Cache timing attacks on NoC-based MPSoCs

Rising demands for increased performance, lower energy consumption, connectivity and programming exibility are nowadays driving the platforms, so-called Multi-Processor Systems-on-Chips (MPSoCs). These platforms are composed of several processing elements, custom IP cores, and memories, all of which are in general interconnected by a Network-on-Chip (NoC). As attractive as these characteristics are, they introduce several security concerns, specially when applications with different trust and protection levels share resources. When a malicious software acquires access to an IP, it opens a door to external surveillance of the cache-memory, processing units and the NoC communication structure. The cache memory was already exploited by several authors in ASICs and Systems-on-Chips through Side-Channel Attacks (SCAs). In this work, we expand this concept, exploring the timing attacks on caches in the MPSoC scenario. We implement two well established attacks in the literature on a real hardware platform, the MPSoC Glass. Furthermore, we present the NoC as a novel vulnerability to increase attack eciency, resulting in the Earthquake Attack. Results show that the attacks from literature can succeed inside the MPSoC, and obtain better results. Additionally, Earthquake improves the base attack by using the NoC timing attack, reducing the remaining attack complexity from 236:9 to 232 with 216:6 encryptions instead of 227:97.

[1]  Catherine H. Gebotys,et al.  Secure Elliptic Curve Implementations: An Analysis of Resistance to Power-Attacks in a DSP Processor , 2002, CHES.

[2]  Gianluca Palermo,et al.  A security monitoring service for NoCs , 2008, CODES+ISSS '08.

[3]  Gorka Irazoqui Apecechea,et al.  Fine Grain Cross-VM Attacks on Xen and VMware , 2014, 2014 IEEE Fourth International Conference on Big Data and Cloud Computing.

[4]  Martha Johanna Sepúlveda,et al.  NoC-Based Protection for SoC Time-Driven Attacks , 2015, IEEE Embedded Systems Letters.

[5]  Francis Olivier,et al.  Electromagnetic Analysis: Concrete Results , 2001, CHES.

[6]  Bruce Schneier,et al.  Side Channel Cryptanalysis of Product Ciphers , 1998, J. Comput. Secur..

[7]  Mahmoud Ahmadian,et al.  A practical differential power analysis attack against an FPGA implementation of AES cryptosystem , 2010, 2010 International Conference on Information Society.

[8]  G. Edward Suh,et al.  Efficient Timing Channel Protection for On-Chip Networks , 2012, 2012 IEEE/ACM Sixth International Symposium on Networks-on-Chip.

[9]  Ahmed Amine Jerraya,et al.  Multiprocessor System-on-Chip (MPSoC) Technology , 2008, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[10]  Raphael Spreitzer,et al.  Towards More Practical Time-Driven Cache Attacks , 2014, WISTP.

[11]  Martha Johanna Sepúlveda,et al.  Elastic security zones for NoC-based 3D-MPSoCs , 2014, 2014 21st IEEE International Conference on Electronics, Circuits and Systems (ICECS).

[12]  Joseph Bonneau,et al.  Cache-Collision Timing Attacks Against AES , 2006, CHES.

[13]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[14]  Cezar Reinbrecht,et al.  Gossip NoC -- Avoiding Timing Side-Channel Attacks through Traffic Management , 2016, 2016 IEEE Computer Society Annual Symposium on VLSI (ISVLSI).

[15]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[16]  Onur Aciiçmez,et al.  Trace-Driven Cache Attacks on AES , 2006, IACR Cryptol. ePrint Arch..

[17]  Cédric Lauradoux,et al.  Collision attacks on processors with cache and countermeasures , 2005, WEWoRC.

[18]  Michael Hutter,et al.  The Temperature Side Channel and Heating Fault Attacks , 2013, CARDIS.

[19]  Martha Johanna Sepúlveda,et al.  Efficient and flexible NoC-based group communication for secure MPSoCs , 2015, 2015 International Conference on ReConFigurable Computing and FPGAs (ReConFig).

[20]  Benedikt Heinz,et al.  A Cache Timing Attack on AES in Virtualization Environments , 2012, Financial Cryptography.

[21]  Bart Preneel,et al.  Power-analysis attack on an ASIC AES implementation , 2004, International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004..

[22]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[23]  Hiroshi Miyauchi,et al.  Cryptanalysis of DES Implemented on Computers with Cache , 2003, CHES.

[24]  Andrey Bogdanov,et al.  Differential Cache-Collision Timing Attacks on AES with Applications to Embedded CPUs , 2010, CT-RSA.

[25]  Onur Aciiçmez,et al.  Cache Based Remote Timing Attack on the AES , 2007, CT-RSA.

[26]  Cezar Reinbrecht,et al.  Timing attack on NoC-based systems: Prime+Probe attack and NoC-based protection , 2017, Microprocess. Microsystems.

[27]  Cezar Reinbrecht,et al.  Earthquake — A NoC-based optimized differential cache-collision attack for MPSoCs , 2018, 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[28]  Georg Sigl,et al.  On Cache Timing Attacks Considering Multi-core Aspects in Virtualized Embedded Systems , 2014, INTRUST.

[29]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .