Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines

Eugen Leitl eugen at
Tue Nov 6 05:01:35 PST 2012

November 5, 2012, 9:25AM

Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines

by Michael Mimoso

Side-channel attacks against cryptography keys have, until now, been limited
to physical machines. Researchers have long made accurate determinations
about crypto keys by studying anything from variations in power consumption
to measuring how long it takes for a computation to complete.

A team of researchers from the University of North Carolina, University of
Wisconsin, and RSA Security has ramped up the stakes, having proved in
controlled conditions that itbs possible to steal a crypto key from a virtual

The implications for sensitive transactions carried out on public cloud
infrastructures could be severe should an attacker land his malicious virtual
machine on the same physical host as the victim. Research has already been
conducted on how to map a cloud infrastructure and identify where a target
virtual machine is likely to be.

The UNC and RSA researchers did not demonstrate their attack on a live public
cloud, but said their research shows that isolation of certain processes
doesnbt necessarily provide the protection once thought.

bThis should serve as a warning that if youbve got a highly sensitive
workload, you donbt want to run it near a dangerous bedfellow in the cloud,b
said Ari Juels, chief scientist at RSA Security. bAlso, if youbre concerned
about nation states, donbt run that relevant workload in a public cloud.b

The team, made of Juels, Yinqian Zhang and Michael K. Reiter of UNC, and
Thomas Ristenpart of the University of Wisconsin, carried out their attack in
an Amazon EC2-like environment with the Xen VMM in place. In any such virtual
environment, the hypervisor is what provides isolation and management for
virtual machines. In theory, the VMs are not aware of each other, but they do
share hardware resources on the physical host. The researchers were able to
extract enough information by observing shared resources, in this case the L1
instruction cache, to reconstruct the cryptographic key in post-processing.

They used an access-driven side-channel attack where in a matter of
milliseconds over the course of a particular processing operation, the
attacker and victim alternate process execution. The attacker would then
observe changes in the cache to extract the data theybre looking for.

What makes this attack unique is that the researchers here were able to
overcome succinct challenges presented by any VMM, namely 1) coarse
scheduling granularity which prevents two virtual machines from running
simultaneously, 2) data bnoiseb introduced by the hypervisor on both the
hardware and software level that would make it difficult for an attacker to
filter and obtain what theybre after.

bWhen an attacker sees information in the cache, they may not be aware or
know whether the cache configuration reflects execution by the victim at
all,b said UNCbs Reiter. bIt might reflect dom0 or the hypervisor. If thatbs
the case, therebs no information about the victimbs key to extract.b

In this attack, the researchers were able to extract a private ElGamal
decryption key from the target VMbs libgcrypt library; the target was running
Gnu Privacy Guard. Over the course of a few hours of observations, they were
able to reconstruct a 457-bit exponent accompanying a 4096-bit modulus with
high accuracy, the teambs paper said. bSo high that the attacker was then
left to search fewer than 10,000 possible exponents to find the right one,b
the paper said.

The team was able to execute its attack by filling the cache set with data, a
technique called Priming, and then measure the time it takes to fill the
cache set, called Probing.

bThe attacker primes the cache, or fills it with his own data, the probes it
to see what parts of the cache have been evicted,b Reiter said. The attacker
then observes the behavior of what ran in the interim. bWhatever ran,
utilized data that mapped to that caches set,b Reiter said. bFrom that, an
attacker can build a profile of what the other side is doing.

bThe real trick is to get useful information. The attacker has to overcome
scheduling granularity the hypervisor imposes,b Reiter said. bXen has 30
milliseconds. You have to give up the core, come back 30 milliseconds later
and see the accumulated sum of activity and its effect on the core.b

The researchers were able to get much more granular scheduling and figured
out how to strip out the irrelevant noise in order to pull off the attack.
Again, this was in a controlled environment, Reiter and Juels said. For
example, the target virtual machine was repeatedly performing cryptographic
operations, a scenario that would be unlikely in most real-world public

bThe victim will not always be running a cryptographic operation; you could
be observing something unrelated and that operation becomes noise,b Juels
said. bProcessing takes place afterwards; the harvesting is done in real
time. To mount this attack successfully, it would be helpful to make frequent
observations of the victim.

bAt present, this is a fairly elaborate attack and we would expect it to be
mounted only by a sophisticated attack organization such as a nation-state,b
Juels said. bThis research shows this type of attack is feasible.b

Commenting on this Article will be automatically closed on February 5, 2013.

More information about the cypherpunks-legacy mailing list