Paper 2023/1864

Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses

Julien Maillard, CEA LETI, XLIM
Thomas Hiscock, CEA LETI
Maxime Lecomte, CEA LETI
Christophe Clavier, XLIM

Remote side-channel attacks on processors exploit hardware and micro-architectural effects observable from software measurements. So far, the analysis of micro-architectural leakages over physical side-channels (power consumption, electromagnetic field) received little treatment. In this paper, we argue that those attacks are a serious threat, especially against systems such as smartphones and Internet-of-Things (IoT) devices which are physically exposed to the end-user. Namely, we show that the observation of Dynamic Random Access Memory (DRAM) accesses with an electromagnetic (EM) probe constitutes a reliable alternative to time measurements in cache side-channel attacks. We describe the EVICT+EM attack, that allows recovering a full AES key on a T-Tables implementation with similar number of encryptions than state-of-the-art EVICT+RELOAD attacks on the studied ARM platforms. This new attack paradigm removes the need for shared memory and exploits EM radiations instead of high precision timers. Then, we introduce PRIME+EM, which goal is to reverse-engineer cache usage patterns. This attack allows to recover the layout of lookup tables within the cache. Finally, we present COLLISION+EM, a collision-based attack on a System-on-chip (SoC) that does not require malicious code execution, and show its practical efficiency in recovering key material on an ARM TrustZone application. Those results show that physical observation of the micro-architecture can lead to improved attacks.

Available format(s)
Attacks and cryptanalysis
Publication info
Side-Channel attackmicroarchitectural attackTrustZoneSystem-on-Chip
Contact author(s)
julien maillard @ cea fr
2024-01-16: revised
2023-12-05: received
See all versions
Short URL
Creative Commons Attribution-ShareAlike


      author = {Julien Maillard and Thomas Hiscock and Maxime Lecomte and Christophe Clavier},
      title = {Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1864},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.