Abstract
This paper announces a new software side-channel attack — enabled by the branch prediction capability common to all modern high-performance CPUs. The penalty paid (extra clock cycles) for a mispredicted branch can be used for cryptanalysis of cryptographic primitives that employ a data-dependent program flow. Analogous to the recently described cache-based side-channel attacks our attacks also allow an unprivileged process to attack other processes running in parallel on the same processor, despite sophisticated partitioning methods such as memory protection, sandboxing or even virtualization. In this paper, we will discuss several such attacks for the example of RSA, and experimentally show their applicability to real systems, such as OpenSSL and Linux. Moreover, we will also demonstrate the strength of the branch prediction side-channel attack by rendering the obvious countermeasure in this context (Montgomery Multiplication with dummy-reduction) as useless. Although the deeper consequences of the latter result make the task of writing an efficient and secure modular exponentiation (or scalar multiplication on an elliptic curve) a challenging task, we will eventually suggest some countermeasures to mitigate branch prediction side-channel attacks.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Acıiçmez, O., Schindler, W., Koç, Ç.K.: Cache Based Remote Timing Attack on the AES. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377. Springer, Heidelberg (2006)
Bernstein, D.J.: Cache-timing attacks on AES. Technical Report, 37 pages (April 2005), Available at: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
Brumley, D., Boneh, D.: Remote Timing Attacks are Practical. In: Proceedings of the 12th Usenix Security Symposium, pp. 1–14 (2003)
Chen, Y., England, P., Peinado, M., Willman, B.: High Assurance Computing on Open Hardware Architectures. Technical Report, MSR-TR-2003-20, 17 pages, Microsoft Corporation (March 2003), Available at: ftp://ftp.research.microsoft.com/pub/tr/tr-2003-20.ps
Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Transactions on Computers 53(6), 760–768 (2004)
Coron, J.-S., Naccache, D., Kocher, P.: Statistics and Secret Leakage. ACM Transactions on Embedded Computing Systems 3(3), 492–508 (2004)
Dhem, J.F., Koeune, F., Leroux, P.A., Mestre, P., Quisquater, J.-J., Willems, J.L.: A Practical Implementation of the Timing Attack. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820. Springer, Heidelberg (2000)
England, P., Lampson, B., Manferdelli, J., Peinado, M., Willman, B.: A Trusted Open Platform. IEEE Computer 36(7), 55–62 (2003)
Gochman, S., Ronen, R., Anati, I., Berkovits, A., Kurts, T., Naveh, A., Saeed, A., Sperber, Z., Valentine, R.: The Intel Pentium M Processor: Microarchitecture and performance. Intel Technology Journal 7(2) (May 2003)
Grawrock, D.: The Intel Safer Computing Initiative: Building Blocks for Trusted Computing. Intel Press, Hillsboro (2006)
Hevia, A., Kiwi, M.: Strength of Two Data Encryption Standard Implementations under Timing Attacks. ACM Transactions on Information and System Security 2(4), 416–437 (1999)
Hu, W.M.: Lattice scheduling and covert channels. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 52–61. IEEE Press, Los Alamitos (1992)
Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
Kocher, P.C.: Timing Attacks on Implementations of Diffie–Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
Menezes, A.J., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, New York (1997)
Milenkovic, M., Milenkovic, A., Kulick, J.: Microbenchmarks for Determining Branch Predictor Organization. Software Practice & Experience 34(5), 465–487 (2004)
Openssl: the open-source toolkit for ssl/tls, Available online at: http://www.openssl.org/
Neve, M., Seifert, J.-P.: Advances on Access-driven Cache Attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356. Springer, Heidelberg (2007)
Osvik, D.A., Shamir, A., Tromer, E.: Other People’s Cache: Hyper Attacks on HyperThreaded Processors, Presentation available at: http://www.wisdom.weizmann.ac.il/~tromer/
Osvik, D.A., Shamir, A., Tromer, E.: Cache Attacks and Countermeasures: The Case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)
Patterson, D., Hennessy, J.: Computer Architecture: A Quantitative Approach, 3rd edn. Morgan Kaufmann, San Francisco (2005)
Pearson, S.: Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, Englewood Cliffs (2002)
Percival, C.: Cache missing for fun and profit. In: BSDCan 2005, Ottawa (2005), Available at: http://www.daemonology.net/hyperthreading-considered-harmful/
Pfleeger, C.P., Pfleeger, S.L.: Security in Computing, 3rd edn. Prentice Hall PTR, Englewood Cliffs (2002)
Schindler, W.: A Timing Attack against RSA with the Chinese Remainder Theorem. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 109–124. Springer, Heidelberg (2000)
Shanley, T.: The Unabridged Pentium 4: IA32 Processor Genealogy. Addison-Wesley Professional, Reading (2004)
Shen, J., Lipasti, M.: Modern Processor Design: Fundamentals of Superscalar Processors. McGraw-Hill, New York (2005)
Sibert, O., Porras, P.A., Lindell, R.: The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems. In: IEEE Symposium on Security and Privacy, pp. 211–223 (1995)
Smith, S.W.: Trusted Computing Platforms: Design and Applications. Springer, Heidelberg (2004)
Trusted Computing Group, http://www.trustedcomputinggroup.org
Uhlig, R., Neiger, G., Rodgers, D., Santoni, A.L., Martins, F.C.M., Anderson, A.V., Bennett, S.M., Kagi, A., Leung, F.H., Smith, L.: Intel Virtualization Technology. IEEE Computer 38(5), 48–56 (2005)
Walter, C.D.: Montgomery Exponentiation Needs No Final Subtractions. IEE Electronics Letters 35(21), 1831–1832 (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Acıiçmez, O., Koç, Ç.K., Seifert, JP. (2006). Predicting Secret Keys Via Branch Prediction. In: Abe, M. (eds) Topics in Cryptology – CT-RSA 2007. CT-RSA 2007. Lecture Notes in Computer Science, vol 4377. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11967668_15
Download citation
DOI: https://doi.org/10.1007/11967668_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69327-7
Online ISBN: 978-3-540-69328-4
eBook Packages: Computer ScienceComputer Science (R0)