Skip to main content
SpringerLink
Log in

Layered Binary Templating

  • Conference paper
  • First Online:
Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13905))

Included in the following conference series:

Abstract

We present a new generic cache template attack technique, LBTA, layered binary templating attacks. LBTA uses multiple coarser-grained side channels to speed up cache-line granularity templating, ranging from 64 B to 2 MB in practice and in theory beyond. We discover first-come-first-serve data placement and data deduplication during compilation and linking as novel security issues that introduce side-channel-friendly binary layouts. We exploit this in inter-keystroke timing attacks and, depending on the target, even full keylogging attacks (Demo: The user first announces via Signal messenger to send money to a friend, then switches to Chrome to visit a banking website and enters the credentials there. All keystrokes are correctly leaked. https://streamable.com/dgnuwk), e.g., on Chrome, Signal, Threema, Discord, and the passky password manager, indicating that all Chromium-based apps are affected.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The Chrome binary had 100 MB in 2017 and 180 MB in 2022, an increase of 80%.

  2. 2.

    https://github.com/IAIK/LayeredBinaryTemplating.

  3. 3.

    https://elixir.bootlin.com/linux/v5.4/source/mm/filemap.c#L2437.

  4. 4.

    https://source.chromium.org/chromium/chromium/src/+/main:ui/events/keycodes/dom/dom_code_data.inc.

References

  1. Antti Korpi: xkbcat (2021). https://github.com/anko/xkbcat

  2. Bacs, A., Musaev, S., Razavi, K., Giuffrida, C., Bos, H.: DUPEFS: leaking data over the network with filesystem deduplication side channels. In: FAST (2022)

    Google Scholar 

  3. Baert, M.: wayland-keylogger (2022). https://github.com/Aishou/wayland-keylogger

  4. Bernstein, D.J.: Cache-Timing Attacks on AES (2005). http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  5. Borrello, P., D’Elia, D.C., Querzoni, L., Giuffrida, C.: Constantine: automatic side-channel resistance using efficient control and data flow linearization. In: CCS (2021)

    Google Scholar 

  6. Brasser, F., Müller, U., Dmitrienko, A., Kostiainen, K., Capkun, S., Sadeghi, A.R.: Software grand exposure: SGX cache attacks are practical. In: WOOT (2017)

    Google Scholar 

  7. Brennan, T., Rosner, N., Bultan, T.: JIT Leaks: inducing timing side channels through just-in-time compilation. In: S &P (2020)

    Google Scholar 

  8. Brotzman, R., Liu, S., Zhang, D., Tan, G., Kandemir, M.: CaSym: cache aware symbolic execution for side channel detection and mitigation. In: S &P (2019)

    Google Scholar 

  9. Brumley, B., Hakala, R.: Cache-Timing template attacks. In: AsiaCrypt (2009)

    Google Scholar 

  10. Carre, S., Dyseryn, V., Facon, A., Guilley, S., Perianin, T.: End-to-end automated cache-timing attack driven by machine learning. J. Cryptol. (2019)

    Google Scholar 

  11. Cauligi, S., et al.: FaCT: a flexible, constant-time programming language. In: SecDev (2017)

    Google Scholar 

  12. CEF: Chrome Embedded Framework (2022). https://github.com/chromiumembedded/cef

  13. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: CHES (2002)

    Google Scholar 

  14. Chromium: Speeding up Chrome’s release cycle (2022). https://blog.chromium.org/2021/03/speeding-up-release-cycle.html

  15. Chung, S.C., Lee, J.W., Chang, H.C., Lee, C.Y.: A high-performance elliptic curve cryptographic processor over GF(p) with SPA resistance. In: International Symposium on Circuits and Systems (ISCAS) (2012)

    Google Scholar 

  16. Coppens, B., Verbauwhede, I., De Bosschere, K., De Sutter, B.: Practical mitigations for timing-based side-channel attacks on modern x86 processors. In: S &P (2009)

    Google Scholar 

  17. Costi, A., Johannesmeyer, B., Bosman, E., Giuffrida, C., Bos, H.: On the effectiveness of same-domain memory deduplication. In: European Workshop on Systems Security, pp. 29–35 (2022)

    Google Scholar 

  18. Crane, S., Homescu, A., Brunthaler, S., Larsen, P., Franz, M.: Thwarting cache side-channel attacks through dynamic software diversity. In: NDSS (2015)

    Google Scholar 

  19. Dall, F., et al.: Cachequote: efficiently recovering long-term secrets of SGX EPID via cache attacks. In: CHES (2018)

    Google Scholar 

  20. Diao, W., Liu, X., Li, Z., Zhang, K.: No pardon for the interruption: new inference attacks on android through interrupt timing analysis. In: S &P (2016)

    Google Scholar 

  21. Domas, C.: M/o/Vfuscator (2015). https://github.com/xoreaxeaxeax/movfuscator

  22. Doychev, G., Feld, D., Kopf, B., Mauborgne, L., Reineke, J.: CacheAudit: a tool for the static analysis of cache side channels. In: USENIX Security Symposium (2013)

