cache attacks from side channels to fault attacks
play

Cache attacks: From side channels to fault attacks Clmentine Maurice - PowerPoint PPT Presentation

Mar 22, 2024 •330 likes •1.99k views

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

  1. Cache attacks: Flush+Reload cached c a c h e d Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) 10

  2. Cache attacks: Flush+Reload fl u s h e s Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) Step 2: Attacker flushes the shared cache line 10

  3. Cache attacks: Flush+Reload loads data Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) Step 2: Attacker flushes the shared cache line Step 3: Victim loads the data 10

  4. Cache attacks: Flush+Reload r e l o a d s d a t a Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) Step 2: Attacker flushes the shared cache line Step 3: Victim loads the data Step 4: Attacker reloads the data 10

  5. • i.e. , every bit of the address except the lower 6 • with almost no false positives What did the attacker learn? 17 5 31 16 6 0 Address Tag Index Offset • the victim accessed a particular cache line 11

  6. What did the attacker learn? 17 5 31 16 6 0 Address Tag Index Offset • the victim accessed a particular cache line • i.e. , every bit of the address except the lower 6 • with almost no false positives 11

  7. • Cache Template Attacks: automatically finds information leakage side channel on keystrokes and AES T-tables implementation Flush+Reload: Applications • cross-VM side channel attacks on crypto algorithms • RSA: 96.7% of secret key bits in a single signature • AES: full key recovery in 30000 dec. (a few seconds) Y. Yarom and K. Falkner. “Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack”. In: USENIX Security Symposium . 2014 B. Gülmezoglu, M. S. Inci, T. Eisenbarth, and B. Sunar. “A Faster and More Realistic Flush+Reload Attack on AES”. In: COSADE’15 . 2015 D. Gruss, R. Spreitzer, and S. Mangard. “Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches”. In: USENIX Security Symposium . 2015 https://github.com/IAIK/cache_template_attacks 12

  8. Flush+Reload: Applications • cross-VM side channel attacks on crypto algorithms • RSA: 96.7% of secret key bits in a single signature • AES: full key recovery in 30000 dec. (a few seconds) • Cache Template Attacks: automatically finds information leakage → side channel on keystrokes and AES T-tables implementation Y. Yarom and K. Falkner. “Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack”. In: USENIX Security Symposium . 2014 B. Gülmezoglu, M. S. Inci, T. Eisenbarth, and B. Sunar. “A Faster and More Realistic Flush+Reload Attack on AES”. In: COSADE’15 . 2015 D. Gruss, R. Spreitzer, and S. Mangard. “Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches”. In: USENIX Security Symposium . 2015 https://github.com/IAIK/cache_template_attacks 12

  9. What if there is no shared memory?

  10. • data evicted from the LLC is also evicted from L1 and L2 • a core can evict lines in the private L1 of another core Inclusive property core 0 core 1 • inclusive LLC: superset of L1 and L2 L1 L2 LLC 14

  11. • data evicted from the LLC is also evicted from L1 and L2 • a core can evict lines in the private L1 of another core Inclusive property core 0 core 1 • inclusive LLC: superset of L1 and L2 L1 L2 LLC 14

  12. • data evicted from the LLC is also evicted from L1 and L2 • a core can evict lines in the private L1 of another core Inclusive property core 0 core 1 • inclusive LLC: superset of L1 and L2 L1 L2 inclusion LLC 14

  13. • data evicted from the LLC is also evicted from L1 and L2 • a core can evict lines in the private L1 of another core Inclusive property core 0 core 1 • inclusive LLC: superset of L1 and L2 L1 L2 LLC 14

  14. • a core can evict lines in the private L1 of another core Inclusive property core 0 core 1 • inclusive LLC: superset of L1 and L2 • data evicted from the LLC is also L1 evicted from L1 and L2 L2 LLC 14

  15. Inclusive property core 0 core 1 • inclusive LLC: superset of L1 and L2 • data evicted from the LLC is also L1 evicted from L1 and L2 L2 • a core can evict lines in the private L1 eviction of another core LLC 14

  16. Cache attacks: Prime+Probe Victim address space Cache Attacker address space 15

  17. Cache attacks: Prime+Probe Victim address space Cache Attacker address space Step 1: Attacker primes, i.e. , fills, the cache (no shared memory) 15

  18. Cache attacks: Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e. , fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 15

  19. Cache attacks: Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e. , fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 15

  20. Cache attacks: Prime+Probe s s c e a c t a s f Victim address space Cache Attacker address space Step 1: Attacker primes, i.e. , fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 15

  21. Cache attacks: Prime+Probe s e s c a c w o s l Victim address space Cache Attacker address space Step 1: Attacker primes, i.e. , fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 15

