CryptoDB
Stealing Cryptographic Keys with Weird Gates
| Authors: | Eyal Ronen, Chitchanok Chuengsatiansup, Yuval Yarom |
|---|---|
| Presentation: | Slides |
| Video: | https://youtu.be/1LeTjfEswVI |

Abstract: Over the last two decades, researchers have repeatedly demonstrated that microarchitectural attacks, and in particular cache attacks, pose a significant risk to the security of cryptographic implementations. One of the main defenses against such attacks is to follow the constant-time programming paradigm, which ensures that the memory addresses a program accesses do not depend on secret data. While effective, constant-time programming can incur a significant performance penalty. Consequently, when constant-time programming is deemed too hard, developers may choose heuristic defenses that aim to limit the attacker's ability to observe the memory access patterns of the victim. For example, web browsers reduced the resolution of the timers they provide, based on the observation that a high-resolution timer is required to distinguish cache hits from cache misses. Moreover, as cache attacks have a limited temporal resolution, implementations whose access patterns are indistinguishable except at a high sampling rate are considered more secure. In this talk we show that such restrictions are insufficient to protect against cache attacks. We start by representing the cache status of a memory address as a Boolean value. This allows us to express cache attacks as computing a logical function of the cache state. We then design "weird gates" that compute logical functions of cache state and store the result in the cache. We demonstrate that by composing these gates, we can perform arbitrary computations on cache state. Finally, we leverage our gates to perform two attacks against cryptographic implementations. Our first attack shows that an implementation of ElGamal remains vulnerable even when the clock resolution is reduced by six orders of magnitude. Our second attack shows that we can increase the frequency of cache probing to a level that allows key recovery from an S-box-based AES implementation.

This talk is based on the USENIX Security'23 publication "The Gates of Time: Improving Cache Attacks with Transient Execution" and the CCS'24 distinguished paper "Spec-o-Scope: Cache Probing at Cache Speed".
BibTeX

@misc{rwc-2025-35875,
  title={Stealing Cryptographic Keys with Weird Gates},
  note={Video at \url{https://youtu.be/1LeTjfEswVI}},
  howpublished={Talk given at RWC 2025},
  author={Eyal Ronen and Chitchanok Chuengsatiansup and Yuval Yarom},
  year=2025
}