# ExplFrame: Exploiting Page Frame Cache for Fault Analysis of Block   Ciphers

**Authors:** Anirban Chakraborty, Sarani Bhattacharya, Sayandeep Saha and, Debdeep Mukhopadhyay

arXiv: 1905.12974 · 2020-02-13

## TL;DR

This paper introduces ExplFrame, a novel attack exploiting the Linux Page Frame Cache to manipulate victim process memory, enabling fault injection and key recovery in block ciphers like AES via Rowhammer.

## Contribution

It demonstrates a new software-based cache exploitation technique for fault analysis in cryptographic implementations, with practical end-to-end attack and key recovery methods.

## Key findings

- Successfully forced victim pages to vulnerable locations in DRAM.
- Achieved full key recovery of AES using Rowhammer-induced faults.
- Demonstrated practical feasibility of exploiting PFC for cryptanalysis.

## Abstract

Page Frame Cache (PFC) is a purely software cache, present in modern Linux based operating systems (OS), which stores the page frames that are recently being released by the processes running on a particular CPU. In this paper, we show that the page frame cache can be maliciously exploited by an adversary to steer the pages of a victim process to some pre-decided attacker-chosen locations in the memory. We practically demonstrate an end-to-end attack, ExplFrame, where an attacker having only user-level privilege is able to force a victim process's memory pages to vulnerable locations in DRAM and deterministically conduct Rowhammer to induce faults. We further show that these faults can be exploited for extracting the secret key of table-based block cipher implementations. As a case study, we perform a full-key recovery on OpenSSL AES by Rowhammer-induced single bit faults in the T-tables. We propose an improvised fault analysis technique which can exploit any Rowhammer-induced bit-flips in the AES T-tables.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.12974/full.md

## Figures

4 figures with captions in the complete paper: https://tomesphere.com/paper/1905.12974/full.md

## References

15 references — full list in the complete paper: https://tomesphere.com/paper/1905.12974/full.md

---
Source: https://tomesphere.com/paper/1905.12974