Abstract
Software cache-based side channel attacks are a serious new class of threats for computers. Unlike physical side channel attacks that mostly target embedded cryptographic devices, cache-based side channel attacks can also undermine general purpose systems. The attacks are easy to perform, effective on most platforms, and do not require special instruments or excessive computation power. In recently demonstrated attacks on software implementations of ciphers like AES and RSA, the full key can be recovered by an unprivileged user program performing simple timing measurements based on cache misses.
We first analyze these attacks, identifying cache interference as the root cause of these attacks. We identify two basic mitigation approaches: the partition-based approach eliminates cache interference whereas the randomization-based approach randomizes cache interference so that zero information can be inferred. We present new security-aware cache designs, the Partition-Locked cache (PLcache) and Random Permutation cache (RPcache), analyze and prove their security, and evaluate their performance. Our results show that our new cache designs with built-in security can defend against cache-based side channel attacks in general (rather than only specific attacks on a given cryptographic algorithm) with very little performance degradation and hardware cost.
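The following Python model is an added illustration of the point made above, not code from the paper: it reproduces the cache-interference channel (an access-driven Prime+Probe round against a secret-indexed table lookup) and then shows why the two mitigation approaches close it. The direct-mapped cache with NUM_SETS sets, the victim table at TABLE_BASE, and the `PLCache`/`RPCache` classes are assumptions of this toy. `PLCache` stands in for the partition idea (a line locked by one process is never evicted by another; the interfering access bypasses the cache), and `RPCache` for the randomization idea (per-process random index-to-set mapping, and a cross-process eviction goes to a randomly chosen set instead); neither is the paper's exact PLcache or RPcache logic.

```python
"""Toy model of cache interference as a side channel and of two mitigations.

Direct-mapped cache, one line per set, address a maps to set a % NUM_SETS.
PLCache / RPCache are simplified stand-ins for the partition-based and
randomization-based approaches, NOT the paper's actual PLcache / RPcache.
"""
import random

NUM_SETS = 16
ATTACKER, VICTIM = "attacker", "victim"
TABLE_BASE = NUM_SETS  # constructed: victim's 16-entry lookup table at 16..31


class Cache:
    """Conventional cache: any process's miss evicts whatever is in the set."""

    def __init__(self, rng):
        self.rng = rng
        self.lines = [None] * NUM_SETS  # per set: (owner, addr) or None

    def set_of(self, proc, addr):
        return addr % NUM_SETS

    def access(self, proc, addr):
        """Service one access; True on hit, False on miss."""
        s = self.set_of(proc, addr)
        if self.lines[s] == (proc, addr):
            return True
        self.fill(proc, addr, s)
        return False

    def fill(self, proc, addr, s):
        self.lines[s] = (proc, addr)

    def preload(self, proc, addr):
        self.access(proc, addr)


class PLCache(Cache):
    """Partition-locked (simplified): a locked line is never evicted by another
    process; that process's miss is serviced without being cached."""

    def __init__(self, rng):
        super().__init__(rng)
        self.locked = set()

    def preload(self, proc, addr):
        self.access(proc, addr)
        self.locked.add((proc, addr))  # victim locks its table lines

    def fill(self, proc, addr, s):
        old = self.lines[s]
        if old is not None and old[0] != proc and old in self.locked:
            return  # bypass the cache: no cross-process interference
        super().fill(proc, addr, s)


class RPCache(Cache):
    """Random-permutation (simplified): each process has its own random
    index->set mapping, and a miss that would evict another process's line
    instead evicts a randomly chosen set and re-points the mapping there."""

    def __init__(self, rng):
        super().__init__(rng)
        self.perm = {}

    def table(self, proc):
        if proc not in self.perm:
            p = list(range(NUM_SETS))
            self.rng.shuffle(p)
            self.perm[proc] = p
        return self.perm[proc]

    def set_of(self, proc, addr):
        return self.table(proc)[addr % NUM_SETS]

    def fill(self, proc, addr, s):
        old = self.lines[s]
        if old is not None and old[0] != proc:
            p = self.table(proc)
            r = self.rng.randrange(NUM_SETS)  # random set, independent of addr
            i, j = addr % NUM_SETS, p.index(r)
            p[i], p[j] = p[j], p[i]  # this index now maps to set r
            s = r
        super().fill(proc, addr, s)


def prime_probe_round(cache, secret):
    """Attacker primes every set, victim does T[secret], attacker probes and
    blames the single set that missed (None unless exactly one set missed)."""
    for a in range(NUM_SETS):
        cache.access(ATTACKER, a)
    cache.access(VICTIM, TABLE_BASE + secret)
    missed = [a for a in range(NUM_SETS) if not cache.access(ATTACKER, a)]
    return missed[0] if len(missed) == 1 else None


def recovery_rate(cache_cls, trials=1000, seed=1):
    """Fraction of rounds in which the attacker recovers the secret index."""
    rng = random.Random(seed)
    cache = cache_cls(rng)
    for i in range(NUM_SETS):
        cache.preload(VICTIM, TABLE_BASE + i)  # victim warms (and, for PL, locks) its table
    wins = 0
    for _ in range(trials):
        secret = rng.randrange(NUM_SETS)
        wins += prime_probe_round(cache, secret) == secret
    return wins / trials


if __name__ == "__main__":
    for cls in (Cache, PLCache, RPCache):
        print(f"{cls.__name__:8s} recovery rate: {recovery_rate(cls):.3f}")
```

On the conventional cache the attacker recovers the index every round, because the victim's miss lands in exactly the set the secret selects. With locking, the victim's table lines stay resident, the secret-dependent access hits, and the attacker's probe sees the same all-miss pattern regardless of the secret. With the random mapping, the one set the attacker sees evicted is chosen uniformly at random, so its recovery rate drops to roughly guessing (about 1/NUM_SETS at best).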