ABSTRACT
To avoid information leakage during program execution, modern software implementations of cryptographic algorithms target constant timing complexity, i.e., the number of instructions executed does not vary with the input. However, the underlying microarchitecture often behaves differently when processing different data inputs, which covertly leaks confidential information through the timing channel. In this paper, we exploit a novel fine-grained microarchitectural timing channel: stalls that occur due to bank conflicts in a GPU's shared memory. Using this attack surface, we develop a differential timing attack that can compromise table-based cryptographic algorithms. We implement our timing attack on an Nvidia Kepler K40 GPU and successfully recover the complete 128-bit AES encryption key using 10 million samples. We also evaluate the scalability of our attack method by attacking an 8192-thread implementation of the AES encryption algorithm, recovering some key bytes using 1 million samples.
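The abstract's point is that a load instruction with a constant instruction count can still take a data-dependent number of cycles, because lanes of a warp that hit different words in the same shared-memory bank are serialised. The following Python model, added here as an illustration and not code from the paper, lets a practitioner check whether a given table layout and access pattern is conflict-free. It assumes a Kepler-style shared memory with 32 banks of 4 bytes each and a 32-lane warp (the default Kepler configuration), that lanes reading the same word are served by a broadcast without conflict, and that the extra cost of a load is the number of serialised passes minus one; the table base address and entry sizes are constructed values.

```python
"""Model of shared-memory bank conflicts for a warp-wide table lookup.

Added illustration (not the paper's code). Assumptions:
  - 32 banks, each 4 bytes wide (Kepler default), 32 lanes per warp
  - the bank of a 4-byte word at byte address A is (A // 4) % 32
  - lanes that read the same word are broadcast and do not conflict
  - lanes that read different words in the same bank are serialised,
    so the load stalls for (degree - 1) extra passes
"""
from collections import defaultdict
from typing import Iterable, List

N_BANKS = 32      # assumption: Kepler default bank count
BANK_WIDTH = 4    # assumption: 4-byte bank width (default mode)
WARP_SIZE = 32


def bank_of(addr: int) -> int:
    """Bank that services the word containing byte address `addr`."""
    return (addr // BANK_WIDTH) % N_BANKS


def conflict_degree(addresses: Iterable[int]) -> int:
    """Number of serialised passes needed to service one warp-wide load.

    Distinct words in the same bank conflict; identical words are broadcast.
    """
    words_per_bank = defaultdict(set)
    for a in addresses:
        words_per_bank[bank_of(a)].add(a // BANK_WIDTH)
    return max((len(words) for words in words_per_bank.values()), default=1)


def table_lookup_degree(indices: List[int], entry_size: int = 4,
                        table_base: int = 0) -> int:
    """Conflict degree when lane i reads table[indices[i]].

    `entry_size` is the byte width of one table entry (4 for a 32-bit
    T-table, 1 for a byte S-box); `table_base` is a constructed address.
    """
    if len(indices) > WARP_SIZE:
        raise ValueError("at most one index per lane of a single warp")
    return conflict_degree(table_base + i * entry_size for i in indices)


def stall_passes(indices: List[int], entry_size: int = 4) -> int:
    """Extra passes (beyond the first) that the load costs for this input."""
    return table_lookup_degree(indices, entry_size) - 1


def is_conflict_free(indices: List[int], entry_size: int = 4) -> bool:
    """True when this warp-wide access pattern completes in a single pass."""
    return table_lookup_degree(indices, entry_size) == 1


if __name__ == "__main__":
    # Constructed inputs: same instruction, three different data-dependent costs.
    patterns = {
        "consecutive entries": list(range(32)),
        "all lanes same entry": [7] * 32,
        "entries 32 apart (256-entry table)": [(32 * k) % 256 for k in range(32)],
    }
    for name, idx in patterns.items():
        print(f"{name:36s} degree={table_lookup_degree(idx)} "
              f"stall_passes={stall_passes(idx)}")
```

Run stand-alone, the script prints a degree of 1 for consecutive entries and for a broadcast, but 8 for lanes reading entries 32 apart in a 256-entry 32-bit table: every lane lands in bank 0 and only eight distinct words are involved, so the load is serialised eightfold. Since the index is derived from the data being processed, the stall count is a function of that data, which is the leakage the paper measures.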
A Novel Side-Channel Timing Attack on GPUs