Cache based side_channel_attacks Anestis Bechtsoudis
Download as PPT, PDF1 like793 views
This document discusses cache-based side channel attacks and proposes new cache designs to prevent them. It begins with an introduction to side channel attacks and two examples: an RSA attack using cache interference and an AES attack analyzing computation times. It then proposes two new cache architectures: a partitioned locked cache that isolates sensitive processes and a randomly permuting cache that obscures which cache lines are evicted. The models are evaluated using an OpenSSL AES implementation, finding the proposed designs prevent attacks with minimal performance overhead.
Cache based side_channel_attacks Anestis Bechtsoudis
- 1. LOGO New Cache Designs for Thwarting Software Cache-based Side Channel Attacks - Z. Wang & R. B. Lee Anestis Bechtsoudis mpechtsoud@ceid.upatras.gr Patra 2010
- 2. Cache Based Side Channel Attacks Contents 1 Introduction 2 Threat Model and Attacks 3 Proposed Models 4 Evaluation 5 Conclusions 2 COMPANY LOGO
- 3. Cache Based Side Channel Attacks 1. Introduction 3 COMPANY LOGO
- 4. Cache Based Side Channel Attacks Introduction 1/4 Information intensive society – imperative need for security Design of cryptographic systems to ensure the data protection Extensive test to cryptosystems over time Cryptanalysis: the study of techniques to reveal the secret parameters of a security system 4 COMPANY LOGO
- 5. Cache Based Side Channel Attacks Introduction 2/4 Classical cryptanalysis approach Weaknesses in the algorithm – mathematical model Attacks based on: ciphertext-only, known plaintext, chosen plaintext/ciphertext … Black box approach of the cryptosystem The cryptographic primitive is actually implemented in hardware Modern cryptanalysis: attacker knows much more for the device – side channel leakage 5 COMPANY LOGO
- 6. Cache Based Side Channel Attacks Introduction 3/4 6 COMPANY LOGO
- 7. Cache Based Side Channel Attacks Introduction 4/4 7 COMPANY LOGO
- 8. Cache Based Side Channel Attacks 2. Threat Model and Attacks 8 COMPANY LOGO
- 9. Cache Based Side Channel Attacks Threat Model and Attacks 1/6 Goal of the adversary is to learn information that he has no legitimate access to Adversary: one or more unprivileged user processes, including remote clients, in the server where the secrets are processed No physical access to the device Goal achieved by performing legitimate operations – normal process Victim and adversary are isolated processes 9 COMPANY LOGO
- 10. Cache Based Side Channel Attacks Threat Model and Attacks 2/6 Percival’s attack on OpenSSL implementation of RSA algorithm in a SMT CPU RSA core operation: modulo exponentiation – implemented with a series of ^2 and * The encryption key is divided into segments For each *, a multiplier is selected from precomputed constants stored in a LUT Segment of key is used to index the LUT 10 COMPANY LOGO
- 11. Cache Based Side Channel Attacks Threat Model and Attacks 3/6 Attacker manages to run simultaneously Attack process sequentially and repeatedly accesses an array, thus loading data to occupy all cache lines At the same time he measures the delay for each access to detect cache misses (ex. rdtsc timer in intel x86) Victim’s cache accesses evict attacker’s data, enabling detection from the attacker 11 COMPANY LOGO
- 12. Cache Based Side Channel Attacks Threat Model and Attacks 4/6 Cache RAM RSA Attacker The attacker can identify which table entry is accessed -> the index used -> segment of the key 12 COMPANY LOGO
- 13. Cache Based Side Channel Attacks Threat Model and Attacks 5/6 Bernstein’s Attack on AES AES - “Black Box” software module Give inputs and measure computation time The execution time is input dependant and can be exploited to recover secret key Attack consists of three phases: Learning, Attacking and Key Recovery Statistical correlation analysis 13 COMPANY LOGO
- 14. Cache Based Side Channel Attacks Threat Model and Attacks 6/6 14 COMPANY LOGO
- 15. Cache Based Side Channel Attacks 3. Proposed Models 15 COMPANY LOGO
- 16. Cache Based Side Channel Attacks Proposed Models 1/4 Problem -> Directly or indirectly cache interference Learn from attacks and rewrite software Solutions are attack specific and performance degradation (2x, 4x slower) Authors attempt to eliminate the root cause with minimum impact and low cost Ideas -> Partitioning - Randomization 16 COMPANY LOGO
- 17. Cache Based Side Channel Attacks Proposed Models 2/4 Partition-Locked Cache (PLCache) L ID Original Cache Line 17 COMPANY LOGO
- 18. Cache Based Side Channel Attacks Proposed Models 3/4 Random Permutation Cache (RPCache) Introduce randomization factor – no useful information about which cache lines evicted Memory-to-cache mappings 18 COMPANY LOGO
- 19. Cache Based Side Channel Attacks Proposed Models 4/4 19 COMPANY LOGO
- 20. Cache Based Side Channel Attacks 4. Evaluation 20 COMPANY LOGO
- 21. Cache Based Side Channel Attacks Evaluation 1/ OpenSSL 0.9.7a AES implementation Traditional cache, L1 PLCache and L1 RPCache 5KByte AES protected data L2 large enough – no performance impact 21 COMPANY LOGO
- 22. Cache Based Side Channel Attacks Evaluation 1/ PLCache & RPCache implemented in M-Sim v2.0 22 COMPANY LOGO
- 23. Cache Based Side Channel Attacks 5. Conclusions 23 COMPANY LOGO
- 24. Cache Based Side Channel Attacks Conclusions Cache-based side channel attacks can harm general purpose cache based systems Software solution -> attack specific Hardware solutions -> general purpose PLCache: minimal hardware cost – software developer must use different API RPCache: area & complexity in hardware – no special treatment from software developers 24 COMPANY LOGO