Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Automated detection of instruction cache leaks in modular exponentiation software

: Zankl, A.; Heyszl, J.; Sigl, G.


Lemke-Rust, Kerstin:
Smart card research and advanced applications. 15th International Conference, CARDIS 2016 : Cannes, France, November 7-9, 2016; Revised selected papers
Cham: Springer International Publishing, 2017 (Lecture Notes in Computer Science 10146)
ISBN: 978-3-319-54669-8 (Online)
ISBN: 978-3-319-54668-1 (Print)
International Conference on Smart Card Research and Advanced Applications (CARDIS) <15, 2016, Cannes>
Conference Paper
Fraunhofer AISEC ()

The shared instruction cache of modern processors is an established side-channel that allows adversaries to observe the execution flow of other applications. This has been shown to be a threat to cryptographic software whose execution flow depends on the processed secrets. Testing implementations for these dependencies, or leaks, is essential to develop protected cryptographic software. In this work, we present an automated testing methodology that allows to detect execution flow leaks in implementations of modular exponentiation, a key operation in schemes like RSA, ElGamal, and Diffie-Hellman. We propose a simple and effective leakage test that captures problematic properties of vulnerable exponentiation algorithms. The execution flow of an implementation is directly monitored during exponentiation using a dynamic binary instrumentation framework. This allows to efficiently detect leaking code with instruction-level granularity in a noiseless and controlled environment. As a practical demonstration, we test multiple RSA implementations of modern cryptographic libraries with the proposed methodology. It reliably detects leaking code in vulnerable implementations and also identifies leaks in a protected implementation that are non-trivial to spot in a code review. We present a fix for these leaks and strongly recommend to also patch the other implementations. Because instruction cache attacks have been shown to be a threat in practice, it seems advisable to integrate an automated leakage test in the software release process of cryptographic libraries.