  22. • i.e. , the index bits, 11 bits in modern last-level caches • with false positives What did the attacker learn? 17 5 31 16 6 0 Address Tag Index Offset • a program accessed cache lines mapping to the same cache set 16

  23. What did the attacker learn? 17 5 31 16 6 0 Address Tag Index Offset • a program accessed cache lines mapping to the same cache set • i.e. , the index bits, ≈ 11 bits in modern last-level caches • with false positives 16

  24. Prime+Probe: Applications • cross-VM side channel attacks on crypto algorithms: • El Gamal (sliding window): full key recovery in 12 min. • tracking user behavior in the browser, in JavaScript • covert channels between virtual machines in the cloud F. Liu, Y. Yarom, Q. Ge, G. Heiser, and R. B. Lee. “Last-Level Cache Side-Channel Attacks are Practical”. In: S&P’15 . 2015. Y. Oren, V. P. Kemerlis, S. Sethumadhavan, and A. D. Keromytis. “The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications”. In: CCS’15 . 2015. C. Maurice, M. Weber, M. Schwarz, L. Giner, D. Gruss, C. A. Boano, S. Mangard, and K. Römer. “Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud”. In: NDSS’17 . 2017. 17

  25. Is that it?

  26. Last-level cache addressing 35 17 6 0 physical address tag set offset 30 H 11 2 line slice 0 slice 1 slice 2 slice 3 19

  27. • but requires: 1. eviction sets, i.e. , addresses in the same cache set, in the same slice 2. actually evicting addresses, i.e. , accessing addresses with some strategy • issues: 1. the last-level cache addressing function is undocumented 2. the replacement policy is (mostly) undocumented Prime+Probe technical issues • no need for e.g., memory deduplication → more practical 20

  28. 1. eviction sets, i.e. , addresses in the same cache set, in the same slice 2. actually evicting addresses, i.e. , accessing addresses with some strategy • issues: 1. the last-level cache addressing function is undocumented 2. the replacement policy is (mostly) undocumented Prime+Probe technical issues • no need for e.g., memory deduplication → more practical • but requires: 20

  29. 2. actually evicting addresses, i.e. , accessing addresses with some strategy • issues: 1. the last-level cache addressing function is undocumented 2. the replacement policy is (mostly) undocumented Prime+Probe technical issues • no need for e.g., memory deduplication → more practical • but requires: 1. eviction sets, i.e. , addresses in the same cache set, in the same slice 20

  30. • issues: 1. the last-level cache addressing function is undocumented 2. the replacement policy is (mostly) undocumented Prime+Probe technical issues • no need for e.g., memory deduplication → more practical • but requires: 1. eviction sets, i.e. , addresses in the same cache set, in the same slice 2. actually evicting addresses, i.e. , accessing addresses with some strategy 20

  31. 1. the last-level cache addressing function is undocumented 2. the replacement policy is (mostly) undocumented Prime+Probe technical issues • no need for e.g., memory deduplication → more practical • but requires: 1. eviction sets, i.e. , addresses in the same cache set, in the same slice 2. actually evicting addresses, i.e. , accessing addresses with some strategy • issues: 20

  32. 2. the replacement policy is (mostly) undocumented Prime+Probe technical issues • no need for e.g., memory deduplication → more practical • but requires: 1. eviction sets, i.e. , addresses in the same cache set, in the same slice 2. actually evicting addresses, i.e. , accessing addresses with some strategy • issues: 1. the last-level cache addressing function is undocumented 20

  33. Prime+Probe technical issues • no need for e.g., memory deduplication → more practical • but requires: 1. eviction sets, i.e. , addresses in the same cache set, in the same slice 2. actually evicting addresses, i.e. , accessing addresses with some strategy • issues: 1. the last-level cache addressing function is undocumented 2. the replacement policy is (mostly) undocumented 20

  34. Reverse-engineering last-level cache addressing We reverse-engineered this function! Intuition 1. find some way to map one address to one slice 2. repeat for every address with a 64B stride 3. infer a function out of it 21

  35. Mapping addresses to slices with performance counters • event UNC_CBO_CACHE_LOOKUP counts accesses to a slice address H CBo 0 CBo 1 CBo 2 CBo 3 slice 0 slice 1 slice 2 slice 3 UNC_CBO_CACHE_LOOKUP 0 0 0 0 22

  36. Mapping addresses to slices with performance counters • event UNC_CBO_CACHE_LOOKUP counts accesses to a slice 0x3a0071010 H CBo 0 CBo 0 CBo 1 CBo 2 CBo 3 slice 0 slice 0 slice 1 slice 2 slice 3 UNC_CBO_CACHE_LOOKUP 1 0 0 0 22

