Derecho a la Alimentación adecuada y de calidad

One way to mitigate the attack depends on the method of accessing the multiplier. Some implementations, such as in LibGnuPG, always access all multipliers in the table each time but uses a bitwise ”AND” to only get the value of the correct multiplier. OpenSSL stores the multipliers vertically rather than horizontally. As in each line in memory consists of a single part of each multiplier. So the irst line in memory contains the irst 4 bits of each multiplier then the next line in memory contains the next 4 bits from each multiplier and so on. To get a single multiplier all memory lines must be accessed and thus making it harder for an attacker to ind which multiplier is used.

Another way to mitigate the attack is to use a constant time implementation that does not have any secret dependant branching or memory references. Techniques for this have been explored and implemented [BLS12]. However, these implementations seem to be tricky to get right as is shown by attacks on the ”constant time” OpenSSL implementation on ARM processors [Coc+14].

IaaS providers can protect their customers against these kinds of attacks by dis- abling hugepages for their virtualization solution. This however leads to a degra- dation in the quality of service due to more TLB misses. Another way is avoiding co-residency of Virtual Machines on the same processor package. This however goes against the motivation for cloud computing which is resource sharing.

Finally, another technique that can be used to limit the applicability of cache timing based attacks is page coloring. The technique works by grouping frames into diferent colours and ensuring that frames from diferent colors cannot have lines mapped to the same cache set. VMs from diferent customers can then have their pages mapped to frames of diferent colors thus limiting the applicability of cache timing based attacks [Shi+11; WL08].

CHAPTER

8

Conclusion

Our contribution is an implementation of a cache timing attack on the LibTomMath modular exponentiation implementation. The attack uses the prime+probe technique to use cache timing as a side channel in order to extract the secret exponent.

The attack targets the LLC, thus is possible cross-VM, which makes it applicable in situations where an attacker is able to run their code on another VM on the same processor package as the target. This scenario is not unlikely due to the rising popularity of using IaaS providers by smaller companies which run VMs belonging to diferent customers on the same machine.

The attack requires a few things to work. Hugepages support must be turned on by the service provider. This requirement is easily satisied because IaaS providers usually have it turned on to prevent performance degradation due to TLB contention. The attack also requires the processor to have inclusive caches however almost all Intel CPU caches are inclusive.

The attack also requires the knowledge of the cache slice selection algorithm in advance in order to craft the eviction set. Those are not released by Intel however there are techniques available in order to reverse engineer those hash functions for any processor [IES15b].

Since the requirements of the attack are prevalent in most IaaS installations, it is up to library developers to protect themselves against this kind of attack. Changing the way the multiplier table is accessed so that cache timing attacks are not able to get secret based information appears to be the best strategy.

Bibliography

[Aas14] Josh Aas. “Let’s Encrypt: Delivering SSL/TLS Everywhere”. In: Let’s

Encrypt 18 (2014).

[AMD] AMD AMD. “Architecture Programmer’s Manual: Volume 2: System Pro- gramming”. In: AMD Pub 24593 ().

[BB05] David Brumley and Dan Boneh. “Remote timing attacks are practical”. In: Computer Networks 48.5 (2005), pages 701–716.

[BI14] Zineb Ait Bahajji and Gary Illyes. HTTPS as a ranking signal. https: //webmasters.googleblog.com/2014/08/https-as-ranking-signal. html. [Online; accessed 1-June-2017]. 2014.

[BLS12] Daniel J Bernstein, Tanja Lange, and Peter Schwabe. “The security im- pact of a new cryptographic library”. In: International Conference on

Cryptology and Information Security in Latin America. Springer. 2012,

pages 159–176.

[BT11] Billy Bob Brumley and Nicola Tuveri. “Remote timing attacks are still practical”. In: European Symposium on Research in Computer Security. Springer. 2011, pages 355–371.

[But10] E Butler. “FireSheep: cookie snatching made simple”. In: ToorCon Con-

ference. San Diego, CA. 2010, page 8.

[Coc+14] David Cock et al. “The last mile: An empirical study of timing chan- nels on sel4”. In: Proceedings of the 2014 ACM SIGSAC Conference on

Computer and Communications Security. ACM. 2014, pages 570–581.

[Coo] Intel Coorporation. Intel 64 and IA-32 Architectures Software Developer’s

Manual Volume 3.

[Coo09] Intel Coorporation. Intel 64 and IA-32 architectures optimization refer-

ence manual. 2009.

[Cor14] BM Corporation. An overview of the SSL or TLS handshake. https: //www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm. mq.doc/sy10660_.htm. [Online; accessed 1-June-2017]. 2014.

