CryptoDB
New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures
Authors: |
- Onur Aciicmez
- Shay Gueron
- Jean-Pierre Seifert
|
Download: |
- URL: http://eprint.iacr.org/2007/039
|
Abstract: |
Software based side-channel attacks allow an unprivileged spy
process to extract secret information from a victim
(cryptosystem) process by exploiting some indirect leakage of
"side-channel" information. It has been realized that some
components of modern computer microarchitectures leak certain
side-channel information and can create unforeseen security
risks. An example of such MicroArchitectural Side-Channel
Analysis is the Cache Attack --- a group of attacks that exploit
information leaks from cache latencies.
Public awareness of Cache Attack vulnerabilities led software
writers of OpenSSL (version 0.9.8a and subsequent versions) to
incorporate countermeasures for preventing these attacks.
In this paper, we present a new and yet unforeseen side channel
attack that is enabled by the recently published Simple Branch
Prediction Analysis (SBPA) which is another type of
MicroArchitectural Analysis. We
show that modular inversion --- a critical primitive in public
key cryptography --- is a natural target of SBPA attacks because
it typically uses the Binary Extended Euclidean algorithm whose
nature is an input-centric sequence of conditional branches. Our
results show that SBPA can be used to extract secret parameters
during the execution of the Binary Extended Euclidean algorithm.
This poses a new potential risk to crypto-applications such as
OpenSSL, which already employs Cache Attack countermeasures.
Thus, it is necessary to develop new software mitigation
techniques for BPA and incorporate them with cache analysis
countermeasures in security applications.
To mitigate this new risk in full generality, we apply a
security-aware algorithm design methodology and propose some
changes to the CRT-RSA algorithm flow. These changes either avoid
some of the steps that require modular inversion, or remove the
critical information leak from this procedure.
In addition, we also show by example that, independently of the
required changes in the algorithms, careful software analysis is
also required in order to assure that the software implementation
does not inadvertently introduce branches that may expose the
application to SBPA attacks.
These offer several simple ways for modifying OpenSSL in order to
mitigate Branch Prediction Attacks. |
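The abstract's central observation, that the Binary Extended Euclidean algorithm is an input-dependent sequence of conditional branches, can be made concrete. The following is an added example, not code from the paper, from CryptoDB, or from OpenSSL: a textbook BEEA for modular inversion that records which branches it takes (a stand-in for the branch outcomes a branch-prediction spy would observe), a function that reconstructs the input from that trace alone when the modulus is known, and, as the kind of alternative the abstract alludes to when it speaks of avoiding steps that require modular inversion, an inversion by Fermat's little theorem computed with a Montgomery ladder whose operation sequence is fixed by the modulus size. Function names, the trace alphabet and the sample values are this example's own choices. It assumes the observer knows the modulus (in CRT-RSA both operands of the inversion are secret, so this is the simplest setting), and Python's big-integer arithmetic is not constant-time, so the ladder only models the branch structure of a countermeasure, not a production implementation.

```python
import math


def beea_inverse(a, p, trace=None):
    """a^-1 mod p by the textbook Binary Extended Euclidean Algorithm (BEEA).

    Every loop decision depends on the operand values, so the taken-branch
    sequence is a function of the secret input a.  `trace` receives one symbol
    per arithmetic branch: U/V = halve u/v, S = u -= v, T = v -= u.  (The parity
    test in each coefficient update is one more input-dependent branch; it is
    not recorded because the four symbols already determine a.)
    """
    if trace is None:
        trace = []
    a %= p
    if a == 0 or p % 2 == 0 or math.gcd(a, p) != 1:
        raise ValueError("need odd p and gcd(a, p) == 1")
    u, v = a, p
    x1, x2 = 1, 0            # invariants: x1*a == u and x2*a == v  (mod p)
    while u != 1 and v != 1:
        while u % 2 == 0:
            trace.append('U')
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + p) // 2
        while v % 2 == 0:
            trace.append('V')
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + p) // 2
        if u >= v:
            trace.append('S')
            u, x1 = u - v, x1 - x2
        else:
            trace.append('T')
            v, x2 = v - u, x2 - x1
    return (x1 if u == 1 else x2) % p


def recover_from_trace(trace, p):
    """Reconstruct a from the BEEA branch trace, given the modulus p.

    Each branch is an invertible linear step on (u, v): undoing U doubles u,
    undoing S adds v back to u, and so on.  Composing the undo steps gives an
    integer matrix M with (a, p) = M * (u_final, v_final).  The loop stops with
    u_final == 1 or v_final == 1, so p pins down the other final value and a
    follows; replaying BEEA on each candidate confirms which case applies.
    """
    undo = {'U': (2, 0, 0, 1), 'V': (1, 0, 0, 2),
            'S': (1, 1, 0, 1), 'T': (1, 0, 1, 1)}
    m00, m01, m10, m11 = 1, 0, 0, 1
    for op in trace:                          # M = R(op_1) * ... * R(op_n)
        r00, r01, r10, r11 = undo[op]
        m00, m01, m10, m11 = (m00 * r00 + m01 * r10, m00 * r01 + m01 * r11,
                              m10 * r00 + m11 * r10, m10 * r01 + m11 * r11)
    candidates = []
    if (p - m10) % m11 == 0:                  # case u_final == 1 (m11 >= 1)
        candidates.append(m00 + m01 * ((p - m10) // m11))
    if m10 and (p - m11) % m10 == 0:          # case v_final == 1
        candidates.append(m00 * ((p - m11) // m10) + m01)
    for a in candidates:
        if 0 < a < p and math.gcd(a, p) == 1:
            replay = []
            beea_inverse(a, p, replay)
            if replay == list(trace):
                return a
    return None


def cswap(bit, x, y):
    """Swap x and y when bit == 1, selecting by arithmetic mask, not a branch."""
    d = (x ^ y) & -bit                        # -bit is 0 or all-ones
    return x ^ d, y ^ d


def fermat_inverse(a, p, trace=None):
    """a^-1 mod p as a^(p-2) mod p (p prime) with a Montgomery ladder.

    The operation sequence is fixed by p's bit length, not by a: each step does
    one multiply and one square and picks operands with cswap, so the trace is
    the same for every input.  This models branch structure only; Python's
    big-integer arithmetic itself is not constant-time.
    """
    if trace is None:
        trace = []
    e, r0, r1 = p - 2, 1, a % p
    for i in range(p.bit_length() - 1, -1, -1):
        bit = (e >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = (r0 * r1) % p
        r0 = (r0 * r0) % p
        r0, r1 = cswap(bit, r0, r1)
        trace.append('L')                     # identical entry for every bit
    return r0


if __name__ == "__main__":
    p, secret = 65537, 12345                  # constructed sample values
    observed = []
    inv = beea_inverse(secret, p, observed)
    print("BEEA branch trace:", "".join(observed))
    print("secret recovered from trace:", recover_from_trace(observed, p))
    print("ladder gives same inverse:", fermat_inverse(secret, p) == inv)
```

Running the module prints a trace such as a run of U, V, S and T symbols, then the original secret recovered from nothing but that trace and the modulus, which is the leak the abstract describes. The ladder returns the same inverse for every input with an identical trace, which is the property a branch-prediction countermeasure has to deliver; as the abstract also stresses, the whole implementation must then be checked for branches that reintroduce operand dependence elsewhere, for example in the coefficient update or in a conditional swap written with an `if`.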
BibTeX
@misc{eprint-2007-13321,
title={New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures},
booktitle={IACR Eprint archive},
keywords={implementation / Side channel attacks, branch prediction attacks, cache eviction attacks, Binary Extended Euclidean Algorithm, modular inversion, software mitigation methods, OpenSSL, RSA, CRT.},
url={http://eprint.iacr.org/2007/039},
note={ jeanpierreseifert@yahoo.com 13551 received 6 Feb 2007},
author={Onur Aciicmez and Shay Gueron and Jean-Pierre Seifert},
year=2007
}