WIXLIB

is able to observe a “few cache accesses per encryption”and which works on single threaded CPUs. They thendescribe a theoretical known ciphertext attack to recoverkeys by analyzing the last round of AES. The practicalityof their attack remains unclear, since they do not provide animplementation and leave various conceptual issues (e.g.,quality of noise reduction, etc.) open.We improve over prior work by providing a first practicalaccess-driven cache attack on AES in the asynchronousmodel. The attack works under weaker assumptions thanprevious ones, as no information about plain- and ciphertextis required1 , and it is more efficient in the sense that weonly need to observe about 100 encryptions. We also reach anovelly high granularity when monitoring memory-accesses.Further, our attack also works against compressed tables,which were not considered before.Finally, several hardware and software based mitigationsstrategies for AES have been proposed, e.g., [24]–[26].C. Organization of this DocumentIn §II we briefly recapitulate the structure of a CPU cache,and the logics underlying it. We also describe the AdvancedEncryption Standard (AES) to the extent necessary for ourattack. In §III we then explain how to recover the AESkey under the assumption that one was able to perfectlyobserve the single cache-accesses performed by the victimprocess. We drop this idealization in §IV and show how bycombining a novel attack on the task scheduler and neuralnetworks sufficiently good measurements can be obtained inpractice. We give some real measurements and extensionsof our attack in §V. In particular, we there sketch how toobtain the plaintext without knowing the ciphertext. Finally,we propose some countermeasures in §VI.II. P RELIMINARIESWe first summarize the functioning of the CPU cacheas far as necessary for understanding our attack. We thendescribe AES, and give some details on how it is typicallyimplemented. We close this section by describing the testenvironment on which we obtained our measurements.A. The CPU Cache and its Side ChannelsWe next describe the behavior of the CPU cache, andhow it can be exploited as a side channel. The CPU cacheis a very fast memory which is placed between the mainmemory and the CPU [27]. Its size typically ranges fromsome hundred kilobytes up to a few megabytes.Typically, data the CPU attempts to access is first loadedinto the cache, provided that it is not already there. Thislatter case is called a cache hit, and the requested data1 To be precise, the statement is true whenever AES is used, e.g., in CBCor CTR mode, which is the case for (all) relevant protocols and applications.In the pathological and practically irrelevant case, where the ECB mode(which is known to be insecure by design) is used we have to require thatthere is some randomness in the plaintext.can be supplied to the CPU core with almost no latency.However, if a cache miss occurs, the data first has to befetched via the front side bus and copied into the cache, withthe resulting latency being roughly two orders of magnitudehigher than in the former case. Consequently, although beinglogically transparent, the mechanics of the CPU cache leakinformation about memory accesses to an adversary who iscapable of monitoring cache hits and misses.To understand this problem in more detail it is necessaryto know the functioning of an n-way associative cache,where each address in the main memory can be mapped intoexactly n different positions in the cache. The cache consistsof 2a cache-sets of n cache-lines each. A cache-line is thesmallest amount of data the cache can work with, and itholds 2b bytes of data, which are accompanied by tag andstate bits. Cache line sizes of 64 or 128 bytes (correspondingto b 6 and b 7, respectively) are prevalent on modernx86- and x64-architectures.To locate the cache-line holding data from address A (Amax , . . . , A0 ), the b least significant bits of A can beignored, as a cache-line always holds 2b bytes. The nexta bits, i.e., (Aa b 1 , . . . , Ab ) identify the cache-set. Theremaining bits, i.e., (Amax , . . . , Aa b ) serve as a tag. Now,when requesting data from some address A, the cache logiccompares the tag corresponding to A with all tags of the(unique) possible cache-set, to either successfully find thesought cache-line or to signal a cache miss. The state bitsindicate if the data is, e.g., valid, shared or modified (theexact semantics are implementation defined). We typicallyhave max 31 on x86-architectures and max 63 onx64-architectures (however, the usage of physical addressextension techniques may increase the value of max [28]).Addresses mapping into the same cache-set are said toalias in the cache. When more then n memory accesses todifferent aliasing addresses have occurred, the cache logicneeds to evict cache-lines (i.e. modified data needs to bewritten back to RAM and the cacheline is reused). Thisis done according to a predetermined replacement strategy,most often an undocumented algorithm (e.g. PseudoLRU inx86 CPUs), approximating the eviction of the least recentlyused (LRU) entry.With these mechanics in mind, one can see that thereare at least two situations where information can leak toan adversary in multi-tasking operating systems (OS). Let’stherefore assume that a victim process V , and a spy processS are executed concurrently, and that the cache has beeninitialized by S. After running V for some (small) amountof time, the OS switches back to S. If S and V physically share main memory (i.e., theirvirtual memories map into the same memory pages inRAM), S starts by flushing the whole cache. Afterregaining control over the CPU, S reads from memory locations and monitors cache hits and misses byobserving the latency.