  37. Mapping addresses to slices with performance counters • event UNC_CBO_CACHE_LOOKUP counts accesses to a slice 0x3a0071090 H CBo 0 CBo 1 CBo 2 CBo 2 CBo 3 slice 0 slice 1 slice 2 slice 2 slice 3 UNC_CBO_CACHE_LOOKUP 1 0 1 0 22

  38. Mapping addresses to slices with performance counters • event UNC_CBO_CACHE_LOOKUP counts accesses to a slice 0x3a00710d0 H CBo 0 CBo 1 CBo 2 CBo 3 CBo 3 slice 0 slice 1 slice 2 slice 3 slice 3 UNC_CBO_CACHE_LOOKUP 1 0 1 1 22

  39. Last-level cache linear functions 3 functions, depending on the number of cores Address bit 3 3 3 3 3 3 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 0 0 0 0 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 2 cores o 0 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ 4 cores o 0 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ o 1 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ o 0 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ 8 cores o 1 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ o 2 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ • valid for Sandy Bridge, Ivy Bridge, Haswell, Broadwell, whether Core or Xeon • different for 6, 10, 12… cores → non-linear • different for Skylake 23

  40. but not for long :) • removing clflush does not address the root causes of vulnerabilities • fixing crypto is (relatively) easy, but mitigating all cache attacks is hard Lessons learned from cache side-channel attacks • undocumented hardware can be a problem, 24

  41. • removing clflush does not address the root causes of vulnerabilities • fixing crypto is (relatively) easy, but mitigating all cache attacks is hard Lessons learned from cache side-channel attacks • undocumented hardware can be a problem, but not for long :) 24

  42. • fixing crypto is (relatively) easy, but mitigating all cache attacks is hard Lessons learned from cache side-channel attacks • undocumented hardware can be a problem, but not for long :) • removing clflush does not address the root causes of vulnerabilities 24

  43. Lessons learned from cache side-channel attacks • undocumented hardware can be a problem, but not for long :) • removing clflush does not address the root causes of vulnerabilities • fixing crypto is (relatively) easy, but mitigating all cache attacks is hard 24

  44. How do we make fault attacks out of that?

  45. • attack entirely in software, again no physical access how can we flip bits without accessing them? • we’ll conduct attacks on the cache to create the right conditions • (but we’re not flipping bits on the cache) DRAM fault attacks • we’re now exploring fault attacks on DRAM 26

  46. how can we flip bits without accessing them? • we’ll conduct attacks on the cache to create the right conditions • (but we’re not flipping bits on the cache) DRAM fault attacks • we’re now exploring fault attacks on DRAM • attack entirely in software, again no physical access 26

  47. • we’ll conduct attacks on the cache to create the right conditions • (but we’re not flipping bits on the cache) DRAM fault attacks • we’re now exploring fault attacks on DRAM • attack entirely in software, again no physical access → how can we flip bits without accessing them? 26

  48. • (but we’re not flipping bits on the cache) DRAM fault attacks • we’re now exploring fault attacks on DRAM • attack entirely in software, again no physical access → how can we flip bits without accessing them? • we’ll conduct attacks on the cache to create the right conditions 26

  49. DRAM fault attacks • we’re now exploring fault attacks on DRAM • attack entirely in software, again no physical access → how can we flip bits without accessing them? • we’ll conduct attacks on the cache to create the right conditions • (but we’re not flipping bits on the cache) 26

  50. back of DIMM: rank 1 channel 0 front of DIMM: rank 0 chip channel 1 Background: DRAM organization 27

  51. back of DIMM: rank 1 front of DIMM: rank 0 chip Background: DRAM organization channel 0 channel 1 27

  52. chip Background: DRAM organization back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 27

  53. Background: DRAM organization back of DIMM: rank 1 channel 0 front of DIMM: rank 0 chip channel 1 27

  54. Background: DRAM organization bank 0 chip row 0 • bits in cells in rows row 1 • access: activate row, row 2 copy to row buffer … row 32767 row buffer 28

  55. Software-Based Fault Attack: Rowhammer Rowhammer (Kim et al., 2014) “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 … 1 1 1 1 1 1 1 1 1 1 1 1 1 1 row buffer 29

  56. Software-Based Fault Attack: Rowhammer Rowhammer (Kim et al., 2014) “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 1 1 1 1 1 1 1 1 1 1 1 1 1 1 activate 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 … copy 1 1 1 1 1 1 1 1 1 1 1 1 1 1 row buffer row buffer 29

