Cache-timing attack against aes crypto system - countermeasures review

Side channel attacks are based on side channel information, which is information that is leaked from encryption systems. Implementing side channel attacks is possible if and only if an attacker has access to a cryptosystem (victim) or can interact with cryptosystem remotely to compute time statistics of information that collected from targeted system. Cache timing attack is a special type of side channel attack. Here, timing information caused by cache effect is collected and analyzed by an attacker to guess sensitive information such as encryption key or plaintext. Cache timing attack against AES was known theoretically until Bernstein carry out a real implementation of the attack. Fortunately, this attack can be a success only by exploiting bad implementation in software or hardware, not for algorithm structure weaknesses, and that means attack could be prevented if proper implementation has been used. For that reason, modification in software and hardware has been proposed as countermeasures. This paper reviews the technique applied in this attack, surveys the countermeasures against it, and evaluates the feasibility and usability of each countermeasure. We made comparison between these countermeasure based on certain aspect furthermore

SIDECHANNEL ATTACKS THAT EXPLOIT VULNERABILITIES OF ARCHITECTURES WITH SPECULATIVE EXECUTION

U ovom radu prikazani su koncepti na kojima su zasnovani novootkriveni tipovi napada poznati pod nazivom Spectre i Meltdown. Obe vrste napada koriste isključivo sigurnosnu ranjivost samog hardware-a ne slabosti softwarea što ih čini neovisnim o OS-u. Princip, zajednički svim modernim procesorima, po kojem instrukcije koje se izvode spekulativno ne podižu signal prekida u trenutku kad se detektira da je korisnički proces pristupio zaštićenoj/privilegiranoj memoriji drugog procesa već tek kad se za nju izvodi „commit“/“retire“ otvara dovoljno velik vremenski prozor koji omogućava izvođenje side-channel napada. Implementacija upravljanja spekulativnim i izvođenjem s poremećenim redoslijedom, priručnom memorijom, dubina cjevovoda i druge karakteristike mogu imati utjecaja na efikasnost side- channel napada do mjere da na nekom platformama izvedljivost pojedinih tipova napada nije mogla biti potvrđena, ali potencijalna prijetnja pronalaženja optimalnijeg koda napada i novih iskoristivih sporednih svojstava ostaje.Concepts on which are founded recently discovered Spectre and Meltdown attacks have been described in this paper. Both attacks with their variants are addressing only hardware vulnerabilities and are not exploiting any software weakness which makes them operating system independent. Speculative execution is basic architectural concept of all modern processor designs on various levels. Principle according to which instruction, while executed in speculative mode or during outoforder execution, does not raise interrupt in case of memory permission access violation instantly, but only then instruction is retired, opens big enough time frame window, which enables information leaking through the sidechannel. Implementation of speculative and out-of-order execution logic, cache control, pipeline depth and other characteristics can influence performance and possibility of the sidechannel attack in the way that on certain microarchitectures some variants of the attack were not currently reproducible, but potential threat from attack code optimization and discovery of the new exploitable covert channels stays

HardIDX: Practical and Secure Index with SGX

Software-based approaches for search over encrypted data are still either challenged by lack of proper, low-leakage encryption or slow performance. Existing hardware-based approaches do not scale well due to hardware limitations and software designs that are not specifically tailored to the hardware architecture, and are rarely well analyzed for their security (e.g., the impact of side channels). Additionally, existing hardware-based solutions often have a large code footprint in the trusted environment susceptible to software compromises. In this paper we present HardIDX: a hardware-based approach, leveraging Intel's SGX, for search over encrypted data. It implements only the security critical core, i.e., the search functionality, in the trusted environment and resorts to untrusted software for the remainder. HardIDX is deployable as a highly performant encrypted database index: it is logarithmic in the size of the index and searches are performed within a few milliseconds rather than seconds. We formally model and prove the security of our scheme showing that its leakage is equivalent to the best known searchable encryption schemes. Our implementation has a very small code and memory footprint yet still scales to virtually unlimited search index sizes, i.e., size is limited only by the general - non-secure - hardware resources

Are AES x86 Cache Timing Attacks Still Feasible?

We argue that five recent software and hardware developments — the AES-NI instructions, multicore processors with per-core caches, complex modern software, sophisticated prefetchers, and physically tagged caches — combine to make it substantially more difficult to mount data-cache side-channel attacks on AES than previously realized. We propose ways in which some of the challenges posed by these developments might be overcome. We also consider scenarios where sidechannel attacks are attractive, and whether our proposed workarounds might be applicable to these scenarios

Jackpot Stealing Information From Large Caches via Huge Pages

The cloud computing infrastructure relies on virtualized servers that provide isolation across guest OS\u27s through sandboxing. This isolation was demonstrated to be imperfect in past work which exploited hardware level information leakages to gain access to sensitive information across co-located virtual machines (VMs). In response virtualization companies and cloud services providers have disabled features such as deduplication to prevent such attacks. In this work, we introduce a fine-grain cross-core cache attack that exploits access time variations on the last level cache. The attack exploits huge pages to work across VM boundaries without requiring deduplication. No configuration changes on the victim OS are needed, making the attack quite viable. Furthermore, only machine co-location is required, while the target and victim OS can still reside on different cores of the machine. Our new attack is a variation of the prime and probe cache attack whose applicability at the time is limited to L1 cache. In contrast, our attack works in the spirit of the flush and reload attack targeting the shared L3 cache instead. Indeed, by adjusting the huge page size our attack can be customized to work virtually at any cache level/size. We demonstrate the viability of the attack by targeting an OpenSSL1.0.1f implementation of AES. The attack recovers AES keys in the cross-VM setting on Xen 4.1 with deduplication disabled, being only slightly less efficient than the flush and reload attack. Given that huge pages are a standard feature enabled in the memory management unit of OS\u27s and that besides co-location no additional assumptions are needed, the attack we present poses a significant risk to existing cloud servers

Cache-based Side-Channel Attacks in Multi-Tenant Public Clouds and Their Countermeasures

Cloud computing is gaining traction due to the business agility, resource scalability and operational efficiency that it enables. However, the murkiness of the security assurances offered by public clouds to their tenants is one of the major impediments to enterprise and government adoption of cloud computing. This dissertation explores one of the major design flaws in modern public clouds, namely insufficient isolation among cloud tenants as evidenced by the cloud's inability to prevent side-channel attacks between co-located tenants, in both Infrastructure-as-a-Service (IaaS) clouds and Platform-as-a-Service (PaaS) clouds. Specifically, we demonstrate that one virtual machine (VM) can successfully exfiltrate cryptographic private keys from another VM co-located on the same physical machine using a cache-based side-channel attack, which calls into question the established belief that the security isolation provided by modern virtualization technologies remains adequate under the new threat model in multi-tenant public IaaS clouds. We have also demonstrated in commercial PaaS clouds that cache-based side channels can penetrate container-based isolation by extracting sensitive information from the execution paths of the victim applications, thereby subverting their security. Finally, we devise two defensive techniques for the IaaS setting, which can be adopted by cloud tenants immediately on modern cloud platforms without extra help from cloud providers, to address side-channel threats: (1) for tenants requiring a high degree of security and physical isolation, a tool to facilitate cloud auditing of such isolation; and (2) for tenants who use multi-tenant cloud services, an operating-system-level defense to defend against cache-based side-channel threats on their own.Doctor of Philosoph