Cache Based Power Analysis Attacks on AES
This paper describes possible attacks against software implementations of AES running on processors with cache mechanisms, particularly in the case of smart cards. These attacks are based on side-channel information gained by observing cache hits and misses in the current drawn by the smart card. Two different attacks are described. The first is a combination of ideas proposed in [2] and [11] to produce an attack that only requires the manipulation of the plain text and the observation of the current. The second is an attack based on specific implementations of the xtime function [10]. These attacks are shown to also work against algorithms using Boolean data masking techniques as a DPA countermeasure.
CacheZoom: How SGX Amplifies The Power of Cache Attacks
In modern computing environments, hardware resources are commonly shared, and
parallel computation is widely used. Parallel tasks can cause privacy and
security problems if proper isolation is not enforced. Intel proposed SGX to
create a trusted execution environment within the processor. SGX relies on the
hardware, and claims runtime protection even if the OS and other software
components are malicious. However, SGX disregards side-channel attacks. We
introduce a powerful cache side-channel attack that provides system adversaries
a high resolution channel. Our attack tool named CacheZoom is able to virtually
track all memory accesses of SGX enclaves with high spatial and temporal
precision. As proof of concept, we demonstrate AES key recovery attacks on
commonly used implementations including those that were believed to be
resistant in previous scenarios. Our results show that SGX cannot protect
critical data sensitive computations, and efficient AES key recovery is
possible in a practical environment. In contrast to previous works which
require hundreds of measurements, this is the first cache side-channel attack
on a real system that can recover AES keys with a minimal number of
measurements. We can successfully recover AES keys from T-Table based
implementations with as few as ten measurements.
Comment: Accepted at Conference on Cryptographic Hardware and Embedded Systems (CHES '17)
Search for TeV gamma-rays from SN 1987A in 2001
We searched for TeV gamma-rays from the remnant of SN 1987A around 5400 days
after the supernova. The observations were carried out in 2001, from November
16 to December 11, using the CANGAROO-II Imaging Atmospheric Cherenkov
Telescope. In total, 708 minutes of ON- and 1019 minutes of OFF-source data
were obtained under good conditions. The detection threshold was estimated to
be 1 TeV, due to the mean zenith angle of 39. The upper limits for the
gamma-ray flux were obtained and compared with the previous observations and
theoretical models. The observations indicate that the gamma-ray luminosity is
lower than erg s at TeV.
Comment: 8 pages, 3 figures, submitted for publication, style file adde
Detection of diffuse TeV gamma-ray emission from the nearby starburst galaxy NGC 253
We report the TeV gamma-ray observations of the nearby normal spiral galaxy
NGC 253. At a distance of 2.5 Mpc, NGC 253 is one of the nearest
starburst galaxies. This relative closeness, coupled with the high star
formation rate in the galaxy, makes it a good candidate TeV gamma-ray source.
Observations were carried out in 2000 and 2001 with the CANGAROO-II 10 m
imaging atmospheric Cerenkov telescope. TeV gamma-ray emission is detected at
the level with a flux of at energies 0.5 TeV. The data indicate that the
emission region is broader than the point spread function of our telescope.
Comment: 4 pages, double column, 3 figures, aa.cl
Evidence of TeV gamma-ray emission from the nearby starburst galaxy NGC 253
TeV gamma-rays were recently detected from the nearby normal spiral galaxy
NGC 253 (Itoh et al., 2002). Observations to detect the Cherenkov light images
initiated by gamma-rays from the direction of NGC 253 were carried out in 2000
and 2001 over a total period of 150 hours. The orientation of images in
gamma-ray--like events is not consistent with emission from a point source, and
the emission region corresponds to a size greater than 10 kpc in radius. Here,
detailed descriptions of the analysis procedures and techniques are given.
Comment: 16 pages, 27 figures, aa.cl
A Search for TeV Gamma-ray Emission from the PSR B1259-63/SS2883 Binary System with the CANGAROO-II 10-m Telescope
Observations of the PSR B1259-63/SS2883 binary system using the CANGAROO-II
Cherenkov telescope are reported. This nearby binary consists of a 48msec radio
pulsar in a highly eccentric orbit around a Be star, and offers a unique
laboratory to investigate the interactions between the outflows of the pulsar
and Be star at various distances. It has been pointed out that the relativistic
pulsar wind and the dense mass outflow of the Be star may result in the
emission of gamma rays up to TeV energies. We have observed the binary in 2000
and 2001, 47 and 157 days after the October 2000 periastron. Upper limits at
the 0.13--0.54 Crab level are obtained. A new model calculation for high-energy
gamma-ray emission from the Be star outflow is introduced and the estimated
gamma-ray flux considering Bremsstrahlung, inverse Compton scattering, and the
decay of neutral pions produced in proton-proton interactions, is found to be
comparable to the upper limits of these observations. Comparing our results
with these model calculations, the mass-outflow parameters of the Be star are
constrained.
Comment: 29 pages, 10 figures, accepted by Ap
Drive-by Key-Extraction Cache Attacks from Portable Code
We show how malicious web content can extract cryptographic secret keys from the user's computer.
The attack uses portable scripting languages supported by modern browsers to induce contention for CPU cache resources, and thereby gleans information about the memory accesses of other programs running on the user's computer. We show how this side-channel attack can be realized in both WebAssembly and PNaCl; how to attain very fine-grained measurements; and how to use these to extract ElGamal, ECDH and RSA decryption keys from various cryptographic libraries.
The attack does not rely on bugs in the browser's nominal sandboxing mechanisms, or on fooling users. It applies even to locked-down platforms with strong confinement mechanisms and browser-only functionality, such as Chromebook devices.
Moreover, on browser-based platforms the attacked software too may be written in portable JavaScript; and we show that in this case even implementations of supposedly-secure constant-time algorithms, such as Curve25519's, are vulnerable to our attack.