Cache Attacks Enable Bulk Key Recovery on the Cloud

  • Mehmet Sinan İnciEmail author
  • Berk Gulmezoglu
  • Gorka Irazoqui
  • Thomas Eisenbarth
  • Berk Sunar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9813)


Cloud services keep gaining popularity despite the security concerns. While non-sensitive data is easily trusted to cloud, security critical data and applications are not. The main concern with the cloud is the shared resources like the CPU, memory and even the network adapter that provide subtle side-channels to malicious parties. We argue that these side-channels indeed leak fine grained, sensitive information and enable key recovery attacks on the cloud. Even further, as a quick scan in one of the Amazon EC2 regions shows, high percentage – 55 % – of users run outdated, leakage prone libraries leaving them vulnerable to mass surveillance.

The most commonly exploited leakage in the shared resource systems stem from the cache and the memory. High resolution and the stability of these channels allow the attacker to extract fine grained information. In this work, we employ the Prime and Probe attack to retrieve an RSA secret key from a co-located instance. To speed up the attack, we reverse engineer the cache slice selection algorithm for the Intel Xeon E5-2670 v2 that is used in our cloud instances. Finally we employ noise reduction to deduce the RSA private key from the monitored traces. By processing the noisy data we obtain the complete 2048-bit RSA key used during the decryption.


Amazon EC2 Co-location detection RSA key recovery Virtualization Prime and Probe attack 



