CACHE SNIPER : Accurate timing control of cache evictions

TL;DR

This paper introduces CACHE SNIPER, a novel cache eviction attack that precisely evicts cache data without special privileges, bypassing existing countermeasures and extracting cryptographic keys from protected implementations.

Contribution

The paper presents a new timing-based cache eviction attack leveraging TSX and L3 replacement policies, capable of bypassing common cryptographic countermeasures.

Findings

Successfully extracted RSA keys from wolfSSL library

Extracted AES keys from OpenSSL's S-Box implementation

Demonstrated attack efficiency without shared memory or privileges

Abstract

Microarchitectural side channel attacks have been very prominent in security research over the last few years. Caches have been an outstanding covert channel, as they provide high resolution and generic cross-core leakage even with simple user-mode code execution privileges. To prevent these generic cross-core attacks, all major cryptographic libraries now provide countermeasures to hinder key extraction via cross-core cache attacks, for instance avoiding secret dependent access patterns and prefetching data. In this paper, we show that implementations protected by 'good-enough' countermeasures aimed at preventing simple cache attacks are still vulnerable. We present a novel attack that uses a special timing technique to determine when an encryption has started and then evict the data precisely at the desired instant. This new attack does not require special privileges nor explicit synchronization between the attacker and the victim. One key improvement of our attack is a method to evict data from the cache with a single memory access and in absence of shared memory by leveraging the transient capabilities of TSX and relying on the recently reverse-engineered L3 replacement policy. We demonstrate the efficiency by performing an asynchronous last level cache attack to extract an RSA key from the latest wolfSSL library, which has been especially adapted to avoid leaky access patterns, and by extracting an AES key from the S-Box implementation included in OpenSSL bypassing the per round prefetch intended as a protection against cache attacks.