Abstract
We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux’s dm-crypt encrypted partitions (in the latter case, the full key can be recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we describe several countermeasures for mitigating such attacks.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Anderson, R.J., Biham, E., Knudsen, L.R.: Serpent: A proposal for the Advanced Encryption Standard. AES submission (1998), http://www.cl.cam.ac.uk/~rja14/serpent.html
Bernstein, D.: Cache-timing attacks on AES (2005) (preprint), http://cr.yp.to/papers.html#cachetiming
Biham, E.: A fast new DES implementation in software. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 260–272. Springer, Heidelberg (1997)
Daemen, J., Rijmen, V.: AES Proposal: Rijndael, version 2, AES submission (1999), http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael-ammended.pdf
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. Journal of the ACM 43(3), 431–473 (1996)
Koeune, F., Quisquater, J.: A timing attack against Rijndael, technical report CG-1999/1, Université catholique de Louvain, http://www.dice.ucl.ac.be/crypto/tech_reports/CG1999_1.ps.gz
Hu, W.-M.: Lattice scheduling and covert channels. In: IEEE Symposium on Security and Privacy, pp. 52–61. IEEE, Los Alamitos (1992)
Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Side channel cryptanalysis of product ciphers. In: Quisquater, J.-J., Deswarte, Y., Meadows, C., Gollmann, D. (eds.) ESORICS 1998. LNCS, vol. 1485, pp. 97–110. Springer, Heidelberg (1998)
Page, D.: Theoretical use of cache memory as a cryptanalytic side-channel, technical report CSTR-02-003, Department of Computer Science, University of Bristol (2002), http://www.cs.bris.ac.uk/Publications/pub_info.jsp?id=1000625
Meushaw, R.V., Schneider, M.S., Simard, D.N., Wagner, G.M.: Device for and method of secure computing using virtual machines, US patent 6,922,774 (2005)
National Institute of Standards and Technology, Advanced Encryption Standard (AES), FIPS PUB 197 (2001)
National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS PUB 180-2 (2002)
Oswald, E., Mangard, S., Pramstaller, N., Rijmen, V.: A side-channel analysis resistant description of the AES S-box. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 413–423. Springer, Heidelberg (2005) (to appear)
Percival, C.: Cache missing for fun and profit, BSDCan 2005, Ottawa (2005); see, http://www.daemonology.net/hyperthreading-considered-harmful/
Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003)
Zhuang, X., Zhang, T., Lee, H.S., Pande, S.: Hardware assisted control flow obfuscation for embedded processors. In: Proc. Intl. Conference on Compilers, Architectures and Synthesis for Embedded Systems, pp. 292–302. ACM, New York (2004)
Zhuang, X., Zhang, T., Pande, S.: HIDE: An Infrastructure for Efficiently protecting information leakage on the address bus. In: Proc. Architectural Support for Programming Languages and Operating Systems, pp. 82–84. ACM, New York (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Osvik, D.A., Shamir, A., Tromer, E. (2006). Cache Attacks and Countermeasures: The Case of AES. In: Pointcheval, D. (eds) Topics in Cryptology – CT-RSA 2006. CT-RSA 2006. Lecture Notes in Computer Science, vol 3860. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11605805_1
Download citation
DOI: https://doi.org/10.1007/11605805_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31033-4
Online ISBN: 978-3-540-32648-9
eBook Packages: Computer ScienceComputer Science (R0)