Skip to main content
SpringerLink
Log in
Book cover

IMA International Conference on Cryptography and Coding

Cryptography and Coding 2007: Cryptography and Coding pp 185–203Cite as

New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4887))

Abstract

Software based side-channel attacks allow an unprivileged spy process to extract secret information from a victim (cryptosystem) process by exploiting some indirect leakage of “side-channel” information. It has been realized that some components of modern computer microarchitectures leak certain side-channel information and can create unforeseen security risks. An example of such MicroArchitectural Side-Channel Analysis is the Cache Attack — a group of attacks that exploit information leaks from cache latencies [4,7,13,15,18]. Public awareness of Cache Attack vulnerabilities lead software writers of OpenSSL (version 0.9.8a and subsequent versions) to incorporate countermeasures for preventing these attacks. In this paper, we present a new and yet unforeseen side channel attack that is enabled by the recently published Simple Branch Prediction Analysis (SBPA) which is another type of MicroArchitectural Analysis, cf. [2,3]. We show that modular inversion — a critical primitive in public key cryptography — is a natural target of SBPA attacks because it typically uses the Binary Extended Euclidean algorithm whose nature is an input-centric sequence of conditional branches. Our results show that SBPA can be used to extract secret parameters during the execution of the Binary Extended Euclidean algorithm. This poses a new potential risk to crypto-applications such as OpenSSL, which already employs Cache Attack countermeasures. Thus, it is necessary to develop new software mitigation techniques for BPA and incorporate them with cache analysis countermeasures in security applications. To mitigate this new risk in full generality, we apply a security-aware algorithm design methodology and propose some changes to the CRT-RSA algorithm flow. These changes either avoid some of the steps that require modular inversion, or remove the critical information leak from this procedure. In addition, we also show by example that, independently of the required changes in the algorithms, careful software analysis is also required in order to assure that the software implementation does not inadvertently introduce branches that may expose the application to SBPA attacks. These offer several simple ways for modifying OpenSSL in order to mitigate Branch Prediction Attacks.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: Predicting Secret Keys via Branch Prediction. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 225–242. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  2. Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: On The Power of Simple Branch Prediction Analysis. In: ASIACCS 2007. ACM Symposium on Information, Computer and Communications Security (to appear, 2007)

    Google Scholar 

  3. Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: On The Power of Simple Branch Prediction Analysis. Cryptology ePrint Archive, Report 2006/351 (October 2006)

    Google Scholar 

  4. Acıiçmez, O., Schindler, W., Koç, Ç.K.: Cache Based Remote Timing Attack on the AES. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 271–286. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  5. Acıiçmez, O., Schindler, W., Koç, Ç.K.: Improving Brumley and Boneh Timing Attack on Unprotected SSL Implementations. In: Meadows, C., Syverson, P. (eds.) Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 139–146. ACM Press, New York (2005)

    Chapter  Google Scholar 

  6. Acıiçmez, O., Seifert, J.-P., Koç, Ç.K.: Predicting Secret Keys via Branch Prediction. Cryptology ePrint Archive, Report 2006/288 (August 2006)

    Google Scholar 

  7. Bernstein, D.J.: Cache-timing attacks on AES. Technical Report, 37 pages (April 2005), Available at: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  8. Bleichenbacher, D.: Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)

    Google Scholar 

  9. Brumley, D., Boneh, D.: Remote Timing Attacks are Practical. In: Proceedings of the 12th Usenix Security Symposium, pp. 1–14 (2003)

    Google Scholar 

  10. Hu, W.M.: Lattice scheduling and covert channels. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 52–61. IEEE Press, Los Alamitos (1992)

    Chapter  Google Scholar 

  11. Gueron, S.: Enhanced Montgomery Multiplication. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 46–56. Springer, Heidelberg (2003)

    Google Scholar 

  12. Menezes, A.J., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, New York (1997)

    MATH  Google Scholar 

  13. Neve, M., Seifert, J.-P.: Advances on Access-driven Cache Attacks on AES. In: SAC 2006. Selected Areas of Cryptography (2006)

    Google Scholar 

  14. Neve, M.: Cache-based Vulnerabilities and SPAM Analysis. Ph.D. Thesis, Applied Science, UCL (July 2006)

    Google Scholar 

  15. Osvik, D.A., Shamir, A., Tromer, E.: Cache Attacks and Countermeasures: The Case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  16. OpenSSL: the open-source toolkit for ssl / tls

    Google Scholar 

  17. OpenSSL (Changelog) Changes between 0.9.8f and 0.9.9, http://www.openssl.org/news/changelog.html

  18. Percival, C.: Cache missing for fun and profit. In: BSDCan 2005, Ottawa (2005), Available at: http://www.daemonology.net/hyperthreading-considered-harmful/

  19. Schindler, W., Walter, C.D.: More Detail for a Combined Timing and Power Attack against Implementations of RSA. In: Paterson, K.G. (ed.) Cryptography and Coding. LNCS, vol. 2898, pp. 245–263. Springer, Heidelberg (2003)

    Google Scholar 

  20. Walter, C.D.: Montgomery exponentiation needs no final subtractions. Electronics Letters 35, 1831–1832 (2001)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Samsung Information Systems America, San Jose, 95134, USA

    Onur Acıiçmez & Jean-Pierre Seifert

  2. Department of Mathematics, University of Haifa, Haifa, 31905, Israel

    Shay Gueron

  3. Intel Corporation, IDC, Israel

    Shay Gueron

  4. Institute for Computer Science, University of Innsbruck, 6020 Innsbruck, Austria

    Jean-Pierre Seifert

Authors
  1. Onur Acıiçmez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shay Gueron
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jean-Pierre Seifert
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Steven D. Galbraith

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Acıiçmez, O., Gueron, S., Seifert, JP. (2007). New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures. In: Galbraith, S.D. (eds) Cryptography and Coding. Cryptography and Coding 2007. Lecture Notes in Computer Science, vol 4887. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77272-9_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-77272-9_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77271-2

  • Online ISBN: 978-3-540-77272-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation