![Page 1: Cache Attacks and Countermeasures: the Case of AES Dag Arne Osvik, Adi Shamir and Eran Tromer Presented by Ophir Arbiv ophirarb@post.tau.ac.il.](https://reader035.fdocuments.net/reader035/viewer/2022062409/56649f575503460f94c7b566/html5/thumbnails/1.jpg)
Cache Attacks and Countermeasures: the Case of AES
Dag Arne Osvik, Adi Shamir and Eran Tromer
Presented by Ophir Arbiv (ophirarb@post.tau.ac.il)

Sources
[1] Cache Attacks and Countermeasures: the Case of AES (Extended Version), 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer.
[2] theory.csail.mit.edu/~tromer/SKC2006/cache-skc06.ppt – Tromer's lecture at MIT.
[3] www.l-sec.be/calit/present/AdiShamir.pdf – Adi Shamir's lecture at the Weizmann Institute.

AES – Advanced Encryption Standard
• 1997 - DES is becoming outdated; NIST announces a competition to design a successor.
• Evaluation criteria - security, cost, algorithm & implementation characteristics.
• 21 algorithms were received. In 2001 NIST selected Rijndael as the proposed AES algorithm.
• Rijndael was proposed by Dr. Vincent Rijmen and Dr. Joan Daemen from Belgium.
• Properties:
– Symmetric
– Block cipher
– Based on finite-field mathematics
– 128-bit data (block) size; key sizes of 128, 192 and 256 bits.
– Resistant to known attacks.

AES Algorithm
Source: http://klabs.org/mapld05/presento/103_swankoski_p.ppt
• The mathematical description of the algorithm:
[Figure: AES round structure (plaintext P, key K, round states X, ciphertext C)]

Efficient Implementation
• Originally proposed in the Rijndael spec, and now widely used.
• Uses pre-computed table lookups.
Tables: T0, T1, T2, T3 and T0^(10), T1^(10), T2^(10), T3^(10)
Key:
Round implementation:
• Each round - 16 table lookups, 16 xor's, and 12 shifts.
• Tables occupy 4 KB (×2).

AES - summary
• During AES selection, only branch statements, arithmetic, and data-dependent shifts were considered vulnerable.
• The proposed algorithms were widely analyzed.
• Apparently, since it uses only table lookups, xor & shift, NIST declared Rijndael "not vulnerable to timing attacks".
• 2003 - NSA declared AES-128 can be used to protect all US Government data except Top Secret data, which needs AES-256 (at least).
• No known direct attacks as of today.
• Expected to be the standard for 20+ years.

Side Channels
Source: www.stanford.edu/~jbonneau/AES_side_channel.ppt
[Figure: Plaintext → Cipher (key K) → Ciphertext, with side channels leaking from the cipher]
• Any observable information emitted as a byproduct of the physical implementation of the cryptosystem.

Side Channels
Examples of side channels:
• Power consumption (simple, differential…)
• Time
• Heat
• Acoustic noise (keyboards…)
• Cache
• Fault (power glitch, jitter…)
• Electromagnetic radiation
• Visual

Why Cache Analysis?
Annual speed increase: CPU core 60% (until recently); main memory 7-9%.
Typical latency: cache 0.3 ns; main memory 50-150 ns.
→ timing gap

Cache Attacks
• The cache is a shared resource.
=> cache state affects and is affected by all processes.
=> possible crosstalk between processes.
• Process memory is usually protected but…
• Information about the memory access patterns of other processes is leaked.
• Cache attacks are pure software attacks.
• Very cheap.
• A process with no special privileges & no interaction with the cryptographic code (in some variants) can attack the cryptographic code.

How the Cache Works
[Figure: DRAM memory blocks (B bytes) mapped into cache sets of W cache lines (B bytes each)]
• The cache holds copies of aligned blocks of B bytes of main memory (memory blocks).
• When a memory access instruction is processed, the memory cell is searched for in the cache first.
• If a cache miss occurs, the full memory block is copied into the appropriate set (out of S possible sets), into one of its W cache lines.

How Does a Cached Table Look?
[Figure: the S-box table in DRAM and its copy spread over cache lines]

Notation
• δ – the cache line size B divided by the size of each table entry (usually 64/4 = 16).
• <y> – the memory block of y in Tl.
<y> = <z> iff, when used as lookup indices into the same table Tl, they cause access to the same memory block.
• Qk(p,l,y) = 1 iff the AES encryption of the plaintext p under the encryption key k accesses the memory block of index y in Tl at least once (during the 10 rounds).

Cache Attacks on AES
• The efficient implementation of the algorithm has a big weakness: the lookup addresses strongly depend on the encryption key (the secret).
• Therefore, by knowing which memory cells were accessed we can extract the key (suppose a bus attack).
• Usually the attacker doesn't have access to the bus, and memory is partitioned and protected by the OS.
• The solution: the cache is a shared resource through which we can learn about the memory access patterns of other processes.

Synchronous Attacks
• The plaintext or ciphertext is known.
• The attacker can operate synchronously with the encryption (on the same processor).
• Examples:
– sending data packets through a secure channel in a VPN.
– Linux's dm-crypt and cryptoloop services.
• The attack scheme:
1. Obtain a set of random samples, Mk(p,l,y), of the predicate Qk(p,l,y).
2. Perform off-line cryptanalysis:
a) Guess small parts of the key.
b) Use the guess to predict memory accesses.
c) Check whether the predictions are consistent with the collected data.

One Round Attack
• Consider one of the memory accesses in the 1st round: T0[p0 ⊕ k0]
• Given a candidate value k'0 and samples of Q(p,l,y):
– The useful samples are those that fulfill: <p0 ⊕ k'0> = <y>
– If k'0 = k0 then for all useful samples:
• <p0 ⊕ k0> = <p0 ⊕ k'0> = <y>, so
• T0[p0 ⊕ k0] accesses block y => Q(p,l,y) = 1
– Otherwise:
• <p0 ⊕ k0> ≠ <p0 ⊕ k'0> = <y> => Q(p,l,y) = 0
• But there are 35 more "random" accesses to T0… so for a wrong candidate a useful sample gives Q(p,l,y) = 0 only with probability (1-1/16)^35 ≈ 0.104. A few hundred (!) random samples suffice to eliminate all bad candidates.
• The high nibble of every key byte (log2(256/δ) bits per byte) is extracted: 64 bits in total.
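The elimination argument above, carried through as an added C simulation (not code from the slides or from the paper): Q is modelled from the first-round indices p_i ⊕ k_i of the four key bytes that index T0, with the other 32 T0 accesses treated as random, as the (1-1/16)^35 estimate does. The xorshift PRNG, the demo key and the noise-free measurement are assumptions of this example.

```c
#include <stdint.h>
#define DELTA 16             /* table entries per cache line: 64-byte line / 4-byte entry */
#define BLOCKS (256 / DELTA) /* memory blocks spanned by one 1 KB table */
#define T0_ACCESSES 36       /* lookups into T0 in rounds 1..9 of AES-128 (4 per round) */

/* Small deterministic PRNG (xorshift32) so the run is reproducible; constructed, not secure. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rnd(void) { rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5; return rng_state; }

/* Model of Q_k(p,0,y) for all 16 blocks y of T0 at once, as one Prime+Probe measurement
   gives it. The four first-round T0 lookups use indices p_i ^ k_i (i = 0,4,8,12); the
   other 32 accesses are modelled as uniformly random, the same simplification behind the
   slides' (1-1/16)^35 estimate. Assumed noise-free: q[y] = 1 iff block y was touched. */
static void q_model(const uint8_t p[16], const uint8_t k[16], uint8_t q[BLOCKS]) {
    for (int y = 0; y < BLOCKS; y++) q[y] = 0;
    for (int i = 0; i < 16; i += 4) q[(p[i] ^ k[i]) / DELTA] = 1;
    for (int j = 0; j < T0_ACCESSES - 4; j++) q[rnd() % BLOCKS] = 1;
}

/* One-round analysis for key bytes 0,4,8,12: candidate high nibble h predicts that block
   (p_i / DELTA) ^ h is touched; a sample where it was not (q = 0) refutes h. The true
   nibble is never refuted. surv[b] is a bitmask of the still-possible nibbles. */
static void one_round_attack(const uint8_t k[16], int samples, uint16_t surv[4]) {
    uint8_t p[16], q[BLOCKS];
    for (int b = 0; b < 4; b++) surv[b] = 0xFFFF;
    for (int n = 0; n < samples; n++) {
        for (int i = 0; i < 16; i++) p[i] = (uint8_t)(rnd() >> 24);
        q_model(p, k, q);
        for (int b = 0; b < 4; b++)
            for (int h = 0; h < BLOCKS; h++)
                if (!q[(p[4 * b] / DELTA) ^ h]) surv[b] &= (uint16_t)~(1u << h);
    }
}

/* Probability that one useful sample refutes a wrong candidate: none of the 35 other T0
   accesses hits the predicted block, i.e. (1 - 1/DELTA)^35, about 0.104. */
static double refutation_probability(void) {
    double pr = 1.0;
    for (int i = 0; i < T0_ACCESSES - 1; i++) pr *= 1.0 - 1.0 / DELTA;
    return pr;
}

/* Constructed demo key. run_demo returns 1 iff exactly the true high nibble of each of the
   four bytes survives, i.e. log2(256/DELTA) = 4 bits of each byte were recovered. */
static const uint8_t demo_key[16] = { 0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x18, 0xbf,
                                      0x66, 0x0c, 0xa9, 0x73, 0xe1, 0x4d, 0x2b, 0xf8 };
int run_demo(int samples) {
    uint16_t surv[4];
    one_round_attack(demo_key, samples, surv);
    for (int b = 0; b < 4; b++)
        if (surv[b] != (uint16_t)(1u << (demo_key[4 * b] / DELTA))) return 0;
    return 1;
}
int main(void) { return run_demo(300) ? 0 : 1; }  /* exit status 0 when the nibbles were recovered */
```

With 300 samples every wrong nibble is refuted with overwhelming probability, matching the "300 encryptions" Prime+Probe figure quoted later in the slides; the remaining low nibbles are exactly what the second-round analysis is needed for.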

Full Key Extraction
• We managed to narrow down each byte of the key to δ possibilities, with a straightforward method.
(in the common case this means extracting half the key - 64 bits)
• This is all the possible information from 1st-round accesses.
• By moving to the 2nd round and taking advantage of the non-linearity of the S-box we can extract the full key!!

Two Round Attack
• These equations for the 2nd round are easily derived from the Rijndael specification:
{ s(·) denotes the Rijndael S-box function and • denotes multiplication over GF(256). }
• is used as an index to T2.
• The only relevant unknowns in the index are the low nibbles of k0, k5, k10 and k15 (2^16 candidates).
• Can test a candidate as before:
– Predict this lookup according to the guess {k'0, k'5, k'10, k'15} (the low nibble of k2 is irrelevant).
– Identify useful samples, i.e., those where y is in the same memory block as the prediction.
– Check whether Q(p,l,y) = 1 for all useful samples.
• There are 3 more accesses of this special form, with disjoint sets of relevant low nibbles.
=> full key recovery using ~2000 random samples.

Measurement Methods
• How do we obtain the measurements Mk(p,l,y) of the predicate Qk(p,l,y)?
• Inter-process crosstalk can be exploited in two ways:
– Effect of the cache on the encryption (timing).
– Effect of the encryption on the cache.

Measurement Method 1: Evict + Time
[Figure: DRAM, cache, the T0 table and attacker memory]
1. Make sure the tables are cached
2. Evict one cache set
3. Time an encryption and see if it's slow

Results
• Weakness of this method:
– It relies on timing the triggered encryption
=> it is very sensitive to variations in the operation (noise due to scheduling, branches, cache contention, etc.)
• The authors were able to extract the key only from an artificial service (using the OpenSSL libs) but not from real services.

Measurement Method 2: Prime + Probe
• Tries to discover the set of memory blocks read by the encryption a posteriori, by examining the state of the cache after the encryption.
[Figure: DRAM, cache, the S-box table and attacker memory]
1. Completely evict the tables from the cache
2. Trigger a single encryption
3. Access attacker memory again and see which cache sets are slow

Results
• Yields more information (4 · 256/δ values of Q) from a single encryption.
• Not a timing attack! The attacker is timing a simple operation performed by itself!
• Insensitive to timing variance in the encryption code path (crucial for effective attacks on complicated systems).
• No real need to trigger the encryption – can wait until it happens by itself…

Synchronous Attacks - summary
• For a known plaintext & synchronous attacker.
• Two measurement methods.
• Results:
– OpenSSL libs on Athlon 64:
• Evict + Time – 500,000 encryptions. (why?)
• Prime + Probe – 300 encryptions (16K on P4E).
– Real Linux dm-crypt:
• Prime + Probe – 800 write operations – 65 ms + 3 sec offline analysis.
• Variants …

Asynchronous Attack
• Someone runs encryption computations using a secret key.
• The attacker process runs on the same CPU at (roughly) the same time.
• Assume the plaintext/ciphertext has a non-uniform (conditional) distribution:
– English
– Formatted data
– Headers
– Ciphertext gleaned from the wire
• Examples: just about any use of crypto on a multi-user system.
Finding the key
• Compare two distributions:
– Measured memory access statistics.
– Predicted memory access statistics, under the given plaintext distribution and the key hypothesis.
• Find the key that yields the best correlation.

Countermeasures
• The authors consider numerous countermeasures, e.g.:
– Avoiding Memory Accesses
– Alternative Lookup Tables
– Data-Oblivious Memory Access Pattern
– Cache State Normalization and Process Blocking
– Disabling Cache Sharing
– Static or Disabled Cache
– Dynamic Table Storage
– Hiding the Timing
• None of them solves the problem completely. Some are architecture/application dependent or require changes to the system.
• None is both secure, efficient (or cheap) and generic.
=> Case-specific solutions – probably a combination of the methods.
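One of the listed countermeasures, a data-oblivious memory access pattern, as an added C example (not from the slides or the paper): the indexed lookup of the efficient implementation beside a version that reads the whole table on every call, so the cache lines touched no longer depend on the index. The table contents are constructed and stand in for one T-table.

```c
#include <stdint.h>

/* Constructed 256-entry table standing in for one AES T-table: 4-byte entries,
   1 KB, i.e. 16 cache lines of delta = 16 entries. The values are an arbitrary
   bijection of the index, not the real S-box or T-table. */
static uint32_t table[256];
static void init_table(void) {
    for (uint32_t i = 0; i < 256; i++) table[i] = ((i * 167u + 13u) & 0xFFu) * 0x01010101u;
}

/* The efficient implementation's form: the cache line read is idx / 16, so in
   round 1 the high nibble of p_i ^ k_i is visible through the cache state. */
static uint32_t lookup_indexed(uint8_t idx) { return table[idx]; }

/* Data-oblivious form: read every entry on every call and keep the wanted one
   with a branch-free mask, so the set of cache lines touched, and the time to
   touch them, no longer depends on idx. Cost: 256 loads instead of one. Caveat:
   an optimizing compiler may turn this back into an indexed load, so inspect
   the generated code (e.g. objdump -d) before relying on it. */
static uint32_t lookup_oblivious(uint8_t idx) {
    uint32_t result = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t diff = i ^ idx;                      /* 0 only when i == idx */
        uint32_t mask = ((diff - 1u) >> 8) & 0xFFu;   /* 0xFF iff diff == 0 */
        result |= table[i] & (mask * 0x01010101u);    /* select without a branch */
    }
    return result;
}

/* Returns 1 if both forms agree on every index, i.e. the masking is correct. */
int lookups_agree(void) {
    init_table();
    for (int i = 0; i < 256; i++)
        if (lookup_indexed((uint8_t)i) != lookup_oblivious((uint8_t)i)) return 0;
    return 1;
}

/* Table value for a single index via the oblivious path (initialises the table). */
uint32_t oblivious_value(uint8_t idx) { init_table(); return lookup_oblivious(idx); }

int main(void) { return lookups_agree() ? 0 : 1; }  /* exit status 0 when both forms agree */
```

This removes the index dependence of the access pattern at a large constant-factor cost per lookup, which is why the slide concludes that no single countermeasure is secure, efficient and generic at once.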

Thank you!
Questions?

Homework
1. What is the difference between the Evict+Time and Prime+Probe measurement methods?
2. In the case of known ciphertext, how would the attack change?
(hint: it can be more efficient – see paper)
3. Why is a first-round synchronous attack able to extract only half the key bits? (on a δ=16 platform)
4. Does the addition of a random delay to the encryption algorithm improve immunity against synchronous attacks? Why?