Wait a Minute! A fast, Cross-VM Attack on AES

  • Gorka Irazoqui
  • Mehmet Sinan Inci
  • Thomas Eisenbarth
  • Berk Sunar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)


In cloud computing, efficiencies are reaped by resource sharing such as co-location of computation and deduplication of data. This work exploits resource sharing in virtualization software to build a powerful cache-based attack on AES. We demonstrate the vulnerability by mounting cross-VM Flush+Reload cache attacks in VMware VMs to recover the keys of the AES implementation of OpenSSL 1.0.1 running inside the victim VM. Furthermore, the attack works in a realistic setting where the different VMs are located on separate cores. The modified Flush+Reload attack we present takes only on the order of seconds to minutes to succeed in a cross-VM setting. Therefore the long-term co-location required by other fine-grain attacks in the literature is not needed. The results of this study show that there is a great security risk to the OpenSSL AES implementation running on VMware cloud services when deduplication is not disabled.


Keywords: Cross-VM, memory deduplication, Flush+Reload, cache attacks





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Gorka Irazoqui (1)
  • Mehmet Sinan Inci (1)
  • Thomas Eisenbarth (1)
  • Berk Sunar (1)

  1. Worcester Polytechnic Institute, Worcester, USA
