Full AES key extraction in 65 milliseconds using cache attacks
Dag Arne Osvik, Adi Shamir, Eran Tromer
Weizmann Institute of Science
[Figure: CPU core, CPU cache memory, main memory]
Cache Attacks
The state of the cache persists between processes, resulting in inter-process contention for cache resources.
The data in the memory and caches is protected by virtual memory mechanisms, but the metadata is unprotected.
This causes a leak of information about memory access patterns
… which can be exploited cryptanalytically (e.g., breaking AES)
… very efficiently (e.g., just 300 encryptions for a known-plaintext attack)
… or in a very powerful attack model (no knowledge of plaintexts or ciphertexts)
Past works on cache attacks
Covert channels [Hu ‘92]
Theoretical attacks [Page ‘02]
Timing attacks using internal collisions in block ciphers [Tsunoo Tsujihara Minematsu Miyauchi ’02] [Tsunoo Saito Suzaki Shigeri Miyauchi ’03]
Recently:
Timing attacks on AES based on external collisions [Bernstein ’04]
Cache probing attack, improved timing attacks via cache modeling, “Hyper Attacks” on AES [Osvik Shamir Tromer ’05]
“Hyper Attacks” on RSA [Percival ’05]
A typical software implementation of AES

    #include <stdint.h>
    uint8_t p[16], k[16];                        // plaintext and key
    int32_t T0[256], T1[256], T2[256], T3[256];  // lookup tables
    int32_t Col[4];                              // intermediate state
    ...
    /* Round 1 */
    Col[0] = T0[p[ 0]^k[ 0]] ^ T1[p[ 5]^k[ 5]] ^ T2[p[10]^k[10]] ^ T3[p[15]^k[15]];
    Col[1] = T0[p[ 4]^k[ 4]] ^ T1[p[ 9]^k[ 9]] ^ T2[p[14]^k[14]] ^ T3[p[ 3]^k[ 3]];
    Col[2] = T0[p[ 8]^k[ 8]] ^ T1[p[13]^k[13]] ^ T2[p[ 2]^k[ 2]] ^ T3[p[ 7]^k[ 7]];
    Col[3] = T0[p[12]^k[12]] ^ T1[p[ 1]^k[ 1]] ^ T2[p[ 6]^k[ 6]] ^ T3[p[11]^k[11]];

lookup index = plaintext ⊕ key (and the parameters are favorable to the attack)
[Figure: associative cache: a 64-byte memory block maps into a cache set of 4 cache lines (64 bytes each)]
AES tables in memory
[Figure: T0 in DRAM and in the cache]
Detecting access to AES tables (basic idea)
[Figure: attacker memory and T0, in DRAM and in the cache]
Attack 1: Evict+Time
Selectively manipulate the state of the cache (e.g., evict a full cache set)
Trigger encryption
Measure how long it took
Deduce what cache sets it accessed
… cryptanalyze
Our experimental result: when attacking OpenSSL AES encryptions, can recover full key using 35 seconds of measurements.
Attack 2: Prime+Probe
Fill cache with attacker’s own data
Trigger encryption
Time access to attacker memory to see if it is still in cache
Deduce what cache sets the encryption accessed
… cryptanalyze
Oblivious to timing variability in attacker code, hence applicable to larger real systems.
Attack 2: our experimental results
When attacking OpenSSL AES encryptions: full key recovery using 16 milliseconds of measurements (300 encryptions with known inputs).
Next talk: if you have known outputs, 30 encryptions suffice.
When attacking a Linux dm-crypt AES encrypted filesystem (complicated system call going through filesystem, VM, scheduler…): full key recovery using 65 milliseconds of measurements (800 encryptions) and 3 seconds of off-line analysis.
Attack 3: “Hyper Attack”
No explicit interaction between attacker and victim.
No knowledge of specific plaintexts or ciphertexts.
One implementation exploits HyperThreading.
Fill cache with attacker’s data
Wait for someone else to perform encryption
Time access to attacker memory to see if it is still in cache
Deduce what cache sets the encryption accessed
… cryptanalyze based on knowledge of prior distribution of plaintexts/ciphertexts
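As an added illustration (not code from the talk), a small C model of the leak behind the three attacks above: the round-1 lookup index p[i]^k[i] from the implementation slide, the 64-byte-line / 32-bit-entry geometry from the cache slides, and the resulting fact that an observed set of touched lines constrains only the high nibble of each key byte, which is what the "… cryptanalyze" step works from. The names (cache_line_of, ROUND1_POS, consistent_high_nibbles, demo_recover), the fixed key and the LCG-generated plaintexts of the self-check are all constructed here; the model is what a defender uses to estimate how much a table-based implementation exposes per observation.

```c
#include <stdint.h>
/* Cache geometry from the slides: a 64-byte line holds 16 32-bit entries, so a
   T-table lookup at index x touches line x >> 4; only the high nibble of
   p[i] ^ k[i] reaches the cache-line index. */
int cache_line_of(uint8_t p, uint8_t k) { return (p ^ k) >> 4; }
/* Plaintext/key byte positions fed to T0..T3 in round 1 (from the slide). */
static const int ROUND1_POS[4][4] = {
    {0, 4, 8, 12}, {5, 9, 13, 1}, {10, 14, 2, 6}, {15, 3, 7, 11}};
/* Lines of table Tj touched in round 1 as a 16-bit mask (bit l = line l). */
uint16_t round1_line_mask(const uint8_t p[16], const uint8_t k[16], int j) {
    uint16_t mask = 0;
    for (int c = 0; c < 4; c++)
        mask |= (uint16_t)1 << cache_line_of(p[ROUND1_POS[j][c]], k[ROUND1_POS[j][c]]);
    return mask;
}
/* Leakage model: given n known plaintexts (pt[s*16+i]) and, per sample, the line
   mask observed for the table byte i feeds, count the high-nibble values of k[i]
   still consistent: h survives iff line (p[i] >> 4) ^ h was touched every time.
   *nibble is the key's high nibble exactly when the return value is 1. */
int consistent_high_nibbles(const uint8_t *pt, const uint16_t *mask, int n,
                            int i, int *nibble) {
    int survivors = 0; *nibble = -1;
    for (int h = 0; h < 16; h++) {
        int ok = 1;
        for (int s = 0; s < n && ok; s++)
            ok = (mask[s] >> ((pt[s * 16 + i] >> 4) ^ h)) & 1;
        if (ok) { survivors++; *nibble = h; }
    }
    return survivors;
}

/* Self-check on constructed data (fixed key, LCG-generated plaintexts): returns 1
   iff n samples pin down all 16 high key nibbles, 0 otherwise. */
int demo_recover(int n) {
    static const uint8_t key[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                    0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    static uint8_t pt[64 * 16]; static uint16_t m[4][64];
    uint32_t x = 12345; n = n > 64 ? 64 : n;
    for (int s = 0; s < n; s++) {
        for (int i = 0; i < 16; i++)
            x = x * 1103515245u + 12345u, pt[s * 16 + i] = (uint8_t)(x >> 16);
        for (int j = 0; j < 4; j++) m[j][s] = round1_line_mask(&pt[s * 16], key, j);
    }
    for (int j = 0; j < 4; j++)
        for (int c = 0; c < 4; c++) {
            int i = ROUND1_POS[j][c], nib;
            if (consistent_high_nibbles(pt, m[j], n, i, &nib) != 1 || nib != key[i] >> 4)
                return 0;
        }
    return 1;
}
```

Each observation leaves at most 4 of the 16 high-nibble values per byte, so a handful of known plaintexts already determines half of the key bits; the model says nothing about the low nibbles, which is why the talk's full-key results rely on later rounds.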
Experimental results measuring OpenSSL AES encryption of English text
Implications
Easy to deploy – pure software
Hard to detect
Hard to protect efficiently
Impact: multiuser systems, VPNs, virtual machines, trusted computing, sandboxes (JVM, JavaScript), remote attacks
Full paper on my webpage: http://www.wisdom.weizmann.ac.il/~tromer