cache based attack on aes
play

Cache-based attack on AES Mikal Fourrier Contribution of this paper - PowerPoint PPT Presentation

Dec 15, 2022 •216 likes •378 views

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from AES in 3s + 3min Very weak assumptions No known plaintext needed No special rights needed, only to be able to spawn and control threads

  1. Cache-based attack on AES Mikaël Fourrier

  2. Contribution of this paper ● Get the secret key from AES in 3s + 3min ● Very weak assumptions ● No known plaintext needed ● No special rights needed, only to be able to spawn and control threads 2

  3. Side-channel attack ● Goal: attack the implementation instead of brute force or theoretical weaknesses – Timing attacks – Power-monitoring attacks – Electromagnetic attack – Acoustic cryptanalysis 3

  4. CPU Cache ● The CPU is way faster than the RAM, so we add caches so that we don't have to interact with the RAM – The caches are divided in blocks (64-128 bytes) – L1 ~10kb – L2 ~1M – L2 14x slower than L1 – RAM 20x slower than L2, 200x slower than L1 4

  5. AES 5

  6. AES implementation ● Exploit redundancy in the matrix multiplications to speedup the calculation ● Massive use of precomputed tables → If we know which entry is use when, we can deduce the private key → Each round we get a probability that a byte sequence is part of the key 6

  7. Main idea 1) Fill L1 with known data 2) Let the target execute one table load (will be a miss) 3) Detect which cache line has been changed 4) Deduce which part of the table has been loaded 5) Repeat! 7

  8. Completely fair scheduler ● Linux process scheduler ● Goal: as with n processes executing on n processors at 1/n the speed. → Execute first the process which had less execution time 8

  9. The attack ● DoS on CFS: hundreds of threads + one dummy thread 9

  10. The attack - 2 ● Read a big array, if response time above a threshold → cache miss → the target process used this cache line 10

  11. Neural networks ● One neuron has multiple inputs and one output ● Each input has an associated weight ● The networks learns by changing the weights 11

  12. Post-processing ● Use of two neural networks: – Noise reduction (right) – Estimation on the number of memory access at t 12

  13. Results ● 250 threads, 100 encryptions – 10ms → 2.8s ● Noise reduction: 21s, normal process ● Preparing key search by constructing a probability table: 63s ● Key search: 30-300s → 3 minutes to find the key → 60kB to transfer for post-processing 13

  14. Countermeasures (general) ● Don't use the cache – Not possible in real life ● Don't let process access high-res timers – A lot of legitimate apps use it ● Cache preloading by the OS ● Mark table as uncachable ● Limit the minimum time between context switch 14

  15. Contermeasures (AES) ● Use more efficient instructions to reduce table size ● Use hardware-supported encryption (Intel AES-NI) 15

  16. References ● Paper: https://eprint.iacr.org/2010/594.pdf ● Wikipedia: https://en.wikipedia.org/wiki/Artificial_neural _network 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

Anatomy of a DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the Domain Name System (DNS) Cache Poisoning Cyber attack. We will cover: - Real-world examples of DNS cache poisoning - A defjnition of

607 views • 58 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC labs 8 Mar 2010 ccNSO techday, Nairobi 1 Agenda DNS, DNS resolver Cache Poisoning theory Kaminsky attack Attack theory Attack

503 views • 28 slides
DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan Contents Background DNS Cache Poisoning Part I: Infer

934 views • 23 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES Bholanath Roy Research Scholar Advanced Encryption Standard(AES) Design of an Espionage Network : Attack Architecture Espionage Infrastructure

435 views • 4 slides
A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng,

A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng,

Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan and Zhiyun Qian DNS Forwarder Devices

593 views • 20 slides
Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
Directory-based Cache Coherency 1 To read more This days papers: Lenoski et al, The

Directory-based Cache Coherency 1 To read more This days papers: Lenoski et al, The

Directory-based Cache Coherency 1 To read more This days papers: Lenoski et al, The Directory-Based Cache Coherence Protocol for the DASH Multiprocessor Supplementary readings: Hennessy and Patterson, section 5.4 Molka et al,

792 views • 57 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache, and all blocks initially marked as not valid , Given the main memory word addresses 0 1 2 3 4 3 4 15, calculate Cache hit rate. Cache Index