If S and V do not physically share memory, thenthey typically have access to cache aliasing memory.In this case, S initializes the cache with some data D,and using its knowledge of the replacement strategy,it deterministically prepares the individual cache-linestates. When being scheduled again, S again accessesD, and notes which data had been evicted from thecache. This again allows S to infer information aboutthe memory accesses of V .Our target is the OpenSSL library on Linux, which inpractice resides at only one place in physical memory andis mapped into the virtual memory of every process that usesit. In this paper we are therefore concerned with the sharedmemory scenario, where V uses lookup tables with 2c entries of 2d bytes each, and uses a secret variable to index intoit. We will further make the natural assumption of cache-linealignment, i.e., that the starting point of these lookup tablesin memory corresponds to a cache-line boundary. For mostcompilers, this is a standard option for larger structures.Exploiting the previously mentioned information leakagewill allow S to infer the memory locations V accesses into,up to cache-line granularity. That is, S is able to reconstructl c max(0, b d) bits of the secret index for a cache-linesize of 2b bytes. Note that l 0 whenever the lookup tabledoes not entirely fit into a single cache-line. Starting fromthese l bits, we will reconstruct the whole encryption key inour attack.B. AES – The Advanced Encryption StandardThe Advanced Encryption Standard (AES) [16] is a symmetric block cipher, and has been adopted as an encryptionstandard by the U.S. government [17]. For self-containment,and to fix notation, we next recapitulate the steps of the AESalgorithm [29, §4.2].AES always processes blocks (x0 . . . xF ) of 16 bytes ata time by treating them as 4 4 matrices. We will denotethese matrices by capital letters, and its column vectors bybold, underlined lowercase letters: x0 x4 x8 xC x1 x5 x9 xD X x2 x6 xA xE (x0 x1 x2 x3 )x3 x7 xB xFThe single bytes xi are treated as elements of GF (28 ). Wedenote addition in this field by and multiplication by .Note that the addition equals bitwise XOR. The irreduciblepolynomial for multiplication is given by x8 x4 x3 x 1,see [17] for details. We use these operations in the usualoverloaded sense to operate on matrices and vectors.Except for XORing the current state with a round key,the single rounds of AES makes use of three operations:ShiftRows cyclically shifts the rows of a matrix X, SubBytesperforms a byte-wise substitution of each entry in a matrixaccording to a fixed and invertible substitution rule, andMixColumns multiplies a matrix by a fixed matrix M .In the first step of each round of AES, the ShiftRowsoperation performs the following permutation on the rowsof a matrix X: x0 x4 x8 xC x5 x9 xD x1 ShiftRows(X) X̃ xA xE x2 x6 xF x3 x7 xBWe will denote the columns of X̃ by (x̃0 x̃1 x̃2 x̃3 ).In the next step, all bytes of X̃ are substituted as definedby an S-box given in [17]. We denote this substitution bys(·). That is, we have SubBytes(X̃) s(X̃) with s(x0 ) s(x4 ) s(x8 ) s(xC ) s(x5 ) s(x9 ) s(xD ) s(x1 ) s(X̃) s(xA ) s(xE ) s(x2 ) s(x6 ) ,s(xF ) s(x3 ) s(x7 ) s(xB )or s(X̃) (s(x̃0 ) s(x̃1 ) s(x̃2 ) s(x̃3 )) for short.Finally, the state matrices are multiplied bymatrix M in the MixColumns operation: 2 3 1 1 2 3MixColumns(s(X̃)) M s(X̃) 1 1 23 1 1a constant 11 s(X̃)3 2As for X, we abbreviate the columns of M by bold letters.Here and in the remainder of this document, byte valueshave to be read as hexadecimal numbers.Having said this, and denoting the round key of the ithround by Ki , we can write AES as the following recurrence,where X0 is the plaintext, and Xr 1 is the ciphertext: Xi Kii 0, M s(X̃i ) Ki0 i r,Xi 1 (1) s(X̃i ) Kii r .For the 128-bit implementation of AES we have r 10.We will not detail the key schedule here, but only wantto note that Ki 1 can be obtained from Ki by applying anonlinear transformation using the same S-box as the cipheritself, cyclically shifting the byte vectors, and XORingwith (2i , 0, 0, 0) (where 2 has to be read as an element inGF (28 )). The key schedule is illustrated in Figure 2.C. How to Implement AESIn the following we briefly describe the basic ideas howto efficiently implement AES. These tricks are corner stonesfor our attack presented in the subsequent sections.AES is heavily based on computations in GF (28 ),whereas the arithmetic logic unit (ALU) of most CPUsonly provides arithmetic on integers. The fast referenceimplementation of [30] reformulates AES to only need basic

