Paper 2010/594

Cache Games - Bringing Access Based Cache Attacks on AES to Practice

Endre Bangerter, David Gullasch, and Stephan Krenn


Side channel attacks on cryptographic systems are attacks exploiting information gained from physical implementations rather than utilizing theoretical weaknesses of a scheme. In particular, during the last years, major achievements were made for the class of access-driven cache attacks. The source of information leakage for such attacks is the locations of memory accesses performed by a victim process. In this paper we analyze the case of AES and present an attack which is capable of recovering the full secret key in almost real time for AES-128, requiring only a very limited number of observed encryptions. Unlike most other attacks, ours neither needs to know the ciphertext, nor does it need to know any information about the plaintext (such as its distribution, etc.). Moreover, for the first time we also show how the plaintext can be recovered without having access to the ciphertext. Further, our spy process can be run under an unprivileged user account. It is the first working attack for implementations using compressed tables, where it is no longer possible to find out the beginning of AES rounds, a cornerstone for all efficient previous attacks. All results of our attack have been demonstrated by a fully working implementation, and do not solely rely on theoretical considerations or simulations. A contribution of probably independent interest is a denial of service attack on the scheduler of current Linux systems (CFS), which allows memory accesses to be monitored with unprecedentedly high precision. Finally, we give some generalizations of our attack, and suggest some possible countermeasures which would render our attack impossible.

Publication info
Published elsewhere. Extended abstracts have appeared at "Security and Privacy 2011" and "COSADE 2011".
Keywords
AES, side channel, access-based cache-attacks
Contact author(s)
stephan krenn @ bfh ch
2011-10-19: revised
2010-11-24: received
Creative Commons Attribution


      author = {Endre Bangerter and David Gullasch and Stephan Krenn},
      title = {Cache Games - Bringing Access Based Cache Attacks on AES to Practice},
      howpublished = {Cryptology ePrint Archive, Paper 2010/594},
      year = {2010},
      note = {\url{}},
      url = {}