YACHT: Yet Another CacHe Timing Attack
Cesar Pereida Garcı́a
Laboratory of Pervasive Computing
Tampere University of Technology
Tampere, Finland
Email:
[email protected]
Abstract—Cache attacks are a subset of microarchitecture
attacks, which are currently gaining traction due to the serious
impact they represent to current microprocessor architecture.
Moreover, cache attacks against cryptography libraries such
as OpenSSL, LibreSSL and BoringSSL have proved to be
feasible and relevant due to the increasing trend of cloud
computing, multi-user computing and shared resources over
the last decade. The goal of this work is to present the
current ongoing research on cache attacks, more specifically
in cryptography library implementations using state-of-the-art
cache attack techniques.
1. Introduction
Cryptographic primitive proposals are expected to be
accompanied by an extensive description of the security
assurance and its proofs demonstrating resistance to known
cryptanalytic techniques. Such proofs are defined within
a security model which contains assumptions about the
abilities of a given attacker. In order for a primitive proposal
to be accepted, it must make its way from the formal
written specification to a concrete software or hardware
implementation. This task is inevitably the burden of an
engineer.
More often than not, security issues occur when leaping
from paper to practice. A natural concern is how well the
physical implementation of the primitive preserves the as-
sumptions of the security model. On the one hand, efficiency
is required for practical implementations of cryptography to
be usable, and achieving that efficiency may compromise the
security of such implementations. On the other hand, pro-
viding the maximum security without considering efficiency
may result in slow, unusable cryptography implementations.
Therefore, achieving both requirements is a non-trivial task
for engineers, since a wrong implementation lead to leakage
of information.
Cryptography engineering is a building block of security,
privacy and anonymity in software and hardware. It needs
to provide these attributes while being efficient at the same
time, therefore achieving these properties is difficult and
opens the possibility to defects. Additionally, the intricacies
of cryptographic algorithms and protocols enable flaws and
pitfalls, therefore the development of cryptography is a
difficult and a complex job for engineers and mathemati-
cians. Engineers are advised not to implement their own
cryptography but instead, to rely on existing solutions that
are trustworthy and have been continually tested over long
periods of time, one such solution is the OpenSSL library.
OpenSSL1 is an open source project that started in
December 1998 as a fork of SSLeay by Eric Andrew
Young and Tim Hudson. Its original goal was to develop
encryption tools for the growing Internet, but nowadays it
does much more than that. OpenSSL can be divided in
three general modules: a cryptographic library, an SSL/TLS
library and toolkit, and command line tools. The command
line tools are linked against the other two modules and
provide an interface to create and execute cryptographic
objects and SSL/TLS operations. The SSL/TLS library and
toolkit contains network protocols and extensions and it
uses the cryptographic library to provide security. Finally,
and relevant to this work, the cryptographic library contains
the implementation of several standardized cryptographic
primitives including encryption, decryption, hash functions,
digital signatures and key exchange.
OpenSSL is maintained by small group of core develop-
ers which are mostly volunteers. Unfortunately, this situation
impacts the development decisions and the quality of the
code base, since security assurance and code correctness
can be hard to achieve in a project of such magnitude. Fur-
thermore, the developers favor portability over optimization,
this allowed a rapid adoption during the early days of the
library and it has helped to become the de facto standard
for Internet security, in addition to a prime security attack
target [1].
As mentioned before, due to its widespread usage and
impact on the security of Internet, OpenSSL is a popular
target for several types of attacks including cache attacks.
Assessment of cache attacks on cryptography and their
mitigations are non-trivial tasks and therefore this can be a
long and time consuming process for the developing team.
Moreover, new attacks paired with inevitable software bugs,
defects and flaws make the work of securing the Internet an
arduous task.
The goal of the current research is twofold: to find and
exploit cryptography flaws using cache attack techniques
1. https://www.openssl.org/
on multiple cryptography libraries such as OpenSSL; and
to increase the security of the users through patches and
mitigations for the flaws discovered.
2. Microarchitecture attacks
A microarchitecture is the hardware implementation of
an instruction set architecture (ISA) for a processor. Several
microarchitecture features exist to improve the average per-
formance of the processor: (1) a data cache is a low capacity
and high speed memory located on the CPU—it temporarily
fetches and stores data values retrieved from slower main
memory so that subsequent requests can be served quicker;
(2) an instruction cache is mostly analogous to a data cache,
but temporarily fetches and stores instruction values to be
executed; (3) a branch predictor is a digital circuit on the
CPU that guesses the outcome of logic branches, fetches
the resulting instructions, and speculatively executes them
to avoid pipeline stall.