    Google Scholar 

  23. Electron: Electron Apps (2022). https://www.electronjs.org/apps

  24. Electron JS: Electron Internals: Building Chromium as a Library (2022). https://www.electronjs.org/blog/electron-internals-building-chromium-as-a-library

  25. Fu, Y., Bauman, E., Quinonez, R., Lin, Z.: SGX-LAPD: thwarting controlled side channel attacks via enclave verifiable page faults. In: RAID (2017)

    Google Scholar 

  26. García, C.P., Brumley, B.B.: Constant-time callees with variable-time callers. In: USENIX Security Symposium (2017)

    Google Scholar 

  27. Götzfried, J., Eckert, M., Schinzel, S., Müller, T.: Cache attacks on intel SGX. In: EuroSec (2017)

    Google Scholar 

  28. Gras, B., Razavi, K., Bosman, E., Bos, H., Giuffrida, C.: ASLR on the line: practical cache attacks on the MMU. In: NDSS (2017)

    Google Scholar 

  29. Gruss, D., Bidner, D., Mangard, S.: Practical memory deduplication attacks in sandboxed JavaScript. In: ESORICS (2015)

    Google Scholar 

  30. Gruss, D., et al.: Page cache attacks. In: CCS (2019)

    Google Scholar 

  31. Gruss, D., Maurice, C., Fogh, A., Lipp, M., Mangard, S.: Prefetch side-channel attacks: bypassing SMAP and kernel ASLR. In: CCS (2016)

    Google Scholar 

  32. Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: USENIX Security Symposium (2015)

    Google Scholar 

  33. halolinux: Page Cache Readahead (2022). https://www.halolinux.us/kernel-architecture/page-cache-readahead.html

  34. Harnik, D., Pinkas, B., Shulman-Peleg, A.: Side channels in cloud services, the case of deduplication in cloud storage. IEEE Secur. Privacy 8(6), 40–47 (2010)

    Article  Google Scholar 

  35. Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: S &P (2013)

    Google Scholar 

  36. Moser, J.R.: Optimizing Linker Load Times (2006). https://lwn.net/Articles/192624/

  37. Corbet, J.: Fixing page-cache side channels, second attempt (2019). https://lwn.net/Articles/778437/

  38. Keelveedhi, S., Bellare, M., Ristenpart, T.: DupLESS: server-aided encryption for deduplicated storage. In: USENIX Security Symposium (2013)

    Google Scholar 

  39. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

    Chapter  Google Scholar 

  40. Li, G., et al.: SCNet: A Neural Network for Automated Side-Channel Attack. arXiv:2008.00476 (2020)

  41. Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: ARMageddon: cache attacks on mobile devices. In: USENIX Security Symposium (2016)

    Google Scholar 

  42. Maurice, C., et al.: Hello from the other side: SSH over robust cache covert channels in the cloud. In: NDSS (2017)

    Google Scholar 

  43. Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_2

    Chapter  Google Scholar 

  44. Moghimi, A., Irazoqui, G., Eisenbarth, T.: CacheZoom: how SGX amplifies the power of cache attacks. In: CHES (2017)

    Google Scholar 

  45. nxmnpg.lemoda: Manual Pages - LD.LLD (2022). https://nxmnpg.lemoda.net/1/ld.lld

  46. Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: CCS (2015)

    Google Scholar 

  47. Page, D.: A note on side-channels resulting from dynamic compilation. Cryptology ePrint archive, Report 2006/349 (2006)

    Google Scholar 

  48. Rane, A., Lin, C., Tiwari, M.: Raccoon: closing digital side-channels through obfuscated execution. In: USENIX Security Symposium (2015)

    Google Scholar 

  49. Rechberger, C., Oswald, E.: Practical template attacks. In: WISA (2004)

    Google Scholar 

  50. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: CCS (2009)

    Google Scholar 

  51. Ueyama, R.: lld: A Fast, Simple and Portable Linker (2017). https://llvm.org/devmtg/2017-10/slides/Ueyama-lld.pdf

  52. Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows Internals. Pearson Education, London (2012)

    Google Scholar 

  53. Saileshwar, G., Fletcher, C.W., Qureshi, M.: Streamline: a fast, flushless cache covert-channel attack by enabling asynchronous collusion. In: ASPLOS (2021)

    Google Scholar 

  54. Schwarz, M., Lackner, F., Gruss, D.: JavaScript template attacks: automatically inferring host information for targeted exploits. In: NDSS (2019)

    Google Scholar 

  55. Schwarz, M., Lipp, M., Canella, C.: misc0110/PTEditor: a small library to modify all page-table levels of all processes from user space for x86_64 and ARMv8 (2018). https://github.com/misc0110/PTEditor

  56. Schwarz, M., et al.: KeyDrown: eliminating software-based keystroke timing side-channel attacks. In: NDSS (2018)

    Google Scholar 

  57. Schwarzl, M., Canella, C., Gruss, D., Schwarz, M.: Specfuscator: evaluating branch removal as a spectre mitigation. In: FC (2021)

