Presentation
description
Transcript of Presentation
Full AES key extraction in 65 milliseconds
using cache attacks
Dag Arne OsvikAdi Shamir 1
Eran Tromer 1
1 Weizmann Institute of Science
CPUcore
CPUcachememory
Mainmemory
CPU
Cache Attacks• The state of the cache persists between processes, resulting
in inter-process contention for cache resources.
• The data in the memory and caches is protected by virtual memory mechanisms, but the metadata is unprotected.
• This causes a leak of information about memory access patterns.
• … which can be exploited cryptanalytically (e.g., breaking AES)
• … very efficiently (e.g., just 300 encryptions for a known-plaintext attack)
• … or in a very powerful attack model (no knowledge of plaintexts or ciphertexts)
Past works on cache attacks• Theoretical attacks
[Page 2002]
• Timing attacks using internal collisions in block ciphers[Tsunoo Saito Suzaki Shigeri Miyauchi ’03]
Recently:
• Timing attacks on AES based on external collisions[Bernstein ’04]
• Cache probing attack,Improved timing attacks via cache modeling, “Hyper Attacks” on AES
[Osvik Shamir Tromer ’05]
• “Hyper Attacks” on RSA [Percival ’05]
UPDATES
char p[16], k[16]; // plaintext and keyint32 T0[256],T1[256],T2[256],T3[256]; // lookup tablesint32 Col[4]; // intermediate state
...
/* Round 1 */
Col[0] T0[p[ 0]©k[ 0]] T1[p[ 5]©k[ 5]] T2[p[10]©k[10]] T3[p[15]©k[15]];
Col[1] T0[p[ 4]©k[ 4]] T1[p[ 9]©k[ 9]] T2[p[14]©k[14]] T3[p[ 3]©k[ 3]];
Col[2] T0[p[ 8]©k[ 8]] T1[p[13]©k[13]] T2[p[ 2]©k[ 2]] T3[p[ 7]©k[ 7]];
Col[3] T0[p[12]©k[12]] T1[p[ 1]©k[ 1]] T2[p[ 6]©k[ 6]] T3[p[11]©k[11]];
A typical software implementation of AES
lookup index = plaintext key (and the parameters are favorable to the attack)
Associative memory cachem
ain
m
em
ory
cach
e
cache line
(64 bytes)
memory block(64 bytes)
cache set
(4 cache lines)
AES tables in memoryD
RA
Mca
che
T0
Detecting access to AES tables (basic idea)D
RA
Mca
che
T0Attacker
memory
Attack 1: Evict+Time• Selectively manipulate the state of the cache
(e.g., evict a full cache set)• Trigger encryption• Measure how long it took• Deduce what cache sets it accessed• … cryptanalyze
Our experimental result
When attacking OpenSSL AES encryptions, can recover full key using 35 seconds of measurements.
Attack 2: Prime+Probe
• Fill cache with attacker’s own data• Trigger encryption• Time access to attacker memory to see if it is
still in cache• Deduce what cache sets the encryption
accessed• … cryptanalyze
Oblivious to timing variability in attacker code, hence applicable to larger real systems.
Attack 2Our experimental results:• When attacking OpenSSL AES encryptions:
Full key recovery using 16 milliseconds of measurements (300 encryptions with known inputs).
Next talk:If you have known outputs, 30 encryptions suffice.
• When attacking a Linux dm-crypt AES encrypted filesystem (complicated system call going through filesystem, VM, scheduler…):Full key recovery using 65 milliseconds of measurements (800 encryptions) and 3 seconds of off-line analysis.
Attack 3: “Hyper Attack”
No explicit interaction between attacker and victim.No knowledge of specific plaintexts or ciphertexts.One implementation exploits HyperThreading.
• Fill cache with attacker’s data• Wait for someone else to perform encryption• Time access to attacker memory to see if it is still
in cache• Deduce what cache sets the encryption
accessed• … cryptanalyze based on knowledge of prior
distribution of plaintexts/ciphertexts
Experimental resultsmeasuring OpenSSL AES encryption of English text
Implications• Impact:
• Multiuser systems• VPNs• Virtual machines• Trusted computing• Sandboxes (JVM, JavaScript)• Remote attacks
• Easy to deploy – pure software• Hard to detect• Hard to protect efficiently
Full paper on my webpage:http://www.wisdom.weizmann.ac.il/~tromer