Unfortunately, these microarchitecture features introduce
side-channels due to hidden states observed through pro-
gram execution characteristics (e.g. timing): (1) data cache-
timing attacks [2]; (2) instructing cache-timing attacks [3];
(3) branch predictor attacks [4]. This subset of side-channel
attacks are known as microarchitecture attacks and are a
serious threat to security critical software.
Microarchitectures were not developed with security as
a priority, and several attacks on different components are
a proof of it. When developing countermeasures, software
updates are relatively easy to distribute but retiring or up-
grading hardware in a massive scale is not viable due to
time and costs.
2.1. Cache Attacks
Accessing data and instructions from main memory is
not an instant operation since it takes time to locate and to
load the data, thus it delays the execution of the processors.
Caches are small and fast memory banks used by processors
to improve the execution performance. The performance is
improved by exploiting spacial and temporal locality of the
memory access. In other words, data that is accessed several
times during the same program, is cached (i.e. temporal
locality). And data close to the accessed data will be cached
too (i.e. spatial locality). Modern CPUs contain multiple
cache levels, both private and shared among cores.
Cache attacks are a subset of microarchitecture attacks,
targeting specifically the cache. Cache attacks against cryp-
tographic implementations exploit two different but impor-
tant features, the timing variation introduced by the cache
hierarchy and the non-constant time execution of crypto-
graphic algorithms. Thus, a motivated attacker can correlate
the cache timing data, the execution time of the algorithm,
its internal state during execution and the output of the
algorithm to ultimately recover confidential information.
Several techniques to attack the cache hierarchy have
been proposed and used successfully to mount cache attack,
these techniques include E VICT +R ELOAD [5], P RIME +
P ROBE [6], F LUSH +R ELOAD [7], and F LUSH +F LUSH [8].
The previous techniques are still relevant and have advan-
tages and disadvantages depending on the attack scenario.
More importantly, the F LUSH +R ELOAD technique is the
most relevant technique for this work due to its granularity
in a single cache line. Figure 1 shows a trace obtained using
the F LUSH +R ELOAD technique targeting OpenSSL.
The F LUSH +R ELOAD techniques works by evicting a
target memory location using the clflush instruction.
After the data has been evicted from the cache, the data
is reloaded into the cache and timed. The time determines
if the data was reloaded into the cache by another pro-
cess running in parallel. Recent research uses the F LUSH +
R ELOAD technique in clever ways targeting the kernel [9],
web server function calls [10], user input [11], [12], covert
channels [13] in addition to cryptographic algorithms [2],
[14].
Research in cache attacks has developed the tools to
perform more specialized and powerful microarchitecture
attacks as recently demonstrated by the Meltdown [15] and
the Spectre [16] attacks.
3. Related Work
In his seminal work, Colin Percival [6] discusses that
shared access to memory caches between threads can be
used as a covert channel and also permits to monitor the ex-
ecution of other threads. Moreover, the author demonstrated
that the Sliding Window Exponentiation implementation of
modular exponentiation in OpenSSL version 0.9.7c is vul-
nerable to cache-timing attacks, applied to recover RSA pri-
vate keys, by identifying access to pre-computed multipliers
stored in memory. Following the issue, the OpenSSL team
introduced a code change to mitigate the attack. OpenSSL
added a “constant-time” implementation of modular expo-
nentiation, this implementation combines a fixed-window
exponentiation algorithm with a scatter-gather method [17],
allowing to mask table access to the multipliers. The scatter-
gather method ensures that the same cache lines are always
accessed, irrespective of the multiplier used.
Acıiçmez et al. [18] demonstrate Simple Branch Pre-
diction Analysis (SBPA) a new class of analysis under
cache-timing attacks. Previous research effort focused on
the modular exponentiation operation due to the relevance
across several cryptosystems, however, the authors show
is not the only operation leaking secret information. They
show information leakage in OpenSSL 0.9.8a during the
modular inversion operation due to the use of the Binary
Extended Euclidean Algorithm (BEEA). The BEEA is used
during decryption in RSA-CRT and during the blinding
process, and this requires computations on secret values. The
authors prove it is theoretically possible to recover the input
values to the BEEA algorithm and therefore recover secret
information. Finally, they continue and modify OpenSSL
with proper countermeasures to prevent this attack.
