DeepAI AI Chat
Log In Sign Up

CacheQL: Quantifying and Localizing Cache Side-Channel Vulnerabilities in Production Software

by   Yuanyuan Yuan, et al.

Cache side-channel attacks extract secrets by examining how victim software accesses cache. To date, practical attacks on cryptosystems and media libraries are demonstrated under different scenarios, inferring secret keys and reconstructing private media data such as images. This work first presents eight criteria for designing a full-fledged detector for cache side-channel vulnerabilities. Then, we propose CacheQL, a novel detector that meets all of these criteria. CacheQL precisely quantifies information leaks of binary code, by characterizing the distinguishability of logged side channel traces. Moreover, CacheQL models leakage as a cooperative game, allowing information leakage to be precisely distributed to program points vulnerable to cache side channels. CacheQL is meticulously optimized to analyze whole side channel traces logged from production software (where each trace can have millions of records), and it alleviates randomness introduced by cryptographic blinding, ORAM, or real-world noises. Our evaluation quantifies side-channel leaks of production cryptographic and media software. We further localize vulnerabilities reported by previous detectors and also identify a few hundred new leakage sites in recent OpenSSL (ver. 3.0.0), MbedTLS (ver. 3.0.0), Libgcrypt (ver. 1.9.4). Many of our localized program points are within the pre-processing modules of cryptosystems, which are not analyzed by existing works due to scalability. We also localize vulnerabilities in Libjpeg (ver. 2.1.2) that leak privacy about input images.


Cache Refinement Type for Side-Channel Detection of Cryptographic Software

Cache side-channel attacks exhibit severe threats to software security a...

Automated Side Channel Analysis of Media Software with Manifold Learning

The prosperous development of cloud computing and machine learning as a ...

Layered Binary Templating: Efficient Detection of Compiler- and Linker-introduced Leakage

Cache template attacks demonstrated automated leakage of user input in s...

Certified Side Channels

We demonstrate that the format in which private keys are persisted impac...

MicroWalk: A Framework for Finding Side Channels in Binaries

Microarchitectural side channels expose unprotected software to informat...

Identifying Cache-Based Side Channels through Secret-Augmented Abstract Interpretation

Cache-based side channels enable a dedicated attacker to reveal program ...

MAMBO-V: Dynamic Side-Channel Leakage Analysis on RISC-V

RISC-V is an emerging technology, with applications ranging from embedde...