International Association for Cryptologic Research

CryptoDB

TeeJam: Sub-Cache-Line Leakages Strike Back

Authors:
Florian Sieck, University of Lübeck, Lübeck, Germany
Zhiyuan Zhang, The University of Melbourne, Melbourne, Australia
Sebastian Berndt, University of Lübeck, Lübeck, Germany
Chitchanok Chuengsatiansup, The University of Melbourne, Melbourne, Australia
Thomas Eisenbarth, University of Lübeck, Lübeck, Germany
Yuval Yarom, Ruhr-University Bochum, Bochum, Germany
Download:
DOI: 10.46586/tches.v2024.i1.457-500
URL: https://tches.iacr.org/index.php/TCHES/article/view/11259
Abstract: The microarchitectural behavior of modern CPUs is mostly hidden from developers and users of computer software. Due to a plethora of attacks exploiting microarchitectural behavior, developers of security-critical software must, e.g., ensure their code is constant-time, which is cumbersome and usually results in slower programs. In practice, small leakages which are deemed not exploitable still remain in the codebase. For example, sub-cache-line leakages have previously been investigated in the CacheBleed and MemJam attacks, which are deemed impractical on modern platforms. In this work, we revisit and carefully analyze the 4k-aliasing effect and discover that the measurable delay introduced by this microarchitectural effect is higher than found by previous work and described by Intel. By combining the rediscovered effect with a high temporal resolution possible when single-stepping an SGX enclave, we construct a very precise, yet widely applicable attack with sub-cache-line leakage resolution. To demonstrate the significance of our findings, we apply the new attack primitive to break a hardened AES T-Table implementation that features constant cache line access patterns. The attack is up to three orders of magnitude more efficient than previous sub-cache-line attacks on AES in SGX. Furthermore, we improve upon the recent work of Sieck et al. which showed partial exploitability of very faint leakages in a utility function loading base64-encoded RSA keys. With reliable sub-cache-line resolution, we build an end-to-end attack exploiting the faint leakage that can recover 4096-bit keys in minutes on a laptop. Finally, we extend the key recovery algorithm to also work for RSA keys following the standard that uses Carmichael’s totient function, while previous attacks were restricted to RSA keys using Euler’s totient function.
BibTeX
@article{tches-2023-33675,
  title={TeeJam: Sub-Cache-Line Leakages Strike Back},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2024 No. 1},
  pages={457-500},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11259},
  doi={10.46586/tches.v2024.i1.457-500},
  author={Florian Sieck and Zhiyuan Zhang and Sebastian Berndt and Chitchanok Chuengsatiansup and Thomas Eisenbarth and Yuval Yarom},
  year=2023
}