Lucky 13 Strikes Back

In this work we show how the Lucky 13 attack can be resurrected in the cloud by gaining access to a virtual machine co-located with the target. Our version of the attack exploits distinguishable cache access times enabled by VM deduplication to detect dummy function calls that only happen in case of an incorrectly CBC-padded TLS packet. Thereby, we gain back a new covert channel not considered in the original paper that enables the Lucky 13 attack. In fact, the new side channel is significantly more accurate, thus yielding a much more effective attack. We briefly survey prominent cryptographic libraries for this vulnerability. The attack currently succeeds to compromise PolarSSL, GnuTLS and CyaSSL on deduplication enabled platforms while the Lucky 13 patches in OpenSSL, Mozilla NSS and MatrixSSL are immune to this vulnerability. We conclude that, any program that follows secret data dependent execution flow is exploitable by side-channel attacks as shown in (but not limited to) our version of the Lucky 13 attack.

[1]  Wei-Ming Hu,et al.  Lattice scheduling and covert channels , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[2]  Bruce Schneier,et al.  Side Channel Cryptanalysis of Product Ciphers , 1998, J. Comput. Secur..

[3]  Carl A. Waldspurger,et al.  Memory resource management in VMware ESX server , 2002, OSDI '02.

[4]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[5]  Dan Page,et al.  Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel , 2002, IACR Cryptol. ePrint Arch..

[6]  OpenSSL OpenSSL : The open source toolkit for SSL/TSL , 2002 .

[7]  Hiroshi Miyauchi,et al.  Cryptanalysis of DES Implemented on Computers with Cache , 2003, CHES.

[8]  Gregory V. Bard,et al.  The Vulnerability of SSL to Chosen Plaintext Attack , 2004, IACR Cryptol. ePrint Arch..

[9]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[10]  Joseph Bonneau,et al.  Robust Final-Round Cache-Trace Attacks Against AES , 2006, IACR Cryptol. ePrint Arch..

[11]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[12]  Joseph Bonneau,et al.  Cache-Collision Timing Attacks Against AES , 2006, CHES.

[13]  Gregory V. Bard,et al.  A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL , 2006, SECRYPT.

[14]  Onur Aciiçmez,et al.  Yet another MicroArchitectural Attack:: exploiting I-Cache , 2007, CSAW '07.

[15]  Adi Shamir,et al.  Efficient Cache Attacks on AES, and Countermeasures , 2010, Journal of Cryptology.

[16]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[17]  Cyrille Artho,et al.  Software Side Channel Attack on Memory Deduplication , 2011, SOSP 2011.

[18]  Stephan Krenn,et al.  Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice , 2011, 2011 IEEE Symposium on Security and Privacy.

[19]  Wang Tao,et al.  An Improved Trace Driven Instruction Cache Timing Attack on RSA , 2011, IACR Cryptol. ePrint Arch..

[20]  Cyrille Artho,et al.  Memory deduplication as a threat to the guest OS , 2011, EUROSEC '11.

[21]  Kenneth G. Paterson,et al.  Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol , 2011, ASIACRYPT.

[22]  An Improved Trace Driven Instruction Cache Timing Attack on RSA. , 2011 .

[23]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[24]  Graham Steel,et al.  Efficient Padding Oracle Attacks on Cryptographic Hardware , 2012, IACR Cryptol. ePrint Arch..

[25]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[26]  Kenneth G. Paterson,et al.  On the Security of RC4 in TLS , 2013, USENIX Security Symposium.

[27]  Gorka Irazoqui Apecechea,et al.  Fine Grain Cross-VM Attacks on Xen and VMware , 2014, 2014 IEEE Fourth International Conference on Big Data and Cloud Computing.

[28]  Naomi Benger,et al.  "Ooh Aah... Just a Little Bit" : A Small Amount of Side Channel Can Go a Long Way , 2014, CHES.

[29]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.