An Analytical Model for Time-Driven Cache Attacks

SLIDE 1

An Analytical Model for Time-Driven Cache Attacks

Kris Tiri, Onur Acıiçmez, Michael Neve, Flemming Andersen

SLIDE 2

FSE 2007

Outline

  • Motivation
  • Cache attacks: origins, time-driven attack
  • Strength of an implementation
  • Analytical model of time-driven attack
  • Experimental results
  • Conclusions

SLIDE 3

Side-Channels

Information leakage from implementation

– Example: safecracker “feels” tumblers impacting
– Covert channel without conspiracy or consent

Cache Side-Channel Attacks

– 1996: presumed possible [Kocher]
– 2002: theoretical work [Page]
– 2003: first practical results on DES [Tsunoo]
– 2005: first practical results on AES, RSA [Bernstein][Osvik][Percival]

SLIDE 4

Motivation

  • Attack depends on crypto implementation and on cache architecture
  • Experimental results cumbersome to obtain
  • Can we put a stake in the ground on strength of any implementation of any symmetric key algorithm running on any microprocessor w.r.t. a time-driven cache attack?

SLIDE 5

Cache attack origins

  • Information leaks resulting from the implementation of the cache
  • Difference between cache hit & cache miss is observable/measurable

[Figure: CPU, CACHE, MEMORY]

SLIDE 6

Cache attacks in a nutshell

  • Cache is shared between processes
  • Cache state persists despite context switch
  • Data is protected, metadata is unprotected
  • Cache access pattern depends on cache state and processed data
  • Spy-process can observe key-dependent cache accesses of crypto-process
  • Observation techniques: time-driven attack, trace-driven attack, access-driven attack

SLIDE 7

Time-driven cache attacks

Leakage: number of cache misses depends on data

model: if (P0==Pj) E = 0; else E = 1;

[Figure: attack block diagram with labels: input, device, unknown secret key, measurements, key fragment guess, model, estimations, analysis]

SLIDE 8

Example: last round attack on AES

OpenSSL: 5 tables (Te0..4) of 1024 bytes

– 16 accesses to table Te4 in last round

device: execution time ~ all cache misses
model: if (collision) estimation = 0; else estimation = 1;

cache line estimation:

$$\langle \mathrm{sbox}^{-1}(RK_0^{(10)} \oplus C_0) \rangle == \langle \mathrm{sbox}^{-1}(RK_i^{(10)} \oplus C_i) \rangle$$

table index estimation:

$$C_0 == RK_{0i}^{(10)} \oplus C_i \quad \text{with} \quad RK_{0i}^{(10)} = RK_0^{(10)} \oplus RK_i^{(10)}$$

[Figure: location of Te4 in cache, starting from an empty cache, for plaintext A and plaintext B; labels: 9 cache misses, 7 cache misses]

SLIDE 9

Strength/Resistance of an implementation

How many measurements are required?

$$N = \frac{2 \cdot Z_\alpha^2}{\rho^2}$$ [Mangard2005]

  • $Z_\alpha$: quantile of standard normal distribution for probability α. How sure do you want to be?
  • $\rho$: correlation coefficient between estimations and measurements. How accurate is your model?

  • 1. model the measurements
  • 2. compute ρ between estimations and modeled measurements

SLIDE 10

Model the measurements

Assumptions:

  • 1. Cache is clean before cipher operation
  • 2. No collision between lookup tables
  • 3. Cache accesses are random, independent
  • 4. Cipher operation operates uninterrupted
  • 5. Execution time proportional to number of cache misses

SLIDE 11

Compute ρ between estimations and modeled measurements

$$\rho = \frac{E(E \cdot M_{K_{secret}}) - E(E) \cdot E(M_{K_{secret}})}{\sqrt{\left(E(E^2) - E(E)^2\right)\left(E(M_{K_{secret}}^2) - E(M_{K_{secret}})^2\right)}}$$

time ~ cache misses:

$$\rho(E, M_{time}) = \rho(E, M_{misses})$$

independent accesses to T tables:

$$E(M) = \sum_{t=1}^{T} E(M_t)$$

measurement model with k accesses to l lines:

$$\mu_M(k,l) = \sum_{j=1}^{l} j \cdot P_{k,l}(j)$$

$$\sigma_M^2(k,l) = \sum_{j=1}^{l} j^2 \cdot P_{k,l}(j) - \mu_M^2(k,l)$$

SLIDE 12

Compute ρ between estimations and modeled measurements

$$\rho = \frac{E(E \cdot M_{K_{secret}}) - E(E) \cdot E(M_{K_{secret}})}{\sqrt{\left(E(E^2) - E(E)^2\right)\left(E(M_{K_{secret}}^2) - E(M_{K_{secret}})^2\right)}}$$

let’s estimate cache hits to ease:

$$\rho(E, M_{miss}) = \rho(E, M_{hits})$$

$$E(E) = 1 \cdot P(E=1) + 0 \cdot P(E=0)$$

CLE: $\frac{1}{l_T}$, TIE: $\frac{1}{r_T}$

$$\mu_H(k,l) = \mu_M(k-1,l)$$

$$E(E \cdot M_{K_{secret}}) = E(E \cdot M_{T,K_{secret}}) + E(E) \cdot \sum_{t=1}^{T-1} E(M_{t,K_{secret}})$$

Annotations on the slide: independent accesses, correct prediction

SLIDE 13

Putting the pieces together…

analytical model for time-driven cache attacks

$$N = 2 \cdot Z_\alpha^2 \cdot \frac{\sigma_E^2}{\mu_E^2} \cdot \frac{\sum_{t=1}^{T} \sigma_M^2(k_t, l_t)}{\mu_D^2(k_T, l_T)}$$

  • probability α to find key
  • $k_t$ accesses to table t consisting of $r_t$ elements occupying $l_t$ cache lines
  • T tables in cipher operation
  • table T is table of interest

SLIDE 14

Example: attack on last round AES

  • cache line estimation
  • 99% success
  • 16 accesses to table of interest Te4 of 16 lines
  • 36 accesses to 4 tables Te0..3 each of 16 lines

$$N = 2 \cdot Z_\alpha^2 \cdot \frac{\sigma_E^2}{\mu_E^2} \cdot \frac{\sum_{t=1}^{T} \sigma_M^2(k_t, l_t)}{\mu_D^2(k_T, l_T)} \quad \text{with} \quad \frac{\sigma_E^2}{\mu_E^2} = \frac{\frac{1}{l_T} - \frac{1}{l_T^2}}{\frac{1}{l_T^2}}$$

$$N = 11 \cdot \frac{\frac{1}{16} - \frac{1}{16^2}}{\frac{1}{16^2}} \cdot \frac{\sigma_M^2(16,16) + 4 \cdot \sigma_M^2(36,16)}{\mu_D^2(16,16)} = 6592$$

measured: 10000
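The slide's example evaluated numerically, as an added sketch that is not part of the original deck. Assumptions: P_{k,l}(j) is taken to be the distribution of distinct cache lines touched by k uniform accesses from a clean cache, μ_D is taken as μ_M(k_T, l_T) − μ_M(k_T − 1, l_T), r_T = 256 entries for Te4, and all function names are illustrative.

```python
from statistics import NormalDist

def miss_distribution(k, l):
    """P_{k,l}(j) for j = 0..l: probability that k uniform, independent
    accesses to a table spanning l cache lines cause exactly j misses,
    starting from a clean cache (assumptions 1 and 3 of the deck)."""
    p = [1.0] + [0.0] * l
    for _ in range(k):
        nxt = [0.0] * (l + 1)
        for j, pj in enumerate(p):
            nxt[j] += pj * j / l                 # hit: line already cached
            if j < l:
                nxt[j + 1] += pj * (l - j) / l   # miss: a new line is loaded
        p = nxt
    return p

def mu_M(k, l):
    """Mean number of misses, sum of j * P_{k,l}(j)."""
    return sum(j * pj for j, pj in enumerate(miss_distribution(k, l)))

def var_M(k, l):
    """Variance of the number of misses, sum of j^2 * P_{k,l}(j) - mu_M^2."""
    p = miss_distribution(k, l)
    return sum(j * j * pj for j, pj in enumerate(p)) - mu_M(k, l) ** 2

def measurements(alpha, tables, collision_space):
    """N for success probability alpha. tables is a list of (k_t, l_t) with
    the table of interest last; collision_space is l_T for cache line
    estimation (CLE) or r_T for table index estimation (TIE)."""
    k_T, l_T = tables[-1]
    z = NormalDist().inv_cdf(alpha)               # Z_alpha
    p_e = 1.0 / collision_space                   # mu_E = P(E = 1)
    var_e_over_mu_e2 = (p_e - p_e ** 2) / p_e ** 2
    mu_D = mu_M(k_T, l_T) - mu_M(k_T - 1, l_T)    # assumption: mu_D = mu_M - mu_H
    noise = sum(var_M(k, l) for k, l in tables)   # independent tables add variances
    return 2 * z ** 2 * var_e_over_mu_e2 * noise / mu_D ** 2

# Slide example: 36 accesses to each of Te0..3, 16 to Te4, all 16 lines wide.
AES_LAST_ROUND = [(36, 16)] * 4 + [(16, 16)]
N_CLE = measurements(0.99, AES_LAST_ROUND, collision_space=16)
N_TIE = measurements(0.99, AES_LAST_ROUND, collision_space=256)  # assumed r_T = 256

if __name__ == "__main__":
    print(f"CLE: N = {N_CLE:.0f}, TIE: N = {N_TIE:.0f}")
```

Under these assumptions N_CLE lands within 1% of the 6592 shown on the slide, and N_TIE is (r_T − 1)/(l_T − 1) = 17 times larger.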

SLIDE 15

Experimental results: last round, table index estimation

setup:

  • single process
  • perf-counters

experiments:

  • 1. observe only Te4
  • 2. OpenSSL version
  • 3. 2 encryptions
  • 4. no Te4
  • 5. compact last round

SLIDE 16

Further insights

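  • Cache line estimation is $l_T/r_T$ times more effective than table index estimation
  • Yet $2^{16}$ key search space instead of $2^8$

$$\frac{N_{CLE}}{N_{TIE}} = \frac{\left(\sigma_E^2 / \mu_E^2\right)_{CLE}}{\left(\sigma_E^2 / \mu_E^2\right)_{TIE}} \approx \frac{l_T}{r_T}$$

e.g. 64 byte cache line:

$$time_{TIE} = 16 \cdot N \cdot 2^{8} \cdot \Delta time$$

$$time_{CLE} = N \cdot 2^{16} \cdot \Delta time$$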

SLIDE 17

Universal model

Metric is based on signal-to-noise ratio

[Figure: plot of f(X)/σ against cache misses showing the cache miss distribution of all tables ($\sum_{T} \mu_M$) and the cache miss distribution of all tables with cache collision in table of interest ($\sum_{T-1} \mu_M + \mu_H$); annotations $\mu_D$ and $\sqrt{\sum \sigma_M^2}$]

$$\frac{N_B}{N_A} = \frac{\mu_D^2(k_{T_A}, l_{T_A}) \Big/ \sum_{t_A=1}^{T_A} \sigma_M^2(k_{t_A}, l_{t_A})}{\mu_D^2(k_{T_B}, l_{T_B}) \Big/ \sum_{t_B=1}^{T_B} \sigma_M^2(k_{t_B}, l_{t_B})} = \frac{SNR_A}{SNR_B}$$

SLIDE 18

Conclusions

Analytical model forecasts resistance of block cipher implementations against time-driven cache attacks using:

  • 1. Number of lookup tables
  • 2. Size of lookup tables
  • 3. Size of cache line

Model accuracy verified with measurement results for different implementations, attack scenarios and platforms
