Cryptology ePrint Archive: Report 2012/034

Automatic Quantification of Cache Side-Channels

Boris Köpf and Laurent Mauborgne and Martin Ochoa

Abstract: The latency gap between caches and main memory has been successfully exploited for recovering sensitive input to programs, such as cryptographic keys from implementation of AES and RSA. So far, there are no practical general-purpose countermeasures against this threat. In this paper we propose a novel method for automatically deriving upper bounds on the amount of information about the input that an adversary can extract from a program by observing the CPU's cache behavior. At the heart of our approach is a novel technique for efficient counting of concretizations of abstract cache states that enables us to connect state-of-the-art techniques for static cache analysis and quantitative information-flow. We implement our counting procedure on top of the AbsInt TimingExplorer, one of the most advanced engines for static cache analysis. We use our tool to perform a case study where we derive upper bounds on the cache leakage of a 128-bit AES executable on an ARM processor with a realistic cache configuration. We also analyze this implementation with a commonly suggested (but until now heuristic) countermeasure applied, obtaining a formal account of the corresponding increase in security.

Category / Keywords: implementation / Cache Attacks, Quantitative Information-flow Analysis, AES

Date: received 22 Jan 2012, last revised 16 Feb 2012

Contact author: boris koepf at imdea org

Available format(s): PDF | BibTeX Citation

Version: 20120216:111643 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]