More recently, Yarom et al. [19] showed that the scatter-
gather method implemented in OpenSSL is not “constant-
time” as it was believed. In their work, the authors demon-

Latency
0 50000 100000 150000
Figure 1. Raw trace captured using the F LUSH +R ELOAD technique during the executions of a cryptographic primitive and tracking two different operations.
Latency is scaled and normalized. For visualization, focus on the amplitude peaks, i.e. low latency.
strate that even if the same cache lines are always accessed,
the offset accessed within the cache line depends on the
multiplier used, which is decided based on the private key.
To that end, the authors exploit cache-bank conflicts. A
cache is often divided in cache banks. These banks allow
concurrent access to the cache, but cache banks can handle
only one request at a time. If multiple requests are made to
the same cache bank, a cache-bank conflict occurs and the
conflicting requests are delayed, creating a timing variation.
The timing variations allowed to perform an attack against
OpenSSL 1.0.2f, leading to 4096-bit RSA key recovery after
observing 16, 000 decryptions.
RSA has been the target of several attacks throughout
the years due to its relevance and widespread usage on the
Internet. Attacks to RSA are not limited to cache attacks,
also timing attacks, power analysis attacks, small exponent
attacks, prime factorization attacks and partial information
attacks have been successfully exploited. Likewise, attackers
have targeted every aspect of the cryptosystem: encryption,
decryption, key generation, signing and verification but it
stands the test of time. The cryptosystem has evolved and
attacks are harder to perform but as demonstrated by Nemec
et al. [20], the cryptosystem is extremely popular despite
the development of Elliptic Curve Cryptography and more
recently Post-Quantum Cryptography.
4. Current Research
The newest OpenSSL versions 1.1.0 and 1.1.1 introduce
the biggest changes to the code base with a “security first”
mindset. Nevertheless, these two versions have been around
for a relatively short amount of time, thus it is possible they
contain security flaws and side-channel leakages.
This work focuses on finding and exploiting new and
existing information leakages using cache attacks. The cur-
rent development of cache attack techniques, mathematical
techniques and computational resources help to discover
leakage and exploit them.
Leakage detection and trace acquisition are only the
first steps towards a full attack. Typically, a trace reveals
only a sequence of operations (e.g. square, multiply, double,
add, right shift, left shift) performed during the execution
of an algorithm. This sequence of operations needs to be
converted into information, more precisely, into bits. No
S probe
L probe
200000 250000 300000 350000 400000
Time
general way of translating operations into bits exist since
all depends on the algorithm in use and often such a way
does not exist at all. This is a decisive step in an attack, if
the attacker cannot translate operations into bits or the bit
leakage is too small then the attack will not be possible.
Once the bit leakage is measured and proved sufficient,
the attacker has to decide how to use those bits. Different
cryptographic primitives have different ways of maximizing
bit leakage but mathematical objects are a common approach
at this stage of an attack. Depending on the bits leaked, the
attack may require massive computational resources, making
the attack unfeasible in practice, at least for the time being.
The current research emphasizes in the OpenSSL imple-
mentation of the RSA cryptosystem with respect to cache
attacks. As mentioned earlier, RSA is widely deployed and
used and therefore a successful attack against the cryptosys-
tem will have a big impact on the security of the Internet.
5. Conclusion
As observed previously, cryptography libraries have a
questionable track record when it comes to microarchitec-
ture attacks. Flaws in mitigations, challenging countermea-
sures that do not stand the test of time and underestimation
of attacks are common issues when dealing with microar-
chitecture attacks.
In the case of OpenSSL, rapid changes to the code base
paired with regular changes and releases, complicate the
task of tracking possible leakages. Moreover, due to the
requirement to support several architectures is possible to
find multiple implementations of an algorithm with different
levels of security with respect to information leakage.
In addition, security flags were introduced into the code
base to identify and protect against newly discovered attacks
in specific cases and scenarios. Nevertheless, these scenarios
are now the norm instead of the exception, therefore the
task of tracking all the cases where these flags are needed
is paramount, and is very likely that many more cases will
go unnoticed [21], [22].
