Content

Problems related to side channels

- Time driven side-channels
- Cache based Access driven side-channels
- Cache based Trace-driven side-channels
- Countermeasures
- Famous side channels in AES
- Spectre

The live lecture will consist of two parts. In the first part you will be divided in groups and you will discuss about one problem and few questions (from previous exams) related to side channels. At the end of the first part someone can present a solution and we will discuss about alternatives. In the second part we will answer questions regarding side channels and more advanced topics, like Spectre.

Please, watch the videos and try to solve the previous-exam exercise before the live lecture.

Previous exam problem and questions

Let a system use a shared data cache (no instruction cache) of 256 bytes, 4 lines, 64 bytes perline. The cache is directly mapped. The array M consists of 32 entries of 4 bytes. The first sixteen entries of the array are mapped to the first cache line, the second sixteen entries are mapped to the second cache line. The variables A, B, and C are secret numbers and are mapped to the third line. Finally, assume that 0 <= B < 32 and 0 <= C < 32. The victim program is the following:

A = M[(C+B)/4]

A += M[32-(C+B)/4)]

Can an access driven attack(i.e. by detecting which cache line has been evicted) extract information about the variables of this program? If yes, explain the attack and describe how you can fix the program or prevent the attack; if not, motivate why this program is secure.

Questions

A side-channel attack consists of injecting faults into a system (i.e. using electromagnetic waves).
Flushing caches is sufficient to prevent attacks that measure execution time of the victim.
Constant-time execution prevents leakage via side channels by making the control flow and memory accesses being not-dependent on secret variables.
In an access driven attack, the attacker determines the cache lines accessed by the victim.
Both data-caches and instruction-caches can lead to side channels if the program does not use countermeasures.
Side channels can be used to violate the confidentiality of the implementation of a cryptographyc algorithm even if the algorithm is cryptographically secure.

Exercise

Exercise: Side channels [Branch side-channel]

Reading

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability) (Links to an external site.)

https://en.wikipedia.org/wiki/Row_hammer (Links to an external site.)

New version of the book
19.1 Side channels
19.2.1 histoy of emission attacks
19.4.1 Timing analysis
19.4.4 Rowhammer, CLKscrew and Plundervolt
19.4.5 Meltdown, Spectre and other enclave side channels
19: Further Reading