Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice

Side channel attacks on cryptographic systems exploit information gained from physical implementations rather than theoretical weaknesses of a scheme. In recent years, major achievements were made for the class of so called access-driven cache attacks. Such attacks exploit the leakage of the memory locations accessed by a victim process. In this paper we consider the AES block cipher and present an attack which is capable of recovering the full secret key in almost real time for AES-128, requiring only a very limited number of observed encryptions. Unlike previous attacks, we do not require any information about the plaintext (such as its distribution, etc.). Moreover, for the first time, we also show how the plaintext can be recovered without having access to the cipher text at all. It is the first working attack on AES implementations using compressed tables. There, no efficient techniques to identify the beginning of AES rounds is known, which is the fundamental assumption underlying previous attacks. We have a fully working implementation of our attack which is able to recover AES keys after observing as little as 100 encryptions. It works against the OpenS SL 0.9.8n implementation of AES on Linux systems. Our spy process does not require any special privileges beyond those of a standard Linux user. A contribution of probably independent interest is a denial of service attack on the task scheduler of current Linux systems (CFS), which allows one to observe (on average) every single memory access of a victim process.

[1]  PRAVIN B. GHEWARI,et al.  Efficient Hardware Design and Implementation of AES Cryptosystem , 2010 .

[2]  Robert Könighofer,et al.  A Fast and Cache-Timing Resistant Implementation of the AES , 2008, CT-RSA.

[3]  Franc Novak,et al.  HARDWARE IMPLEMENTATION OF AES ALGORITHM , 2005 .

[4]  Michael I. Jordan,et al.  Neural networks , 1996, CSUR.

[5]  Jean-Pierre Seifert,et al.  A refined look at Bernstein's AES side-channel analysis , 2006, ASIACCS '06.

[6]  Jean-Pierre Seifert,et al.  Advances on Access-Driven Cache Attacks on AES , 2006, Selected Areas in Cryptography.

[7]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[8]  Joan Daemen,et al.  AES Proposal : Rijndael , 1998 .

[9]  J. Nocedal,et al.  A Limited Memory Algorithm for Bound Constrained Optimization , 1995, SIAM J. Sci. Comput..

[10]  No License,et al.  Intel ® 64 and IA-32 Architectures Software Developer ’ s Manual Volume 3 A : System Programming Guide , Part 1 , 2006 .

[11]  Tao Wang,et al.  Improved Cache Trace Attack on AES and CLEFIA by Considering Cache Miss and S-box Misalignment , 2010, IACR Cryptol. ePrint Arch..

[12]  W. Pitts,et al.  A Logical Calculus of the Ideas Immanent in Nervous Activity (1943) , 2021, Ideas That Created the Future.

[13]  Onur Aciiçmez,et al.  Cache Based Remote Timing Attack on the AES , 2007, CT-RSA.

[14]  Jean-Pierre Seifert,et al.  Software mitigations to hedge AES against cache-based software side channel vulnerabilities , 2006, IACR Cryptol. ePrint Arch..

[15]  Patrice Y. Simard,et al.  Best practices for convolutional neural networks applied to visual document analysis , 2003, Seventh International Conference on Document Analysis and Recognition, 2003. Proceedings..

[16]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[17]  Bodo Möller Algorithms for Multi-exponentiation , 2001, Selected Areas in Cryptography.

[18]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[19]  Adi Shamir,et al.  Efficient Cache Attacks on AES, and Countermeasures , 2010, Journal of Cryptology.

[20]  Risto M. Hakala,et al.  Cache-Timing Template Attacks , 2009, ASIACRYPT.

[21]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[22]  T. Bayes An essay towards solving a problem in the doctrine of chances , 2003 .

[23]  W S McCulloch,et al.  A logical calculus of the ideas immanent in nervous activity , 1990, The Philosophy of Artificial Intelligence.

[24]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[25]  Hiroshi Miyauchi,et al.  Cryptanalysis of DES Implemented on Computers with Cache , 2003, CHES.

[26]  OpenSSL OpenSSL : The open source toolkit for SSL/TSL , 2002 .

[27]  Dan Page,et al.  Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel , 2002, IACR Cryptol. ePrint Arch..

[28]  Christopher M. Bishop,et al.  Neural networks for pattern recognition , 1995 .

[29]  Onur Aciiçmez,et al.  Trace-Driven Cache Attacks on AES , 2006, IACR Cryptol. ePrint Arch..

[30]  Cédric Lauradoux,et al.  Collision attacks on processors with cache and countermeasures , 2005, WEWoRC.

[31]  Onur Aciiçmez,et al.  An Analytical Model for Time-Driven Cache Attacks , 2007, FSE.

[32]  Dan Page,et al.  Defending against cache-based side-channel attacks , 2003, Inf. Secur. Tech. Rep..

[33]  Joseph Bonneau,et al.  Cache-Collision Timing Attacks Against AES , 2006, CHES.

[34]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[35]  Vittorio Zaccaria,et al.  AES power attack based on induced cache miss and countermeasure , 2005, International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II.

[36]  Simon Heron,et al.  Encryption: Advanced Encryption Standard (AES) , 2009 .

[37]  Dan Tsafrir,et al.  Secretly Monopolizing the CPU Without Superuser Privileges , 2007, USENIX Security Symposium.

[38]  Michael Tunstall,et al.  Improved Trace-Driven Cache-Collision Attacks against Embedded AES Implementations , 2010, WISA.

[39]  Onur Aciiçmez,et al.  New Results on Instruction Cache Attacks , 2010, CHES.

[40]  Bruce Schneier,et al.  Side channel cryptanalysis of product ciphers , 2000 .