[Gar10] K Gary. “An overview of Cryptography”. In: an article available at http:

[GG] IA Glover and PM Grant. “Prentice Hall, 2010”. In: Digital Communica-

tions ().

[GST14] Daniel Genkin, Adi Shamir, and Eran Tromer. “RSA key extraction via low-bandwidth acoustic cryptanalysis”. In: International Cryptology Con-

ference. Springer. 2014, pages 444–461.

[HW79] Godfrey Harold Hardy and Edward Maitland Wright. An introduction to

the theory of numbers. Oxford University Press, 1979.

[IES15a] Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. “S$A: A Shared Cache Attack That Works across Cores and Deies VM Sandboxing–and Its Application to AES”. In: Security and Privacy (SP), 2015 IEEE Sym-

posium on. IEEE. 2015, pages 591–604.

[IES15b] Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. “Systematic re- verse engineering of cache slice selection in Intel processors”. In: Digi-

tal System Design (DSD), 2015 Euromicro Conference on. IEEE. 2015,

pages 629–636.

[Inc+16] Mehmet Sinan Inci et al. “Cache attacks enable bulk key recovery on the cloud”. In: International Conference on Cryptographic Hardware and

Embedded Systems. Springer. 2016, pages 368–388.

[Inc17] wolfSSL Inc. WolfSSL - Embedded SSL Library for Applications, Devices,

IoT, and the Cloud. https://www.wolfssl.com/wolfSSL/Home.html.

[Online; accessed 1-June-2017]. 2017.

[Jee13] Zubair Jeelani. “An insight of SSL security attacks”. In: International

Journal of Research in Engineering and Applied Sciences 68 (2013).

[KJJ99] Paul Kocher, Joshua Jafe, and Benjamin Jun. “Diferential power analy- sis”. In: Advances in cryptology—CRYPTO’99. Springer. 1999, pages 789– 789.

[Kle+10] Thorsten Kleinjung et al. “Factorization of a 768-bit RSA modulus”. In:

Annual Cryptology Conference. Springer. 2010, pages 333–350.

[Koc+11] Paul Kocher et al. “Introduction to diferential power analysis”. In: Jour-

nal of Cryptographic Engineering 1.1 (2011), pages 5–27.

[Lan01] Eric Landquist. “The quadratic sieve factoring algorithm”. In: Math 448.2 (2001), page 6.

[Lib15] LibTom. LibTomMath. http://www.libtom.net/LibTomMath/. [Online; accessed 1-June-2017]. 2015.

[Liu+15] F. Liu et al. “Last-level cache side-channel attacks are practical”. In: Se-

curity and Privacy (SP), 2015 IEEE Symposium (2015), pages 605–622.

[Men+96] Menezes et al. Handbook of Applied Cryptography. CRC Press, 1996. [Mit16] Sparsh Mittal. “A survey of recent prefetching techniques for processor

Bibliography 43

[QS01] Jean-Jacques Quisquater and David Samyde. “Electromagnetic analysis (ema): Measures and counter-measures for smart cards”. In: Smart Card

Programming and Security (2001), pages 200–210.

[RSA78] Ronald L Rivest, Adi Shamir, and Leonard Adleman. “A method for obtaining digital signatures and public-key cryptosystems”. In: Commu-

nications of the ACM 21.2 (1978), pages 120–126.

[Shi+11] Jicheng Shi et al. “Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring”. In: Dependable Systems and Net-

works Workshops (DSN-W), 2011 IEEE/IFIP 41st International Confer- ence on. IEEE. 2011, pages 194–199.

[TOS10] Eran Tromer, Dag Arne Osvik, and Adi Shamir. “Eicient cache attacks on AES, and countermeasures.” In: Journal of Cryptology 23.1 (2010), pages 37–71.

[WL08] Zhenghong Wang and Ruby B Lee. “A novel cache architecture with en- hanced performance and security”. In: Microarchitecture, 2008. MICRO-

41. 2008 41st IEEE/ACM International Symposium on. IEEE. 2008,

pages 83–93.

[WXW12] Zhenyu Wu, Zhang Xu, and Haining Wang. “Whispers in the Hyper- space: High-speed Covert Channel Attacks in the Cloud.” In: USENIX

Security symposium. 2012, pages 159–173.

[YGH16] Yuval Yarom, Daniel Genkin, and Nadia Heninger. “CacheBleed: A tim- ing attack on OpenSSL constant time RSA”. In: International Confer-

ence on Cryptographic Hardware and Embedded Systems. Springer. 2016,