Cache-Access Pattern Attack on Disaligned AES T-Tables

  • Conference paper
Constructive Side-Channel Analysis and Secure Design (COSADE 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7864))

Abstract

Cache attacks are a special form of implementation attack and exploit weaknesses in the implementation of a specific algorithm rather than in the algorithm itself. We demonstrate an access-driven cache attack based on the analysis of the memory-access patterns caused by the T-table lookups of the Advanced Encryption Standard (AES). Building on the work of Tromer et al. [20], we gather the cache-memory access patterns of AES T-table implementations and perform a pattern-matching attack in order to recover the secret key in use. These T-tables usually do not start at memory addresses that are mapped to the beginning of a cache line. Focusing on such disaligned AES T-tables therefore allows us to recover the whole secret key by considering only the first round of the AES. We apply the presented cache attack to a Google Nexus S smartphone, which employs a Cortex-A8 processor and runs a fully functioning operating system. The attack is implemented purely in software, and its only requirement is a rooted mobile device. To the best of our knowledge, we are the first to launch an access-driven attack on an ARM Cortex-A processor. Based on our observations of the gathered access patterns, we also present an enhancement that in some cases allows us to recover the secret key without a subsequent brute-force key search.
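The abstract's central point, that a T-table which does not start on a cache-line boundary leaks more than the usual high nibble of each first-round table index, can be seen in a noise-free leakage model. The following is an added example and not code from the paper; it assumes 64-byte cache lines with 4-byte table entries (16 entries per line), a single T-table, and an ideal observer that learns exactly which line each first-round lookup T[p XOR k] touches.

```python
from collections import defaultdict

# Assumed cache geometry: 64-byte line / 4-byte T-table entry = 16 entries per line.
ENTRIES_PER_LINE = 16


def line_of(index, offset):
    """Cache line touched by T[index] when the table starts `offset` entries into a line."""
    return (index + offset) // ENTRIES_PER_LINE


def observe(key_byte, offset):
    """Line pattern an access-driven observer collects for T[p ^ k] over all 256 plaintext bytes.

    With offset 0 the pattern only depends on the high nibble of k; with a disaligned
    table the line boundaries fall at p = (16*j - offset) ^ k and depend on all of k.
    """
    return tuple(line_of(p ^ key_byte, offset) for p in range(256))


def pattern_table(offset):
    """Group every key byte by the pattern it produces: the matching dictionary."""
    table = defaultdict(list)
    for k in range(256):
        table[observe(k, offset)].append(k)
    return table


def recover(key_byte, offset):
    """Key bytes consistent with the pattern produced by key_byte (simulated, noise-free)."""
    return pattern_table(offset)[observe(key_byte, offset)]


def worst_case(offset):
    """Largest candidate set any key byte leaves, i.e. remaining search effort per byte."""
    return max(len(v) for v in pattern_table(offset).values())


if __name__ == "__main__":
    for off in range(ENTRIES_PER_LINE):
        print(f"offset {off:2d}: up to {worst_case(off):2d} candidates per key byte")
```

In this model an aligned table leaves 16 candidates per key byte while an odd offset leaves exactly one, which is why aligning tables to line boundaries only restores the coarser leakage and a constant-time AES (hardware instructions or a bit-sliced implementation) is the robust mitigation.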


References

  1. Acıiçmez, O., Koç, Ç.K.: Trace-Driven Cache Attacks on AES. IACR Cryptology ePrint Archive, 2006:138 (2006)

  2. ARM Ltd.: ARM Architecture Reference Manual, ARMv7-A and ARMv7-R ed., ARM DDI 0406 A (April 2007)

  3. ARM Ltd.: ARM Technical Reference Manual, Cortex-A8, Revision: r3p2, ARM DDI 0344K (May 2010)

  4. ARM Ltd.: Cortex-A Series Programmer's Guide, Version: 2.0 (August 2011)

  5. ARM Ltd.: Cortex-A Series (2012), http://www.arm.com/products/processors/cortex-a/index.php

  6. Bernstein, D.J.: Cache-timing attacks on AES (April 2005), http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  7. Bertoni, G., Zaccaria, V., Breveglieri, L., Monchiero, M., Palermo, G.: AES Power Attack Based on Induced Cache Miss and Countermeasure. In: Information Technology: Coding and Computing, ITCC 2005, vol. 1, pp. 586–591. IEEE Computer Society (2005)

  8. Bogdanov, A., Eisenbarth, T., Paar, C., Wienecke, M.: Differential Cache-Collision Timing Attacks on AES with Applications to Embedded CPUs. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 235–251. Springer, Heidelberg (2010)

  9. Bonneau, J., Mironov, I.: Cache-Collision Timing Attacks Against AES. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 201–215. Springer, Heidelberg (2006)

  10. Gallais, J.-F., Kizhvatov, I.: Error-Tolerance in Trace-Driven Cache Collision Attacks. In: International Workshop on Constructive Side-Channel Analysis and Secure Design, COSADE 2011, pp. 222–232 (2011)

  11. Gullasch, D., Bangerter, E., Krenn, S.: Cache Games - Bringing Access-Based Cache Attacks on AES to Practice. In: IEEE Symposium on Security and Privacy, SP 2011, pp. 490–505. IEEE Computer Society (2011)

  12. Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Side Channel Cryptanalysis of Product Ciphers. Journal of Computer Security 8(2-3), 141–158 (2000)

  13. Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

  14. Lauradoux, C.: Collision attacks on processors with cache and countermeasures. In: Western European Workshop on Research in Cryptology, WEWoRC 2005, pp. 76–85 (2005)

  15. National Institute of Standards and Technology (NIST): FIPS-197: Advanced Encryption Standard (November 2001), http://www.itl.nist.gov/fipspubs/

  16. Neve, M., Seifert, J.-P.: Advances on Access-Driven Cache Attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 147–162. Springer, Heidelberg (2007)

  17. OpenSSL Software Foundation: OpenSSL Project (2012), http://www.openssl.org/

  18. Page, D.: Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel. Technical Report CSTR-02-003, University of Bristol, Department of Computer Science (June 2002), http://www.cs.bris.ac.uk/Publications/Papers/1000625.pdf

  19. Rebeiro, C., Poddar, R., Datta, A., Mukhopadhyay, D.: An Enhanced Differential Cache Attack on CLEFIA for Large Cache Lines. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 58–75. Springer, Heidelberg (2011)

  20. Tromer, E., Osvik, D.A., Shamir, A.: Efficient Cache Attacks on AES, and Countermeasures. Journal of Cryptology 23(1), 37–71 (2010)

  21. Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES Implemented on Computers with Cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003)

  22. Tsunoo, Y., Tsujihara, E., Minematsu, K., Miyauchi, H.: Cryptanalysis of Block Ciphers Implemented on Computers with Cache. In: International Symposium on Information Theory and Its Applications, ISITA (October 2002)

  23. Weiß, M., Heinz, B., Stumpf, F.: A Cache Timing Attack on AES in Virtualization Environments. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 314–328. Springer, Heidelberg (2012)

  24. Zhao, X., Wang, T.: Improved Cache Trace Attack on AES and CLEFIA by Considering Cache Miss and S-box Misalignment. IACR Cryptology ePrint Archive 2010, 56 (2010)

  25. Zhao, X., Wang, T., Mi, D., Zheng, Y., Lun, Z.: Robust First Two Rounds Access Driven Cache Timing Attack on AES. In: International Conference on Computer Science and Software Engineering, CSSE 2008, pp. 785–788. IEEE Computer Society (2008)

  26. Zhao, X., Wang, T., Zheng, Y.: Cache Timing Attacks on Camellia Block Cipher. IACR Cryptology ePrint Archive 2009, 354 (2009)

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Spreitzer, R., Plos, T. (2013). Cache-Access Pattern Attack on Disaligned AES T-Tables. In: Prouff, E. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2013. Lecture Notes in Computer Science, vol 7864. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40026-1_13

  • DOI: https://doi.org/10.1007/978-3-642-40026-1_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40025-4

  • Online ISBN: 978-3-642-40026-1
