Cache Storage Channels: Alias-Driven Attacks and Verified Countermeasures
2016 (English). In: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016, Institute of Electrical and Electronics Engineers (IEEE), 2016, 38-55 p. Conference paper (Refereed)
Caches pose a significant challenge to formal proofs of security for code executing on application processors, as the cache access pattern of security-critical services may leak secret information. This paper reveals a novel attack vector, exposing a low-noise cache storage channel that can be exploited by adapting well-known timing channel analysis techniques. The vector can also be used to attack various types of security-critical software such as hypervisors and application security monitors. The attack vector uses virtual aliases with mismatched memory attributes and self-modifying code to misconfigure the memory system, allowing an attacker to place incoherent copies of the same physical address into the caches and observe which addresses are stored in different levels of cache. We design and implement three different attacks using the new vector on trusted services and report on the discovery of a 128-bit key from an AES encryption service running in TrustZone on Raspberry Pi 2. Moreover, we subvert the integrity properties of an ARMv7 hypervisor that was formally verified against a cache-less model. We evaluate well-known countermeasures against the new attack vector and propose a verification methodology that makes it possible to formally prove the effectiveness of defence mechanisms on the binary code of the trusted software.
Place, publisher, year, edition, pages: Institute of Electrical and Electronics Engineers (IEEE), 2016. 38-55 p.
cache storage channels, hypervisor, side channels, verification, Application programs, Codes (symbols), Cryptography, Physical addresses, Side channel attack, Vectors, Virtual addresses, Application processors, Application security, Defence mechanisms, Design and implements, Side-channel, Storage channels, Verification methodology, Cache memory
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers: URN: urn:nbn:se:kth:diva-194955; DOI: 10.1109/SP.2016.11; ISI: 000387292800003; ScopusID: 2-s2.0-84987617492; ISBN: 9781509008247; OAI: oai:DiVA.org:kth-194955; DiVA: diva2:1049063
2016 IEEE Symposium on Security and Privacy, SP 2016, 23 May 2016 through 25 May 2016
QC 20161123. 2016-11-23, 2016-11-01, 2016-12-14. Bibliographically approved