-tables are still used for encrypting the counter inside CTR_DRBG by the following popular implementations:…”

Section: A Our Contributionmentioning

confidence: 99%

Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Cohney

Kwong

Paz

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Section: A Our Contributionmentioning

confidence: 99%

Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Cohney

Kwong

Paz

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

“…The accesses to the tables are key dependant and not all of them are used during the encryption process. This fact has been exploited multiple times to recover the secret keys [4,9,36].…”

Section: Aes S-box Implementation In Opensslmentioning

confidence: 99%

“…The Flush+Reload [69] technique has revealed itself as one of the most reliable sources of information in cache attacks, especially when compared to the Prime+Probe technique [4,9,22,36]. The main reason is that, in the former case, observations are made on a shared memory block, whereas in the latter case, any other process running in the machine could force an eviction and the attacker would not be able to distinguish the origin of the eviction.…”

Section: Shared Memory and Detectionmentioning

confidence: 99%

“…We use the non-access approach described in [9]. In a nutshell, they used information from cache misses, that is whenever the victim did not load the data into the cache.…”

Section: Attack Against the Aesmentioning

confidence: 99%

“…Traditionally, cache side channel attacks have focused on cryptographic implementations. For instance, cache attacks have successfully retrieved ECDSA [68], RSA [22,33,70] and AES [4,9,36] keys, even breaking the isolation between virtual machines (VMs) [34,36,56]. As these attacks do not require any special privileges to succeed, side channel attacks pose a great threat and keep gaining attention.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

CACHE SNIPER : Accurate timing control of cache evictions

Briongos,

Bruhns,

Malagón

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

Microarchitectural side channel attacks have been very prominent in security research over the last few years. Caches have been an outstanding covert channel, as they provide high resolution and generic cross-core leakage even with simple user-mode code execution privileges. To prevent these generic cross-core attacks, all major cryptographic libraries now provide countermeasures to hinder key extraction via cross-core cache attacks, for instance avoiding secret dependent access patterns and prefetching data. In this paper, we show that implementations protected by 'good-enough' countermeasures aimed at preventing simple cache attacks are still vulnerable. We present a novel attack that uses a special timing technique to determine when an encryption has started and then evict the data precisely at the desired instant. This new attack does not require special privileges nor explicit synchronization between the attacker and the victim.One key improvement of our attack is a method to evict data from the cache with a single memory access and in absence of shared memory by leveraging the transient capabilities of TSX and relying on the recently reverse-engineered L3 replacement policy. We demonstrate the efficiency by performing an asynchronous last level cache attack to extract an RSA key from the latest wolfSSL library, which has been especially adapted to avoid leaky access patterns, and by extracting an AES key from the S-Box implementation included in OpenSSL bypassing the per round prefetch intended as a protection against cache attacks.

show abstract

A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography

et al. 2021

View full text Add to dashboard Cite

Side-channel attacks have become a severe threat to the confidentiality of computer applications and systems. One popular type of such attacks is the microarchitectural attack, where the adversary exploits the hardware features to break the protection enforced by the operating system and steal the secrets from the program. In this article, we systematize microarchitectural side channels with a focus on attacks and defenses in cryptographic applications. We make three contributions. (1) We survey past research literature to categorize microarchitectural side-channel attacks. Since these are hardware attacks targeting software, we summarize the vulnerable implementations in software, as well as flawed designs in hardware. (2) We identify common strategies to mitigate microarchitectural attacks, from the application, OS, and hardware levels. (3) We conduct a large-scale evaluation on popular cryptographic applications in the real world and analyze the severity, practicality, and impact of side-channel vulnerabilities. This survey is expected to inspire side-channel research community to discover new attacks, and more importantly, propose new defense solutions against them.

show abstract

Cache Misses and the Recovery of the Full AES 256 Key

Cited by 5 publications

References 29 publications

Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

CACHE SNIPER : Accurate timing control of cache evictions

A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography

Contact Info

Product

Resources

About