New Cache Designs for Thwarting
Software Cache-based Side Channel
Attacks - Z. Wang & R. B. Lee

Anestis Bechtsoudis
mpechtsoud@ceid.upatras.gr
Patra 2010

  1. New Cache Designs for Thwarting Software Cache-based Side Channel Attacks - Z. Wang & R. B. Lee. Anestis Bechtsoudis, mpechtsoud@ceid.upatras.gr, Patra 2010
  2. Contents: 1 Introduction, 2 Threat Model and Attacks, 3 Proposed Models, 4 Evaluation, 5 Conclusions
  3. Section 1: Introduction
  4. Introduction 1/4
     - Information intensive society – imperative need for security
     - Design of cryptographic systems to ensure data protection
     - Extensive testing of cryptosystems over time
     - Cryptanalysis: the study of techniques to reveal the secret parameters of a security system
  5. Introduction 2/4
     - Classical cryptanalysis approach
     - Weaknesses in the algorithm – mathematical model
     - Attacks based on: ciphertext-only, known plaintext, chosen plaintext/ciphertext …
     - Black box approach of the cryptosystem
     - The cryptographic primitive is actually implemented in hardware
     - Modern cryptanalysis: attacker knows much more about the device – side channel leakage
  6. Introduction 3/4
  7. Introduction 4/4
  8. Section 2: Threat Model and Attacks
  9. Threat Model and Attacks 1/6
     - Goal of the adversary is to learn information that he has no legitimate access to
     - Adversary: one or more unprivileged user processes, including remote clients, in the server where the secrets are processed
     - No physical access to the device
     - Goal achieved by performing legitimate operations – normal process
     - Victim and adversary are isolated processes
  10. Threat Model and Attacks 2/6: Percival’s attack on the OpenSSL implementation of the RSA algorithm on an SMT CPU
     - RSA core operation: modular exponentiation – implemented with a series of squarings (^2) and multiplications (*)
     - The encryption key is divided into segments
     - For each *, a multiplier is selected from precomputed constants stored in a LUT
     - A segment of the key is used to index the LUT
  11. Threat Model and Attacks 3/6
     - Attacker manages to run simultaneously with the victim
     - Attack process sequentially and repeatedly accesses an array, thus loading data to occupy all cache lines
     - At the same time he measures the delay of each access to detect cache misses (e.g. the rdtsc timer on Intel x86)
     - Victim’s cache accesses evict the attacker’s data, which the attacker can detect
  12. Threat Model and Attacks 4/6 [figure labels: Cache, RAM, RSA, Attacker]
     - The attacker can identify which table entry is accessed -> the index used -> segment of the key
  13. Threat Model and Attacks 5/6: Bernstein’s Attack on AES
     - AES - “Black Box” software module
     - Give inputs and measure computation time
     - The execution time is input dependent and can be exploited to recover the secret key
     - Attack consists of three phases: Learning, Attacking and Key Recovery
     - Statistical correlation analysis
  14. Threat Model and Attacks 6/6
  15. Section 3: Proposed Models
  16. Proposed Models 1/4
     - Problem -> direct or indirect cache interference
     - Learn from attacks and rewrite software
     - Solutions are attack specific and degrade performance (2x, 4x slower)
     - Authors attempt to eliminate the root cause with minimum impact and low cost
     - Ideas -> Partitioning - Randomization
  17. Proposed Models 2/4: Partition-Locked Cache (PLCache) [figure: cache line fields L | ID | Original Cache Line]
  18. Proposed Models 3/4: Random Permutation Cache (RPCache)
     - Introduce randomization factor – no useful information about which cache lines are evicted
     - Memory-to-cache mappings
  19. Proposed Models 4/4
  20. Section 4: Evaluation
  21. Evaluation 1/
     - OpenSSL 0.9.7a AES implementation
     - Traditional cache, L1 PLCache and L1 RPCache
     - 5KByte AES protected data
     - L2 large enough – no performance impact
  22. Evaluation 1/
     - PLCache & RPCache implemented in M-Sim v2.0
  23. Section 5: Conclusions
  24. Conclusions
     - Cache-based side channel attacks can harm general purpose cache based systems
     - Software solution -> attack specific
     - Hardware solutions -> general purpose
     - PLCache: minimal hardware cost – software developer must use different API
     - RPCache: area & complexity in hardware – no special treatment from software developers
  25. Anestis Bechtsoudis, mpechtsoud@ceid.upatras.gr, Patra 2010
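
The eviction-based leak from the Threat Model slides and the lock bit (L) and owner ID of the PLCache slide, as a toy simulation. This is an added example, not code from the slides or from Wang & Lee. The cache geometry, every name in it and the simplified rule for locked lines (a miss that would evict another owner's locked line is served uncached) are assumptions made for illustration.

```python
from collections import OrderedDict

SETS, WAYS = 8, 2            # toy geometry (constructed)
VICTIM, ATTACKER = 1, 2      # owner IDs (hypothetical)

class Cache:
    """Set-associative LRU cache; plcache=True adds a lock bit and owner ID per line."""
    def __init__(self, plcache=False):
        self.plcache = plcache
        # one OrderedDict per set: line -> (locked, owner), least recently used first
        self.sets = [OrderedDict() for _ in range(SETS)]

    def access(self, owner, line, lock=False):
        """Touch a memory line; return True on a hit, False on a miss."""
        s = self.sets[line % SETS]
        if line in s:
            s.move_to_end(line)                  # mark most recently used
            return True
        if len(s) >= WAYS:
            lru, (locked, lru_owner) = next(iter(s.items()))
            if locked and lru_owner != owner:
                return False                     # assumed rule: serve uncached, keep locked line
            del s[lru]
        s[line] = (lock and self.plcache, owner)  # lock bit only exists in PLCache mode
        return False

def probe_misses(plcache, secret_index):
    """Per-set miss counts seen by an unprivileged co-resident process."""
    cache = Cache(plcache)
    table = range(SETS)                          # victim LUT: one line per set
    probe = [SETS * k + s for k in (1, 2) for s in range(SETS)]
    for line in table:                           # victim preloads (and locks) its table
        cache.access(VICTIM, line, lock=True)
    for line in probe:                           # observer fills the cache with its array
        cache.access(ATTACKER, line)
    cache.access(VICTIM, table[secret_index])    # key-dependent table lookup
    misses = [0] * SETS
    for line in probe:                           # observer re-reads its own array
        if not cache.access(ATTACKER, line):
            misses[line % SETS] += 1
    return misses

if __name__ == "__main__":
    print("conventional:", probe_misses(False, 3))
    print("PLCache     :", probe_misses(True, 3))
```

In the conventional cache the miss counts single out the set the lookup touched, while with the table lines locked the counts are the same for every set and every index.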