References
[1] C. Meyer and J. Schwenk, “SoK: Lessons learned from SSL/TLS
attacks,” in Information Security Applications - 14th International
Workshop, WISA 2013, Jeju Island, Korea, August 19-21, 2013,
Revised Selected Papers, ser. Lecture Notes in Computer Science,
Y. Kim, H. Lee, and A. Perrig, Eds., vol. 8267. Springer,
2013, pp. 189–209. [Online]. Available: https://doi.org/10.1007/
978-3-319-05149-9 12
[2] B. B. Brumley and R. M. Hakala, “Cache-timing template
attacks,” in Advances in Cryptology - ASIACRYPT 2009, 15th
International Conference on the Theory and Application of
Cryptology and Information Security, Tokyo, Japan, December
6-10, 2009. Proceedings, ser. Lecture Notes in Computer Science,
M. Matsui, Ed., vol. 5912. Springer, 2009, pp. 667–684. [Online].
Available: https://doi.org/10.1007/978-3-642-10366-7 39
[3] O. Acıiçmez, B. B. Brumley, and P. Grabher, “New results
on instruction cache attacks,” in Cryptographic Hardware and
Embedded Systems, CHES 2010, 12th International Workshop,
Santa Barbara, CA, USA, August 17-20, 2010. Proceedings, ser.
Lecture Notes in Computer Science, S. Mangard and F. Standaert,
Eds., vol. 6225. Springer, 2010, pp. 110–124. [Online]. Available:
https://doi.org/10.1007/978-3-642-15031-9 8
[4] O. Acıiçmez, Ç. K. Koç, and J. Seifert, “Predicting secret keys via
branch prediction,” in Topics in Cryptology - CT-RSA 2007, The
Cryptographers’ Track at the RSA Conference 2007, San Francisco,
CA, USA, February 5-9, 2007, Proceedings, ser. Lecture Notes in
Computer Science, M. Abe, Ed., vol. 4377. Springer, 2007, pp.
225–242. [Online]. Available: https://doi.org/10.1007/11967668 15
[5] D. A. Osvik, A. Shamir, and E. Tromer, “Cache attacks and
countermeasures: The case of AES,” in Topics in Cryptology -
CT-RSA 2006, The Cryptographers’ Track at the RSA Conference
2006, San Jose, CA, USA, February 13-17, 2006, Proceedings,
ser. Lecture Notes in Computer Science, D. Pointcheval, Ed.,
vol. 3860. Springer, 2006, pp. 1–20. [Online]. Available: https:
//doi.org/10.1007/11605805 1
[6] C. Percival, “Cache missing for fun and profit,” in BSDCan 2005,
Ottawa, Canada, May 13-14, 2005, Proceedings, 2005. [Online].
Available: http://www.daemonology.net/papers/cachemissing.pdf
[7] Y. Yarom and K. Falkner, “FLUSH+RELOAD: A high
resolution, low noise, L3 cache side-channel attack,” in
Proceedings of the 23rd USENIX Security Symposium,
San Diego, CA, USA, August 20-22, 2014., 2014, pp.
719–732. [Online]. Available: https://www.usenix.org/conference/
usenixsecurity14/technical-sessions/presentation/yarom
[8] D. Gruss, C. Maurice, K. Wagner, and S. Mangard, “Flush+flush:
A fast and stealthy cache attack,” in Detection of Intrusions
and Malware, and Vulnerability Assessment - 13th International
Conference, DIMVA 2016, San Sebastián, Spain, July 7-8,
2016, Proceedings, ser. Lecture Notes in Computer Science,
J. Caballero, U. Zurutuza, and R. J. Rodrı́guez, Eds., vol.
9721. Springer, 2016, pp. 279–299. [Online]. Available: https:
//doi.org/10.1007/978-3-319-40667-1 14
[9] R. Hund, C. Willems, and T. Holz, “Practical timing side channel
attacks against kernel space ASLR,” in 20th Annual Network and
Distributed System Security Symposium, NDSS 2013, San Diego,
California, USA, February 24-27, 2013, 2013.
[10] Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Cross-tenant
side-channel attacks in paas clouds,” in Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security,
Scottsdale, AZ, USA, November 3-7, 2014, G. Ahn, M. Yung,
and N. Li, Eds. ACM, 2014, pp. 990–1003. [Online]. Available:
http://doi.acm.org/10.1145/2660267.2660356
[11] D. Gruss, R. Spreitzer, and S. Mangard, “Cache template attacks:
Automating attacks on inclusive last-level caches,” in 24th USENIX
Security Symposium, USENIX Security 15, Washington, D.C., USA,
August 12-14, 2015., 2015, pp. 897–912.
[12] M. Lipp, D. Gruss, R. Spreitzer, C. Maurice, and S. Mangard,
“Armageddon: Cache attacks on mobile devices,” in 25th USENIX
Security Symposium, USENIX Security 16, Austin, TX, USA, August
10-12, 2016., 2016, pp. 549–564.
