dealing with cache based attacks in cryptography
play

Dealing with cache based attacks in cryptography Speculating on - PowerPoint PPT Presentation

Apr 29, 2023 •256 likes •338 views

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

  1. Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19

  2. What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a computation can lead directly to key compromises or, less dramatically, to the ability to create forgeries. Cache based attacks can be used to: ● Detect input dependent branch points ● Detect table lookups ● Detect error conditions All of these events can lead to knowledge about the outcome or path taken by an internal operation, in a ways similar to timing based attacks. 2 INSERT DESIGNATOR, IF NEEDED

  3. Classic Example Can be executed against data or instruction caches depending on what is more convenient ATTACKER VICTIM FLUSH or PRIME Execute conditional RELOAD or PROBE Use timing on reload to fgure out what has been cached by the CPU while executing the victim’s code, infer internal status. This simple attack may be too coarse in some cases. 3 INSERT DESIGNATOR, IF NEEDED

  4. Speculation aided cache attack Using Branch Predictor (should be mitigated by IBPB/STIBP) ATTACKER VICTIM Trainer Shadow branches FLUSH Conditional op. Spy Train the branch predictor then fush your own caches for the “spy” branch. Let the victim code run, then run your own “spy” branch. See if the “trainer offset” fushed line was loaded by the “spy” (measure time to access). If not, the victim branch fred and retrained the BP. 4 INSERT DESIGNATOR, IF NEEDED

  5. How do we handle these attacks ? In cryptographic libraries The only way is to avoid conditionals like the plague, even where previously they would have been undetectable via classic timing attacks. ● All computations must be time and memory access constant ● Remove table lookups ● Compute even after errors, and report errors in silent ways All of these tend to make code slower. Historically only timing attacks were considered likely, however since then running “untrusted” code on shared hosts has become a lot more common (VPSs, PaaSs, containers). Not all cryptographic libraries developers feel ready to fght local attacks, considered way too hard to defeat. 5 INSERT DESIGNATOR, IF NEEDED

  6. Example H Padding Message memcpy(message, terminator + 1, message_length); memcpy(message, terminator + 1, message_length); *length = message_length; *length = message_length; /* fill destination buffer fully regardless of outcome. Copies the message /* fill destination buffer fully regardless of outcome. Copies the message * in a memory access independent way. The destination message buffer will * in a memory access independent way. The destination message buffer will * be clobbered past the message length. */ * be clobbered past the message length. */ x3 - x5 shift = padded_message_length - buflen; shift = padded_message_length - buflen; cnd_memcpy(ok, message, padded_message + shift, buflen); cnd_memcpy(ok, message, padded_message + shift, buflen); offset -= shift; offset -= shift; /* In this loop, the bits of the 'offset' variable are used as shifting /* In this loop, the bits of the 'offset' variable are used as shifting * conditions, starting from the least significant bit. The end result is * conditions, starting from the least significant bit. The end result is * that the buffer is shifted left exactly 'offset' bytes. */ * that the buffer is shifted left exactly 'offset' bytes. */ for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) { { /* 'ok' is both a least significant bit mask and a condition */ /* 'ok' is both a least significant bit mask and a condition */ cnd_memcpy(offset & ok, message, message + shift, buflen - shift); cnd_memcpy(offset & ok, message, message + shift, buflen - shift); } } /* update length only if we succeeded, otherwise leave unchanged */ /* update length only if we succeeded, otherwise leave unchanged */ *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); 6

  7. Do we continue like this ? Considering that: ● It is very hard to reason in this way ● Compilers tend to optimize away safeguards ● Some “safer” higher level languages do not have a level of control that allows to deal with these issues in this way New instructions to protect critical sections by messing with caches ? 7 INSERT DESIGNATOR, IF NEEDED

  8. THANK YOU plus.google.com/+RedHat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/RedHat youtube.com/user/RedHatVideos

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography for the Internet of Things and Cloud Ruhr-Universitt Bochum Outline Cloud and Cryptography Co-Location in the Cloud Cache Attacks in the

2.23k views • 37 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo

Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo

Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo Buiras, Edward Z. Yang, Amit Levy, David Terei, Alejandro Russo, and David Mazires Motivation: IFC Web platforms Platforms allow 3rd-party developers