This work is supported by the National Science Foundation, under grants CNS-1318919 and CNS-1314770.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Transparent Page Sharing: Additional management capabilities and new default settings.
  5. 5.
    Acıiçmez, O.: Yet another microarchitectural attack: exploiting I-cache. In: Proceedings of the 2007 ACM Workshop on Computer Security ArchitectureGoogle Scholar
  6. 6.
    Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: Predicting secret keys via branch prediction. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 225–242. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Bates, A., Mood, B., Pletcher, J., Pruse, H., Valafar, M., Butler, K.: Detecting co-residency with active traffic analysis techniques. In: Proceedings of the 2012 ACM Workshop on Cloud Computing Security WorkshopGoogle Scholar
  8. 8.
    Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh Aah.. Just a Little Bit” : a small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014)Google Scholar
  9. 9.
    Bernstein, D.J.: Cache-timing attacks on AES (2004).
  10. 10.
    Bernstein, D.J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Bhattacharya, S., Mukhopadhyay, D.: Who watches the watchmen?: utilizing performance monitors for compromising keys of RSA on Intel platforms. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 248–266. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  12. 12.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Proceedings of the 12th USENIX Security Symposium, pp. 1–14 (2003)Google Scholar
  13. 13.
    Campagna, M.J., Sethi, A.: Key recovery method for CRT implementation of RSA. Cryptology ePrint Archive, Report 2004/147.
  14. 14.
    Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last level cache side channel attacks are practical, September 2015Google Scholar
  15. 15.
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Genkin, D., Pachmanov, L., Pipman, I., Tromer, E.: Stealing keys from PCs using a radio: cheap electromagnetic attacks on windowed exponentiation. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 207–228. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  17. 17.
    Genkin, D., Shamir, A., Tromer, E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 444–461. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  18. 18.
    Gruss, D., Spreitzer, R., Mangard, S.: Cache.: template attacks: automating attacks on inclusive last-level caches. In: 24th USENIX Security Symposium, pp. 897–912. USENIX Association (2015)Google Scholar
  19. 19.
    Gullasch, D., Bangerter, E., Krenn, S.: Cache games - bringing access-based cache attacks on AES to practice. In: SP 2011, pp. 490–505Google Scholar
  20. 20.
    Hamburg, M.: Bit level error correction algorithm for RSA keys. Personal Communication. Cryptography Research Inc. (2013)Google Scholar
  21. 21.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: Presented as Part of the 21st USENIX Security Symposium (USENIX Security 2012), Bellevue, WA. USENIX, pp. 205–220 (2012)Google Scholar
  22. 22.
    Hu, W.-M.: Lattice scheduling and covert channels. In: Proceedings of the 1992 IEEE Symposium on Security and PrivacyGoogle Scholar
  23. 23.
    Hund, R., Willems, C.,Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, pp. 191–205Google Scholar
  24. 24.
    İncİ, M.S., Gülmezoglu, B., Eisenbarth, T., Sunar, B.: Co-location detection on the cloud. In: COSADE (2016)Google Scholar
  25. 25.
    İncİ, M.S., Gülmezoglu, B., Irazoqui, G., Eisenbarth, T., Sunar, B.: Cache attacks enable bulk key recovery on the cloud (extended version) (2016). Google Scholar
  26. 26.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: S$A: a shared cache attack that works across cores and defies VM sandboxing and its application to AES. In: 36th IEEE Symposium on Security and Privacy, S&P (2015)Google Scholar
  27. 27.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: Systematic reverse engineering of cache slice selection in Intel processors. In: Euromicro DSD (2015)Google Scholar
  28. 28.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: Cross processor cache attacks. In: Proceedings of the 11th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2016. ACM (2016)Google Scholar
  29. 29.
    Irazoqui, G., İncİ, M.S., Eisenbarth, T., Sunar, B.: Know thy neighbor: crypto library detection in cloud. Proc. Priv. Enhancing Technol. 1(1), 25–40 (2015)Google Scholar
  30. 30.
    Irazoqui, G., İncİ, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! a fast, cross-VM attack on AES. In: RAID, pp. 299–319 (2014)Google Scholar
  31. 31.
    Irazoqui, G., İncİ, M.S., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2015, pp. 85–96 (2015)Google Scholar
  32. 32.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  33. 33.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  34. 34.
    Libgcrypt: The Libgcrypt reference manual.
  35. 35.
    Lipp, M., Gruss, D., Spreitzer, R., Mangard, S. ARMageddon : last-level cache attacks on mobile devices. CoRR abs/1511.04897 (2015)Google Scholar
  36. 36.
    Maurice, C., Scouarnec, N.L., Neumann, C., Heen, O., Francillon, A.: Reverse engineering intel last-level cache complex addressing using performance counters. In: RAID 2015 (2015)Google Scholar
  37. 37.
    Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox : practical cache attacks in javascript and their implications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, CCS 2015, pp. 1406–1418. ACM (2015)Google Scholar
  38. 38.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks countermeasures.: the case of AES. In: Proceedings of the 2006 The Cryptographers’ Track at the RSA Conference on Topics in Cryptology, CT-RSA 2006Google Scholar
  39. 39.
    Page, D.: Theoretical use of cache memory as a cryptanalytic side-channel (2002)Google Scholar
  40. 40.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 199–212Google Scholar
  41. 41.
    Suzaki, K., Iijima, K., Toshiki, Y., Artho, C.: Implementation of a memory disclosure attack on memory deduplication of virtual machines. IEICE Trans. Fundam. Electron., Commun. Comput. Sci. 96, 215–224 (2013)CrossRefGoogle Scholar
  42. 42.
    Varadarajan, V., Zhang, Y., Ristenpart, T., Swift, M.: A placement vulnerability study in multi-tenant public clouds. In: 24th USENIX Security Symposium (USENIX Security 2015), Washington, D.C., August 2015, pp. 913–928. USENIX AssociationGoogle Scholar
  43. 43.
    Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: USENIX Security Symposium, pp. 159–173 (2012)Google Scholar
  44. 44.
    Xu, Z., Wang, H., Wu, Z.: A measurement study on co-residence threat inside the cloud. In: 24th USENIX Security Symposium (USENIX Security 2015), Washington, D.C., August 2015, pp. 929–944. USENIX AssociationGoogle Scholar
  45. 45.
    Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 719–732Google Scholar
  46. 46.
    Yarom, Y., Ge, Q., Liu, F., Lee, R.B., Heiser, G.: Mapping the Intel last-level cache. Cryptology ePrint Archive, Report 2015/905 (2015).
  47. 47.
    Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: HomeAlone : co-residency detection in the cloud via side-channel analysis. In: Proceedings of the 2011 IEEE Symposium on Security and PrivacyGoogle Scholar
  48. 48.
    Zhang, Y., Juels, A., Reiter, M. K., Ristenpart, T.: Cross-tenant side-channel attacks in paas clouds. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityGoogle Scholar
  49. 49.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: Proceedings of the 2012 ACM Conference on Computer and Communications SecurityGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Mehmet Sinan İnci
    • 1
    Email author
  • Berk Gulmezoglu
    • 1
  • Gorka Irazoqui
    • 1
  • Thomas Eisenbarth
    • 1
  • Berk Sunar
    • 1
  1. 1.Worcester Polytechnic Institute WorcesterUSA

Personalised recommendations