[13] C. Maurice, C. Neumann, O. Heen, and A. Francillon, “C5: cross-
cores cache covert channel,” in Detection of Intrusions and Malware,
and Vulnerability Assessment - 12th International Conference,
DIMVA 2015, Milan, Italy, July 9-10, 2015, Proceedings, ser.
Lecture Notes in Computer Science, M. Almgren, V. Gulisano, and
F. Maggi, Eds., vol. 9148. Springer, 2015, pp. 46–64. [Online].
Available: https://doi.org/10.1007/978-3-319-20550-2 3
[14] N. Benger, J. van de Pol, N. P. Smart, and Y. Yarom, ““ooh aah...
just a little bit” : A small amount of side channel can go a long way,”
in Cryptographic Hardware and Embedded Systems - CHES 2014 -
16th International Workshop, Busan, South Korea, September 23-26,
2014. Proceedings, ser. Lecture Notes in Computer Science, L. Batina
and M. Robshaw, Eds., vol. 8731. Springer, 2014, pp. 75–92.
[Online]. Available: https://doi.org/10.1007/978-3-662-44709-3 5
[15] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard,
P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg, “Meltdown,”
CoRR, vol. abs/1801.01207, 2018. [Online]. Available: http:
//arxiv.org/abs/1801.01207
[16] P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp,
S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom, “Spectre attacks:
Exploiting speculative execution,” CoRR, vol. abs/1801.01203, 2018.
[Online]. Available: http://arxiv.org/abs/1801.01203
[17] E. Brickell, G. Graunke, M. Neve, and J. Seifert, “Software
mitigations to hedge AES against cache-based software side channel
vulnerabilities,” IACR Cryptology ePrint Archive, vol. 2006, p. 52,
2006. [Online]. Available: http://eprint.iacr.org/2006/052
[18] O. Aciiçmez, S. Gueron, and J. Seifert, “New branch
prediction vulnerabilities in OpenSSL and necessary software
countermeasures,” in Cryptography and Coding, 11th IMA
International Conference, Cirencester, UK, December 18-20,
2007, Proceedings, 2007, pp. 185–203. [Online]. Available:
http://dx.doi.org/10.1007/978-3-540-77272-9 12
[19] Y. Yarom, D. Genkin, and N. Heninger, “CacheBleed: A timing attack
on openssl constant time RSA,” in Cryptographic Hardware and
Embedded Systems - CHES 2016 - 18th International Conference,
Santa Barbara, CA, USA, August 17-19, 2016, Proceedings, ser.
Lecture Notes in Computer Science, B. Gierlichs and A. Y.
Poschmann, Eds., vol. 9813. Springer, 2016, pp. 346–367. [Online].
Available: https://doi.org/10.1007/978-3-662-53140-2 17
[20] M. Nemec, M. Sýs, P. Svenda, D. Klinec, and V. Matyas, “The
return of coppersmith’s attack: Practical factorization of widely used
RSA moduli,” in Proceedings of the 2017 ACM SIGSAC Conference
on Computer and Communications Security, CCS 2017, Dallas, TX,
USA, October 30 - —November 03, 2017, B. M. Thuraisingham,
D. Evans, T. Malkin, and D. Xu, Eds. ACM, 2017, pp. 1631–1648.
[Online]. Available: http://doi.acm.org/10.1145/3133956.3133969
[21] C. Pereida Garcı́a, B. B. Brumley, and Y. Yarom, ““Make
sure DSA signing exponentiations really are constant-time”,” in
Proceedings of the 2016 ACM SIGSAC Conference on Computer
and Communications Security, Vienna, Austria, October 24-28, 2016,
E. R. Weippl, S. Katzenbeisser, C. Kruegel, A. C. Myers, and
S. Halevi, Eds. ACM, 2016, pp. 1639–1650. [Online]. Available:
http://doi.acm.org/10.1145/2976749.2978420
[22] C. Pereida Garcı́a and B. B. Brumley, “Constant-time callees
with variable-time callers,” in 26th USENIX Security Symposium,
USENIX Security 2017, Vancouver, BC, Canada, August 16-18,
2017., E. Kirda and T. Ristenpart, Eds. USENIX Association, 2017,
pp. 83–98. [Online]. Available: https://www.usenix.org/conference/
usenixsecurity17/technical-sessions/presentation/garcia