936 views • 61 slides
S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer, Giner, Schwarz, Gruss, Mangard August 15, 2019 Graz University of Technology What is S CATTER C ACHE ? www.tugraz.at Alternative design for n-way

460 views • 27 slides
Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES Bholanath Roy Research Scholar Advanced Encryption Standard(AES) Design of an Espionage Network : Attack Architecture Espionage Infrastructure

435 views • 4 slides
Cache Attacks on the Cloud Thomas Eisenbarth Joint work with Gorka Irazoqui, Mehmet Sinan Inci,

Cache Attacks on the Cloud Thomas Eisenbarth Joint work with Gorka Irazoqui, Mehmet Sinan Inci,

Cache Attacks on the Cloud Thomas Eisenbarth Joint work with Gorka Irazoqui, Mehmet Sinan Inci, Berk Gulmezoglu and Berk Sunar Real World Cryptography 1/8/2016 Outline Cloud Computing and Isolation Extracting Information from Co-located

640 views • 24 slides
Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography 2019.08.28 Bo-Yeon Sim 1 ,

Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography 2019.08.28 Bo-Yeon Sim 1 ,

Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography 2019.08.28 Bo-Yeon Sim 1 , , Jihoon Kwon 2 , Kyu Young Choi 2 , Jihoon Cho 2 , Aesun Park 3, , and Dong-Guk Han 1,3, 1 Department of Mathematics, Kookmin University,

881 views • 58 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Coerced Cache Evic-on and Discreet-Mode Journaling: Dealing with

Coerced Cache Evic-on and Discreet-Mode Journaling: Dealing with

Coerced Cache Evic-on and Discreet-Mode Journaling: Dealing with Misbehaving Disks Abhishek Rajimwale * , Vijay Chidambaram, Deepak Ramamurthi Andrea

772 views • 44 slides
Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin Ozman, and Katherine Stange UC Irvine, August 31, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork: public-key crypto based

500 views • 27 slides
An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve Flemming Andersen Outline Motivation Cache attacks: origins, time-driven attack Strength of an implementation Analytical model of

685 views • 19 slides
Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs

Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs

Evolution of White-Box Cryptography: From Table-Based Implementations to Recent Designs Michael J. Wiener 2016 August 14 1 Outline Why do we bother with white-box cryptography (WBC)? The origins of WBC Attacks and

379 views • 34 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of

Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of

Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of mathematics devoted to the study of the integers and their properties. Key ideas in number theory include divisibility and the primality of integers.

1.77k views • 103 slides
Introduction to Lattices Oded Regev (Tel Aviv University and CNRS, ENS-Paris) Bar-Ilan

Introduction to Lattices Oded Regev (Tel Aviv University and CNRS, ENS-Paris) Bar-Ilan

Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012 Introduction to Lattices Oded Regev (Tel Aviv University and CNRS, ENS-Paris) Bar-Ilan University Dept. of Computer Science Lattices A

846 views • 41 slides
P ttt Prtts

P ttt Prtts

P ttt Prtts rt r tt rtr r

554 views • 31 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao

Mathematical Cryptography Diffie Hellman, Discrete Log Problem, Collision Algorithms Mentor: Tao Song , Mentee: Lisette del Pino University of Pennsylvania Directed Reading Program May 16, 2020 Mentor: Tao Song , Mentee: Lisette del Pino

1.35k views • 98 slides
Section 1 Commitment Schemes Commitment Schemes Commitment Schemes Digital analogue of a safe.

Section 1 Commitment Schemes Commitment Schemes Commitment Schemes Digital analogue of a safe.

Commitment Schemes Section 1 Commitment Schemes Commitment Schemes Commitment Schemes Digital analogue of a safe. Commitment Schemes Commitment Schemes Digital analogue of a safe. Definition 1 (Commitment scheme) An efficient two-stage

605 views • 23 slides
The legacy of export-grade cryptography in the 21st century Nadia Heninger University of

The legacy of export-grade cryptography in the 21st century Nadia Heninger University of

The legacy of export-grade cryptography in the 21st century Nadia Heninger University of Pennsylvania October 6, 2016 International Traffic in Arms Regulations April 1, 1992 version Category XIII--Auxiliary Military Equipment ... (b)

1.05k views • 79 slides

More recommend