Aim, Wait, Shoot: How the CacheSniper Technique Improves Unprivileged Cache Attacks

Samira Briongos, Ida Bruhns, Pedro Malagón, Thomas Eisenbarth, Jose M. Moya

Abstract

Microarchitectural side channel attacks have been very prominent in security research over the last few years. Caches proved to be an outstanding side channel, as they provide high resolution and generic cross-core leakage. All major cryptographic libraries provide countermeasures to hinder key extraction via cross-core cache attacks by now. In this paper, we analyze implementations protected by prefetch-based countermeasures aimed at preventing well-known cache attacks, and highlight the circumstances causing them to remain vulnerable. Further, we craft a novel attack technique that precisely synchronizes the attacking and the victim processes, enabling the attacking process to evict the target data from the cache at the desired instants. One key improvement of our approach is that it provides unprivileged attackers with a method to remove specific data from the cache with a single memory access and in the absence of shared memory by leveraging the transient capabilities of TSX and relying on the L3 replacement policy. We show the feasibility of our approach by extracting an RSA key from the latest wolfSSL library and an AES key from the T-Table and S-Box implementations included in OpenSSL with CacheSniper. Both libraries implement prefetch-based methods as a protection against cache attacks.

Original language: English
Title of host publication: 2021 IEEE European Symposium on Security and Privacy (EuroS&P)
Publisher: IEEE
Publication date: 09.2021
Pages: 683-700
Publication status: Published - 09.2021
Event: 2021 IEEE European Symposium on Security and Privacy (EuroS&P)
Duration: 06.09.2021 - 10.09.2021
