Selected Areas in Cryptography
DOI: 10.1007/978-3-540-77360-3_7

Analysis of Countermeasures Against Access Driven Cache Attacks on AES

Abstract: Cache based attacks (CBA) exploit the different access times of main memory and cache memory to determine information about internal states of cryptographic algorithms. CBAs turn out to be very powerful attacks even in practice. In this paper we present a general and strong model to analyze the security against CBAs. We introduce the notions of information leakage and resistance to analyze the security of several implementations of AES. Furthermore, we analyze how to use random permutations to protec…

Cited by 24 publications
(16 citation statements)
References 10 publications
“…It obfuscates attackers' observation on cache access activities. However fixed permutation can still leak information, as demonstrated in [5] for AES. Although the security offered by random permutation can be increased by frequently updating the permutation, the updating frequency remains an open question for pure software approaches due to the tradeoff between performance and security.…”
Section: (2) Random Permutation Against Access-driven Attacks
Citation type: mentioning
confidence: 96%
“…There are also other similar approaches, which use smaller numbers of lookup tables [16]. However, at the cost of substantial performance overhead, these approaches only increase the number of samples required for access-driven and time-driven attacks [5], [22].…”
Section: (3) Small Tables Against Access/time-driven Attacks
Citation type: mentioning
confidence: 96%
“…We can also run it backwards to retrieve the key (the state update function and the key/IV setup are invertible). This shows that an attack is even possible for a synchronous cache adversary (not only for an asynchronous adversary, as suspected by Bernstein [2]) 4 .…”
Section: Cost Of the Attack
Citation type: mentioning
confidence: 83%
“…Subsequent research verified the correctness of the findings [11,10,9,15], improved the attack technically [14,3,8] or algorithmically [5], and devised and analysed countermeasures [6,4,16].…”
Section: Introduction
Citation type: mentioning
confidence: 95%