operations on 32-bit machine words. The implementationof OpenSSL [18] further exploits redundancies and halvesthe space needed for lookup tables, saving two kilobyte ofmemory. In the following we present these techniques onhand of one inner round of AES, using X and Y for thestate matrices before and after the round, and K to denotethe round key. That is, we have the following relation:Y M s(X̃) K.(2)Consequently, we have m0 s(x0 ) m1 s(x5 ) y0m2 s(xA ) m3 s(xF ) k0 ,(3)and similarly for y1 , y2 , y3 , where k0 denotes the firstcolumn of K when interpreting K as a matrix of 4 4 bytes,indexed analogously to X and Y . To avoid the expensivemultiplications in GF (28 ) tables T0 , . . . , T3 containing allpotential results are precomputed. That is, we haveTi [x] mi s(x)0 i 3.This allows one to rewrite (3) to the following form whichonly uses table lookups, and binary XORs:y0 T0 [x0 ] T1 [x5 ] T2 [xA ] T3 [xF ] k0 .Each Ti has 28 entries of size 4 bytes each, and thus thetables require 4kB of memory. However, they are highlyredundant. For instance, we have thatT1 [x] (3 2 1 1)T s(x) (2 1 1 3)T s(x) 3 T0 [x] 3,where denotes a bytewise rotation towards the leastsignificant byte. Thus, it is possible to compute all Ti byrotating T0 . Yet, having to perform these rotations wouldcause a performance penalty. The idea thus is to use onetable T the entries of which are doubled entries of T0 . Thatis, if T0 has entries of the form (abcd), those of T are ofthe form (abcdabcd). We then have, e.g.,T1 [x] 32 bit word at offset 3 in T [x].While saving 2kB of memory and thus reducing the L1footprint of the implementation substantially, this approachalso allows to avoid the rotations by accessing T at thecorrect offsets.While the above techniques work for most of AES, thereare basically two ways to implement the last round whichdiffers from the other rounds, cf. (1). First, an additionallookup table can be used for s(X̃) instead of M s(X̃).Alternatively, one can reuse the existing lookup table(s) byaccessing them at positions that have been multiplied by a1-entry of M . While the first technique can be exploited toidentify where an encryption ends (and thus also to identifythe first or last round of an encryption) by checking formemory accesses into this new table, this is not possiblein the latter situation, as the observed memory accesses areindistinguishable from the previous rounds. Thus, the attacksof, e.g., [5], [6] cannot be executed any more. In particularthis is the case for the compressed tables implementation ofOpenSSL 0.9.8.D. Test EnvironmentAll our implementations and measurements have beenobtained on a Intel Pentium M 1.5GHz (codename “Banias”)processor, in combination with an Intel ICH4-M (codename“Odem”) chipset using 512MB of DDR-333 SDRAM. Onthis system, we were running Arch Linux with kernel version2.6.33.4. As a victim process we used the OpenSSL 0.9.8nimplementation of AES, using standard configurations.III. B REAKING AES GIVEN I DEAL M EASUREMENTSIn this section, we show how the full secret AES key canbe recovered under the assumption of ideal cache measurements. That is, we assume that a spy process can observe allcache accesses performed by a victim process in the correctorder. Making this (over-restrictive) assumption considerablyeases the presentation of our key recovery techniques. Wewill show how it can be dropped in §IV.A. Using Accesses from Two Consecutive RoundsAs discussed in §II-A, having recorded the memoryaccesses into the lookup tables allows one to infer l c min(0, b d) bits of the secret index, where the lookuptable has 2c entries of 2d bytes each, and where a cache-linecan hold 2b bytes. We therefore introduce the notation x to denote the l most significant bits of x, and also extendthis notation to vectors. In our case, we have c 8 andd 3. If, for instance, we assume b 6 we have l 5 andconsequently 110010002110012 000100112 000102 100100112 100102 .001010102001012For ease of presentation, and because of its high practicalrelevance on current CPUs, we will fix b 6 for theremainder of this paper. However, the attack conceptuallyalso works for other values of b, with a higher efficiency forb 6, and a lower efficiency if b 6, as less informationabout the secret index leaks through the cache accesses inthis case.With this notation, and (2), it is now easy to see that thefollowing equations are satisfied:k i y i (M s(x̃i )) 0 i 3.(4)Each of these equations specifies a set Ki {0, 1}4lof partial key-column candidates. Namely, we define Ki toconsist of all elements k i {0, 1}4l for which the measuredx̃ i can be completed to a full four byte vector x̃i satisfying