654 views • 9 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

535 views • 42 slides
TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB

TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB

TLBleed Translation leak-aside buffer: Defeating cache side-channel protections with TLB attack B. Gras, K. Razavi, H. Bos, and C. Giuffrida Presented by Ayoosh Bansal Translation Lookaside Buffer (TLB) It is a cache, where every entry

1.04k views • 25 slides
Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&Time vs. MbedTLS AES on STM32

477 views • 20 slides
CEE 370 Environmental Engineering Principles Lecture #24 Water Quality Management II: Rivers

CEE 370 Environmental Engineering Principles Lecture #24 Water Quality Management II: Rivers

CEE 370 Lecture #24 11/4/2019 Print version Updated: 4 November 2019 CEE 370 Environmental Engineering Principles Lecture #24 Water Quality Management II: Rivers Reading: Mihelcic & Zimmerman, Chapter 7 (7.7 focus) Reading: Davis

952 views • 26 slides
THE LINUX SCHEDULER: A DECADE OF WASTED CORES Jean-Pierre Lozi Baptiste Lepers Fabien Gaud

THE LINUX SCHEDULER: A DECADE OF WASTED CORES Jean-Pierre Lozi Baptiste Lepers Fabien Gaud

THE LINUX SCHEDULER: A DECADE OF WASTED CORES Jean-Pierre Lozi Baptiste Lepers Fabien Gaud jplozi@unice.fr baptiste.lepers@epfl.ch me@fabiengaud.net Vivien Quma Alexandra Fedorova vivien.quema@imag.fr sasha@ece.ubc.ca Justin Funston

1.21k views • 100 slides
CFPB Servicing Rules Episode VI: Return of the Rulemakings Melanie Brody Jonathan D. Jaffe

CFPB Servicing Rules Episode VI: Return of the Rulemakings Melanie Brody Jonathan D. Jaffe

CFPB Servicing Rules Episode VI: Return of the Rulemakings Melanie Brody Jonathan D. Jaffe David A. Tallman Partner, Washington DC Partner, Palo Alto Partner, Houston Jeremy M. McLaughlin Christopher E. Shelton September 2016 Associate,

739 views • 62 slides
CPU Scheduling Chester Rebeiro IIT Madras Execution phases of a process 2 Types of Processes

CPU Scheduling Chester Rebeiro IIT Madras Execution phases of a process 2 Types of Processes

CPU Scheduling Chester Rebeiro IIT Madras Execution phases of a process 2 Types of Processes 3 CPU Scheduler Running Process i n t e r r u p t e v e r y 1 0 0 m s Queue of Ready Processes CPU Scheduler Scheduler

977 views • 75 slides
MODELING THE FUNCTIONAL ARCHITECTURE OF HUMAN DECISION MAKING (11RH08COR) PI: Dr. Robert E.

MODELING THE FUNCTIONAL ARCHITECTURE OF HUMAN DECISION MAKING (11RH08COR) PI: Dr. Robert E.

MODELING THE FUNCTIONAL ARCHITECTURE OF HUMAN DECISION MAKING (11RH08COR) PI: Dr. Robert E. Patterson (AFRL) Senior Personnel: Dr. Alan Boydstun Dr. Christine Covas-Smith Dr. Lisa Tripp AFOSR Program Review: Cognition, Decision, and

346 views • 33 slides
201 VERDE Mussetter Testimony: - Verde River fits in 3b or 3a category. - Braided rivers can be

201 VERDE Mussetter Testimony: - Verde River fits in 3b or 3a category. - Braided rivers can be

201 VERDE Mussetter Testimony: - Verde River fits in 3b or 3a category. - Braided rivers can be navigable. Fuller Rebuttal Slides p. 1 Q2 @ Clarkdale = 6600 cfs Q10 @ Tangle Ck = 61,000 cfs Fuller Rebuttal Slides p. 2 Where are the

581 views • 17 slides
Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti Cisco Systems, Inc. Universita degli Studi di

703 views • 22 slides
On Utilization of Contributory On Utilization of Contributory Storage in Desktop Grids Storage

On Utilization of Contributory On Utilization of Contributory Storage in Desktop Grids Storage

On Utilization of Contributory On Utilization of Contributory Storage in Desktop Grids Storage in Desktop Grids Chreston Miller , Ali R. Butt, and Patrick Butler Department of Computer Science Contributory Storage: Cheap Contributory Storage:

683 views • 30 slides

More recommend