    Google Scholar 

  58. Schwarzl, M., Kraft, E., Lipp, M., Gruss, D.: Remote page deduplication attacks. In: NDSS (2022)

    Google Scholar 

  59. Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: eradicating controlled-channel attacks against enclave programs. In: NDSS (2017)

    Google Scholar 

  60. Simon, L., Chisnall, D., Anderson, R.: What you get is what you C: controlling side effects in mainstream C compilers. In: EuroS &P (2018)

    Google Scholar 

  61. Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on SSH. In: USENIX Security Symposium (2001)

    Google Scholar 

  62. statcounter Global Stats: Browser Market Share Worldwide (2022). https://gs.statcounter.com/

  63. Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory deduplication as a threat to the guest OS. In: EuroSys (2011)

    Google Scholar 

  64. Van Bulck, J., Weichbrodt, N., Kapitza, R., Piessens, F., Strackx, R.: Telling your secrets without page faults: stealthy page table-based attacks on enclaved execution. In: USENIX Security Symposium (2017)

    Google Scholar 

  65. Van Cleemput, J., De Sutter, B., De Bosschere, K.: Adaptive compiler strategies for mitigating timing side channel attacks. TDSC 17(1), 35–49 (2017)

    Google Scholar 

  66. Van Schaik, S., Giuffrida, C., Bos, H., Razavi, K.: Malicious management unit: why stopping cache attacks in software is harder than you think. In: USENIX Security Symposium (2018)

    Google Scholar 

  67. Viswanathan, V.: Disclosure of Hardware Prefetcher Control on Some Intel Processors (2014). https://web.archive.org/web/20160304031330/https://software.intel.com/en-us/articles/disclosure-of-hw-prefetcher-control-on-some-intel-processors

  68. Wajahat, A., Imran, A., Latif, J., Nazir, A., Bilal, A.: A novel approach of unprivileged keylogger detection. In: iCoMET (2019)

    Google Scholar 

  69. Wang, D., et al.: Unveiling your keystrokes: a cache-based side-channel attack on graphics libraries. In: NDSS (2019)

    Google Scholar 

  70. Wang, S., Wang, P., Liu, X., Zhang, D., Wu, D.: CacheD: identifying cache-based timing channels in production software. In: USENIX (2017)

    Google Scholar 

  71. Webnicer Ltd: chrome-downloads (2022). https://github.com/webnicer/chrome-downloads/

  72. Weiser, S., Spreitzer, R., Bodner, L.: Single trace attack against RSA key generation in intel SGX SSL. In: AsiaCCS (2018)

    Google Scholar 

  73. Wichelmann, J., Moghimi, A., Eisenbarth, T., Sunar, B.: MicroWalk: a framework for finding side channels in binaries. In: ACSAC (2018)

    Google Scholar 

  74. Wichelmann, J., Sieck, F., Pätschke, A., Eisenbarth, T.: Microwalk-ci: practical side-channel analysis for javascript applications. arXiv preprint arXiv:2208.14942 (2022)

  75. Xu, Y., Cui, W., Peinado, M.: Controlled-channel attacks: deterministic side channels for untrusted operating systems. In: S &P (2015)

    Google Scholar 

  76. Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: CCSW (2011)

    Google Scholar 

  77. Yarom, Y., Falkner, K.: Flush+reload: a high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium (2014)

    Google Scholar 

  78. Yuan, Y., Pang, Q., Wang, S.: Automated Side Channel Analysis of Media Software with Manifold Learning. arXiv preprint arXiv:2112.04947 (2021)

  79. Zhang, K., Wang, X.: Peeping tom in the neighborhood: keystroke eavesdropping on multi-user systems. In: USENIX Security Symposium (2009)

    Google Scholar 

Download references

Acknowledgments

We want to thank our anonymous reviewers for valueable feedback on the draft. This work was supported by a generous gift from Red Hat Research. We want to thank Hanna Müller, Claudio Canella, Michael Schwarz and Moritz Lipp for valuable feedback. Any opinions or recommendations expressed are those of the authors and do not necessarily reflect the views of the funding parties.

Author information

Authors and Affiliations

  1. Graz University of Technology, Graz, Austria

    Martin Schwarzl, Erik Kraft & Daniel Gruss

Authors
  1. Martin Schwarzl
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Erik Kraft
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Daniel Gruss
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Martin Schwarzl .

Editor information

Editors and Affiliations

  1. NTT Social Informatics Laboratories, Tokyo, Japan

    Mehdi Tibouchi

  2. Indiana University at Bloomington, Bloomington, IN, USA

    XiaoFeng Wang

A Cache-Hit Ratios (Extended)

A Cache-Hit Ratios (Extended)

The cache hit ratio for all lowercase characters with Flush+Reload can be seen with Fig. 8 and all alphanumeric characters for the page cache attack Fig. 7.

Fig. 7.
figure 7

Cache-hit ratio using a page cache attack for alphanumeric characters in Chrome.

Full size image
Fig. 8.
figure 8

Cache-hit ratio using Flush+Reload for lowercase letters in Chrome.

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Schwarzl, M., Kraft, E., Gruss, D. (2023). Layered Binary Templating. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-33488-7_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33487-0

  • Online ISBN: 978-3-031-33488-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation