Micro-Architectural Analysis of Time-Driven Cache Attacks: Quest for the Ideal Implementation

Time-driven attacks on the data cache are a lethal form of cryptanalytic attack for block ciphers implemented with look-up tables. The difference of means (DOM) observed in the execution time of a block cipher is often used as a distinguisher to glean information about the secret key. The effectiveness of this distinguisher has long been attributed to the number of cache misses that occur during the encryption. In this paper, we show that micro-architectural acceleration features in cache memories that are used to reduce the miss penalty (such as pipelining, parallelism, out-of-order execution, and non-blocking memory accesses) contribute significantly to the leakage. We develop a framework to analyze the DOM distinguisher considering architectural as well as micro-architectural acceleration components in the cache memory. Our findings, which are experimentally verified, show that the two contributing leakage factors (namely the number of cache misses and the micro-architectural acceleration features) affect the DOM in opposite directions. One leakage source results in a positive DOM while the other causes a negative DOM. This opposing characteristic of the leakages makes it feasible to implement block ciphers in a way such that the two leakages cancel each other, thus leading to implementations with higher resistance against time-driven cache attacks.
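As an added illustration of the abstract's central claim, and not the paper's own model or code: a toy Python cycle model in which table-lookup misses lengthen the encryption while a non-blocking cache lets consecutive misses overlap, so that the DOM flips sign as the acceleration credit grows. TABLE_ENTRIES, LINE_ENTRIES, the cost constants and the overlap rule are all assumptions; the DOM is taken here as T(no collision) minus T(collision).

```python
import random
from statistics import mean

TABLE_ENTRIES = 256   # assumed: a 256-entry byte-indexed look-up table
LINE_ENTRIES = 16     # assumed: 16 table entries per cache line

def timing_model(indices, miss_penalty, overlap_credit):
    """Constructed (not the paper's) cycle model for one sequence of table
    lookups on a cold cache.  A hit costs 1 cycle; a miss costs miss_penalty.
    Non-blocking cache: a miss that directly follows another miss overlaps
    with it and recovers overlap_credit cycles.  A hit in between breaks the
    chain of overlapping misses; in this toy model that is what makes the
    two leakage sources pull the DOM in opposite directions."""
    seen, cycles, prev_miss = set(), 0, False
    for idx in indices:
        line = idx // LINE_ENTRIES
        if line in seen:                      # cache hit
            cycles += 1
            prev_miss = False
        else:                                 # cache miss
            seen.add(line)
            cycles += miss_penalty - (overlap_credit if prev_miss else 0)
            prev_miss = True
    return cycles

def has_collision(indices):
    """True if at least two lookups touch the same cache line."""
    return len({i // LINE_ENTRIES for i in indices}) < len(indices)

def dom_estimate(miss_penalty, overlap_credit, n_lookups=4, samples=4000, seed=1):
    """Difference of means T(no collision) - T(collision) over random lookup
    sequences.  Positive: collisions shorten the encryption (miss-count leakage
    dominates).  Negative: the acceleration features dominate."""
    rng = random.Random(seed)                 # fixed seed: reproducible estimate
    coll, no_coll = [], []
    for _ in range(samples):
        idx = [rng.randrange(TABLE_ENTRIES) for _ in range(n_lookups)]
        t = timing_model(idx, miss_penalty, overlap_credit)
        (coll if has_collision(idx) else no_coll).append(t)
    return mean(no_coll) - mean(coll)

if __name__ == "__main__":
    # Sweep the acceleration credit: the DOM moves from positive to negative,
    # passing through a region where the two leakages roughly cancel.
    for credit in (0, 10, 20, 30, 39):
        print(f"overlap_credit={credit:2d}  DOM={dom_estimate(40, credit):+.1f}")
```

The sweep is the check a defender would run on a candidate implementation's timing model: an implementation whose DOM sits near zero across realistic parameters is the "ideal" the abstract describes.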
