Re: Timing attack on general purpose processor

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 06/02/05 

Date: Thu, 2 Jun 2005 19:29:51 +0000 (UTC)

>The main difference between warmup and prefetch technique is that we
>insert some prefetch in the crypto loop. [..]
>Prefetch try and most of the time succeed to hide
>memory latency. When you made several prefetchs instructions you hide the
>access to many cache lined by the latency of only one. In fact prefecth
>just tell the processor that he has to load several data into cache (on
>x86 you can tell if it must be put into L1 or L2 or L3). In fact prefetch
>is going to improve the performance of the AES and the timing attack is
>going to be harder.

If I understand your suggestion, it is that you not only fetch the
memory address that you want to read from (i.e., the one you need for
your table lookup), but also one or two other memory addresses that you
don't care about (determined how??). But if I understand correctly, the
memory access pattern -- and the cache usage pattern -- is still
key-dependent. If you assume that an attacker on the same machine
can probe the cache (as in the hyperthreading attack), then it seems
that all this does is reduce the S/N ratio -- so all it means to the
attacker is that he has to average over a larger number of samples to
make the Signal stand out from the Noise. Is this correct?

It seems to me that more analysis is needed before we can conclude
whether this will help. I don't see why this prevents the attack
(as opposed to increasing its workfactor by some unknown constant).

Relevant Pages

  • Re: AMD64 assembly code optimization
    ... that's why I wouldn't have any prefetch in short loops. ... replacing the wide-spread memory references to access a small array ... My processor has 64K L1 data cache and that in takes 3 cycles to fetch ...
    (comp.lang.asm.x86)
  • Re: how does one disable processor cache on memory allocated with get_free_pages?
    ... > from memory and where it ends up on the way. ... via the linear kernel mapping and on a lot of CPUs, ... Disabling cache because of "data sensitivity" is a no-no. ... processor prefetch may well cause lines of cache for ...
    (Linux-Kernel)
  • Re: AES timing attack immunity -- status report
    ... Can prefetch up to 8 simultaneous independent streams from eight ... Fetches data into second/third-level cache ... Does not prefetch UC or WC memory types ... The prefetch instructions do not ...
    (sci.crypt)
  • Re: Reasons for the big paradigm switch
    ... even with a perfect cache). ... main memory, just make the cache your main memory, a la Seymour Cray. ... the prefetch of cache lines by explicit opcode hints seems to be the ... most effective use of cache hit free bandwidth. ...
    (comp.arch)
  • Re: Cached memory never gets released
    ... Stock linux 2.4.26 kernel. ... Due to flash bug 3M of memory gets lost due to font memory getting lost ... The output of "free" cache number steadily grows. ... longer to exhaust all of system memory with the cache. ...
    (Linux-Kernel)