  57. Software-Based Fault Attack: Rowhammer Rowhammer (Kim et al., 2014) “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 activate 1 1 1 1 1 1 1 1 1 1 1 1 1 1 … copy 1 1 1 1 1 1 1 1 1 1 1 1 1 1 row buffer row buffer 29

  58. Software-Based Fault Attack: Rowhammer Rowhammer (Kim et al., 2014) “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 1 1 1 1 1 1 1 1 1 1 1 1 1 1 activate 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 … copy 1 1 1 1 1 1 1 1 1 1 1 1 1 1 row buffer row buffer 29

  59. Software-Based Fault Attack: Rowhammer Rowhammer (Kim et al., 2014) “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 activate 1 1 1 1 1 1 1 1 1 1 1 1 1 1 … copy 1 1 1 1 1 1 1 1 1 1 1 1 1 1 row buffer row buffer 29

  60. Software-Based Fault Attack: Rowhammer Rowhammer (Kim et al., 2014) “It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after” – Motherboard Vice DRAM bank 1 1 1 1 1 1 1 1 1 1 1 1 1 1 bit flips in row 2! 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 … 1 1 1 1 1 1 1 1 1 1 1 1 1 1 row buffer row buffer 29

  61. Impact of the CPU cache CPU core • only non-cached accesses reach DRAM CPU • original attacks use clflush instruction cache → flush line from cache → next access will be served from DRAM DRAM 30

  62. Rowhammer (with clflush ) DRAM bank cache set 1 cache set 2 31

  63. Rowhammer (with clflush ) DRAM bank cache set 1 clflush clflush cache set 2 31

  64. Rowhammer (with clflush ) DRAM bank cache set 1 clflush clflush cache set 2 31

  65. Rowhammer (with clflush ) DRAM bank cache set 1 cache set 2 31

  66. Rowhammer (with clflush ) DRAM bank cache set 1 r e l o a d cache set 2 31

  67. Rowhammer (with clflush ) DRAM bank cache set 1 r r e e l l o o a a d d r r e e l l o o a a d d cache set 2 31

  68. Rowhammer (with clflush ) DRAM bank cache set 1 clflush clflush cache set 2 31

  69. Rowhammer (with clflush ) DRAM bank cache set 1 r e l o a d r e l o a d cache set 2 31

  70. Rowhammer (with clflush ) DRAM bank cache set 1 clflush clflush cache set 2 31

  71. Rowhammer (with clflush ) DRAM bank cache set 1 r e l o a d r e l o a d cache set 2 31

Recommend

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

825 views • 48 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
PHYSICAL FUNCTIONS : THE COMMON FACTOR OF SIDE-CHANNEL AND FAULT ATTACKS ? Proofs 2014, Busan,

PHYSICAL FUNCTIONS : THE COMMON FACTOR OF SIDE-CHANNEL AND FAULT ATTACKS ? Proofs 2014, Busan,

PHYSICAL FUNCTIONS : THE COMMON FACTOR OF SIDE-CHANNEL AND FAULT ATTACKS ? Proofs 2014, Busan, Korea Bruno Robisson, Hlne Le Bouder Secure Architecture and Systems Laboratory Joint team between CEA and Ecole des Mines de Saint-Etienne

883 views • 28 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen Introduction Physical Attacks Active Passive (Fault Attacks) (Observing Attacks) Side Channel Attacks

644 views • 45 slides
Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

468 views • 34 slides
Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel Medwed Franois-Xavier Standaert Johann

814 views • 28 slides
Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES

Design and Implementation of an Espionage Network for Cache- based Side Channel Attacks on AES Bholanath Roy Research Scholar Advanced Encryption Standard(AES) Design of an Espionage Network : Attack Architecture Espionage Infrastructure

436 views • 4 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

563 views • 38 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

1.03k views • 66 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer, Giner, Schwarz, Gruss, Mangard August 15, 2019 Graz University of Technology What is S CATTER C ACHE ? www.tugraz.at Alternative design for n-way

460 views • 27 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
The Temperature Side Channel and Heating Fault Attacks Michael Hutter and J orn-Marc Schmidt

The Temperature Side Channel and Heating Fault Attacks Michael Hutter and J orn-Marc Schmidt

Introduction SCA Faults Remanence Conclusions 1 / 24 The Temperature Side Channel and Heating Fault Attacks Michael Hutter and J orn-Marc Schmidt Michael Hutter and J orn-Marc Schmidt CARDIS 2013, November 27-29, 2013 Introduction

687 views • 24 slides
An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve Flemming Andersen Outline Motivation Cache attacks: origins, time-driven attack Strength of an implementation Analytical model of

685 views • 19 slides

More recommend