l12345678 {0, 1}4l 2428212216220224228232E[ Ki ]2428212214.661.211.884.27.9774.241pl E[ Ki ]/ {0, 1}4l 1110.3955 . . .3.6063 . . . · 10 31.5021 . . . · 10 65.9604 . . . · 10 82.3283 . . . · 10 10Table 1. Depending on the number l of leaked bits, only a fraction pl ofthe keys in {0, 1}4l can be parts of the secret key’s ith column, if x i andy i are known.(4). These sets can be computed by enumerating all 232 4lpossible values of x̃i .The cardinality of Ki turns out not to be constant for allx̃ i . However, we will need to argue about the probabilitythat some x̃ i is a partial key-column candidate. We thereforecompute the expected cardinality of the Ki by assuming thatthe x̃ i are equally distributed in {0, 1}4l . Even though theencryption process is deterministic, this assumption seemsto be natural, as otherwise the different states within anencryption would very likely be strongly biased, resultingin a severe security threat to AES.Table 1 displays the expected sizes of Ki for all possiblevalues of l. The last column of the table gives the probabilitypl that a random k i {0, 1}4l is a partial key-columncandidate for a random x̃ i . One can see that for 1 l 3every x̃ i can be completed to a x̃i satisfying (4). Thus, inthis case, this approach does not yield any information aboutthe secret key K. The contrary extreme happens if we havel 8, i.e., if we can monitor the exact entries of the lookuptable accessed by the victim process. In this case, we canrecover the key only from the states X, Y of two consecutiverounds. The interesting case is where 3 l 8 where wecan learn a limited amount of information about the secretkey. We will be concerned with this case in the following.B. Using Accesses from Continuous StreamsThe observations of the previous section typically cannotbe directly exploited by an attacker, as for implementationsof AES using compressed tables it is hard to preciselydetermine where one round stops and where the next onestarts. Rather, an attacker is able to monitor a continuousstream of memory accesses performed by the victim process.Consequently, we will show how the key can be reconstructed from observations of M encryptions.We remark that the order of memory accesses within eachround is implementation dependent, but the single rounds arealways performed serially, and each round always requires16 table lookups. Thus, as (4) puts into relation states ofconsecutive rounds, it is always possible to complete all fourequations (i.e., for i 0, . . . , 3) within the first 31 memoryaccesses after the first access in a round.Assume now that an attacker is able to observe 160M 31 N 31 memory accesses. This means that quantitatively the accesses of M full encryptions are observed,but we do not require that the first observed access also isthe first access of an encryption. The 31 remaining accessesbelong to the (M 1)st encryption. On a high level, tocircumvent the problem of not being able to identify roundends/beginnings, we now perform the following steps: We treat each of the first N observed memory accessesas if it was the beginning of an AES round.For each of these potential beginnings, we computethe sets of potential key-column candidates. For eachelement of {0, 1}4l we thereby count how often it liesin these sets.From these frequencies we derive the probability thata given element of {0, 1}4l is a correct part of theunknown key.More precisely, for any of the potential N beginningsof an AES round, we compute the sets Ki of partial keycolumn candidates for i 0, . . . , 3, and count how ofteneach possible k i {0, 1}4l also satisfies k i Ki . Wedenote this frequency by fi (k i ). By the former remark, andbecause of the 31 last monitored memory accesses, we haveenough observations to complete (4) for any of these Noffsets.A simple observation yields that k i is an element ofKi at least z

Percival [4] pioneered the work on access-driven attacks and described an attack on RSA. Access-driven attacks on AES were pioneered by Osvik et al. [6], [7]. They describe various attack techniques and implementations in what they call the synchronous model. The synchronous model makes rather strong assumptions on the capabilities on an attacker,