An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur - PowerPoint PPT Presentation

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac ı içmez Michael Neve Flemming Andersen

Outline � Motivation � Cache attacks: origins, time-driven attack � Strength of an implementation � Analytical model of time-driven attack � Experimental results � Conclusions 2 FSE 2007

Side-Channels � Information leakage from implementation – Example: safecracker “feels” tumblers impacting – Covert channel without conspiracy or consent � Cache Side-Channel Attacks – 1996: presumed possible [Kocher] – 2002: theoretical work [Page] – 2003: first practical results on DES [Tsunoo] – 2005: first practical results on AES, RSA [Bernstein][Osvik][Percival] 3 FSE 2007

Motivation � Attack depends on crypto implementation and on cache architecture � Experimental results cumbersome to obtain � Can we put a stake in the ground on strength of any implementation of any symmetric key algorithm running on any microprocessor w.r.t. a time-driven cache attack? 4 FSE 2007

Cache attack origins � Information leaks resulting from the implementation of the cache MEMORY CACHE CPU � Difference between cache hit & cache miss is observable/ measurable 5 FSE 2007

Cache attacks in a nutshell � Cache is shared between processes � Cache state persists despite context switch � Data is protected, metadata is unprotected � Cache access pattern depends on cache state and processed data � Spy -process can observe key-dependent cache accesses of crypto- process � Observation techniques: time-driven attack, trace-driven attack, access-driven attack 6 FSE 2007

Tim e-driven cache attacks � Leakage: number of cache misses depend on data unknown secret key device measurements input analysis if (P 0 ==P j ) E = 0; 0 1 0 0 0 0 0 0 1 estimations model 0 0 1 0 1 0 0 0 0 else E = 1; 0 0 0 0 0 0 1 0 0 key fragment guess 7 FSE 2007

Exam ple: last round attack on AES � OpenSSL: 5 tables (Te0..4) of 1024 bytes – 16 accesses to table Te4 in last round plaintext B plaintext A � device: execution time ~ all cache misses location Te4 in cache � model: if (collision) estimation = 0; else estimation = 1; � cache line estimation (10) ⊕ C 0 )> = = < sbox -1 (RK i (10) ⊕ C i )> < sbox -1 (RK 0 � table index estimation (10) ⊕ C i with RK 0i (10) ⊕ RK i 7 cache misses 9 cache misses empty cache (10) = RK 0 (10) C 0 = = RK 0i 8 FSE 2007

Strength/ Resistance of an im plem entation � How many measurements are required? � Quantile of standard normal [Mangard2005] distribution for probability α 2 2 . Z α N = How sure do you want to be? � Correlation coefficient between ρ 2 estimations and measurements How accurate is your model? 1. model the measurements 2. compute ρ between estimations and modeled measurements 9 FSE 2007

Model the m easurem ents Assumptions: 1. Cache is clean before cipher operation 2. No collision between lookup tables 3. Cache accesses are random, independent 4. Cipher operation operates uninterrupted 5. Execution time proportional to number of cache misses 1 0 FSE 2007

Com pute ρ betw een estim ations and m odeled m easurem ents − − E E ( ( E E . . M M ) ) E E ( ( E E ). ). E E ( ( M M ) ) K K K K ρ ρ = = secret secret secret secret − − − − 2 2 2 2 2 2 2 2 E E ( ( E E ) ) E E ( ( E E ) ) E E ( ( M M ) ) E E ( ( M M ) ) K K K K secret secret secret secret � time ~ cache misses: � measurement model with k accesses to l lines: ρ = ρ ( E , M ) ( E , M ) ( ) ∑ time misses l μ = k , l j . P ( j ) � independent accesses to M k , l = j 1 T tables: l = ∑ T ∑ ( ) ( ) σ − μ = 2 2 2 k , l j . P ( j ) k , l E ( M ) E ( M ) M k , l M t = = j 1 1 t 1 1 FSE 2007

Com pute ρ betw een estim ations and m odeled m easurem ents − − E E ( ( E E . . M M ) ) E E ( ( E E ). ). E E ( ( M M ) ) K K K K ρ ρ = = secret secret secret secret − − − − 2 2 2 2 2 2 2 2 E E ( ( E E ) ) E E ( ( E E ) ) E E ( ( M M ) ) E E ( ( M M ) ) K K K K secret secret secret secret � let’s estimate cache hits � independent accesses � correct prediction ρ = ρ ( E , M ) ( E , M ) miss hits = + E ( E . M ) E ( E . M ) to ease K K T secret secret − T 1 ∑ = = + = E ( E ) 1 . P ( E 1 ) 0 . P ( E 0 ) E ( E ). E ( M ) K t secret = t 1 TIE CLE 1 1 μ = μ − ( ) ( ) k , l k 1 , l r l H M T T 1 2 FSE 2007

Putting the pieces together… analytical model for time-driven cache attacks � probability α to find key 2 2 . Z α = � k t accesses to table t N μ μ ( ) 2 2 k , l consisting of r t elements E D T T . σ 2 T occupying l t cache lines ∑ E σ ( ) 2 k , l � T tables in cipher operation M t t � table T is table of interest = t 1 1 3 FSE 2007

Exam ple: attack on last round AES � cache line estimation � cache line estimation 2 2 . Z α = N � 99% success � 99% success μ μ ( ) 2 2 k , l � 16 accesses to table of � 16 accesses to table of E D T T . σ 2 T interest Te4 of 16 lines interest Te4 of 16 lines ∑ E σ ( ) 2 � 36 accesses to 4 tables � 36 accesses to 4 tables k , l 2 M t t 1 l T Te0..3 each of 16 lines Te0..3 each of 16 lines = − 2 t 1 1 l 1 l � measured: 10000 T T 11 = = N 6592 μ ( ) 2 2 1 16 16 , 16 D . σ ( ) + σ ( ) − 2 2 2 4 . 36 , 16 16 , 16 1 16 1 16 M M 1 4 FSE 2007

Experim ental results last round, table index estim ation setup: � single process � perf-counters experiments: 1. observe only Te4 2. OpenSSL version 3. 2 encryptions 4. no Te4 5. compact last round 1 5 FSE 2007

Further insights � Cache line estimation is l T / r T times more effective than table index estimation � Yet 2 16 key search space instead of 2 8 μ 2 E σ 2 e.g. 64 byte cache line: N r E = ≈ CLE T TIE time TIE = 16.N.2 8 . Δ time μ 2 N l time CLE = N.2 16 . Δ time T CLE E σ 2 E TIE 1 6 FSE 2007

Universal m odel � Metric is based on signal-to-noise ratio ( ) ( ) μ μ 2 2 k , l k , l N SNR = D T T D T T = B A A A B B T T ∑ ∑ N SNR A B A B ( ) ( ) σ σ 2 2 k , l k , l M t t M t t A A B B = = t 1 t 1 A B μ D cache miss f (X)/ σ distribution cache miss of all tables √ Σ σ M 2 distribution with cache of all tables collision in table of interest T -1 T cache misses Σ μ M + μ H Σ μ M 1 7 FSE 2007

Conclusions � Analytical model forecasts resistance of block cipher implementations against time-driven cache attacks using: 1. Number of lookup tables 2. Size of lookup tables 3. Size of cache line � Model accuracy verified with measurement results for different implementations, attack scenarios and platforms 1 8 FSE 2007

1 9 FSE 2007