2018
DOI: 10.1007/s10766-018-0611-9

MemJam: A False Dependency Attack Against Constant-Time Crypto Implementations

Abstract: Cache attacks exploit the memory access patterns of cryptographic implementations. Constant-time implementation techniques have become an indispensable tool in fighting cache timing attacks: they engineer the memory accesses of cryptographic operations to follow a uniform, key-independent pattern. However, constant-time behavior depends on the underlying architecture, which can be highly complex and often incorporates unpublished features. The CacheBleed attack targets cache bank conflicts and ther…
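The abstract's point is that "uniform memory access pattern" is only as strong as the granularity at which the hardware actually observes addresses. The following is an added example written for this page, not code from the MemJam paper or from any of the cited works. It places a table lookup that is uniform only at cache-line granularity beside one whose loaded addresses do not depend on the index at all. The `trace_t` recorder and the `read_at` hook are hypothetical instrumentation that logs which table offsets are loaded, so the two variants can be compared by address sequence rather than by a timing measurement; the 256-byte table is a constructed stand-in for an S-box, not the AES S-box, and the 64-byte line size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 256                       /* one byte-indexed table, like an S-box */
#define LINE_SIZE  64                        /* assumed cache-line size in bytes */
#define MAX_TRACE  (TABLE_SIZE + TABLE_SIZE / LINE_SIZE)

/* Constructed sample table: a 256-entry permutation standing in for an
 * S-box (odd multiplier mod 256 gives a bijection). Not the AES S-box. */
static uint8_t sbox[TABLE_SIZE];

static void init_table(void) {
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        sbox[i] = (uint8_t)((i * 167u + 13u) & 0xffu);
}

/* Hypothetical instrumentation: records every table offset that is loaded,
 * so two lookups can be compared by their address sequence instead of by
 * measuring timing. */
typedef struct {
    size_t   len;
    uint16_t offset[MAX_TRACE];
} trace_t;

static uint8_t read_at(trace_t *t, size_t off) {
    if (t->len < MAX_TRACE)
        t->offset[t->len++] = (uint16_t)off;
    return sbox[off];
}

/* Variant 1: touch every cache line of the table, then load the secret
 * index directly. At line granularity the access set is the same for every
 * idx, but the low address bits of the final load equal idx, which is what
 * an intra-line effect such as a cache-bank conflict can still observe. */
static uint8_t lookup_line_uniform(trace_t *t, uint8_t idx) {
    for (size_t off = 0; off < TABLE_SIZE; off += LINE_SIZE)
        (void)read_at(t, off);
    return read_at(t, idx);
}

/* Variant 2: load every entry in a fixed order and keep the wanted one with
 * a branch-free mask, so the loaded addresses are identical for every idx. */
static uint8_t lookup_fully_uniform(trace_t *t, uint8_t idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint32_t diff    = (uint32_t)i ^ (uint32_t)idx;
        uint32_t is_zero = (diff - 1u) >> 31;        /* 1 iff i == idx */
        uint8_t  mask    = (uint8_t)(0u - is_zero);  /* 0xff iff i == idx */
        result |= (uint8_t)(read_at(t, i) & mask);
    }
    return result;
}

/* Byte-granular observer: are the two address sequences identical? */
static int traces_equal(const trace_t *a, const trace_t *b) {
    return a->len == b->len &&
           memcmp(a->offset, b->offset, a->len * sizeof a->offset[0]) == 0;
}

/* Line-granular observer (classic cache attack): same lines in same order? */
static int traces_equal_per_line(const trace_t *a, const trace_t *b) {
    if (a->len != b->len) return 0;
    for (size_t i = 0; i < a->len; i++)
        if (a->offset[i] / LINE_SIZE != b->offset[i] / LINE_SIZE) return 0;
    return 1;
}

int main(void) {
    init_table();
    trace_t a = {0}, b = {0}, c = {0}, d = {0};
    lookup_line_uniform(&a, 0x03);   /* two secrets that share a cache line */
    lookup_line_uniform(&b, 0x3a);
    lookup_fully_uniform(&c, 0x03);
    lookup_fully_uniform(&d, 0xf7);
    printf("line-uniform lookup:  same lines=%d same addresses=%d\n",
           traces_equal_per_line(&a, &b), traces_equal(&a, &b));
    printf("fully-uniform lookup: same lines=%d same addresses=%d\n",
           traces_equal_per_line(&c, &d), traces_equal(&c, &d));
    return 0;
}
```

Two caveats a practitioner would check. First, the full-scan variant is only address-uniform if the compiler keeps the loop and the mask as written; an optimizer that turns the mask select into a conditional load or a branch reintroduces the dependency, so inspect the generated assembly rather than trusting the C source. Second, the price is 256 loads per lookup instead of one, which is the "slower code for better security" trade-off the page refers to; the trace comparison here is a simulation of what an address-level observer sees, not evidence about any particular CPU.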

Cited by 56 publications
(50 citation statements)
References 48 publications
“…8 Related work 8.1 Microarchitectural side/covert channel attacks This paper builds on a rich literature on microarchitectural side/covert channel attacks. Many processor structures have been shown to leak privacy over these channels, including a variety of cache architectures [57, 87–89], branch predictors [1,27], pipeline components [5,7,34], and other structures [26,33,53,63,83,85]. All these channels reveal information about data “in transit,” i.e., being operated on by specific instructions in the sender (victim) program.…”
Section: Colocating Attacker-controlled Data (mentioning)
confidence: 99%
“…Vectors 4, 5: sub-address optimizations: Numerous data oblivious codes, e.g., "constant time" cryptography [50], [51], make an assumption that modulating certain bits in a memory address (e.g., the bits indicating offset within a cache line) does not create observable behaviors. This assumption doesn't hold on some microarchitectures due to hardware optimizations such as speculative store forwarding (Vector 4) and cache banking (Vector 5), and attacks exploiting these features have been shown to lead to full cryptographic breaks [52], [53].…”
Section: B. Security Issues In Existing Data Oblivious Code (mentioning)
confidence: 99%
“…Case study: constant time AES: An important commercial use-case for data oblivious code today is "constant time" cryptography. Many papers have demonstrated how unprotected codes, e.g., T-table AES [35] and naive modular exponentiation for RSA, leak privacy over microarchitectural side channels [4], [53], [52]. As a result, practitioners use slower codes to improve security, e.g., S-box or bitslice AES [36] and Montgomery ladder exponentiation for RSA.…”
Section: (mentioning)
confidence: 99%
“…It is worth noting that since no shared memory exists between the victim enclave and the attacker, "Flush+Reload" [YF14] and "Flush+Flush" [GMWM16] cannot be used. According to Table 6, Bluethunder is able to recover instruction-level information, whose spatial resolution is much higher than page-level [GRBG18] or cache-level attacks [OST06,MWES19]. Also, since Bluethunder does not require cache eviction [OST06] or executing a large number of jump instructions for training [ERAG+18], its detectability is low.…”
Section: Abusing Collisions (mentioning)
confidence: 99%