On Cache Timing Attacks Considering Multi-core Aspects in Virtualized Embedded Systems

  • Michael WeißEmail author
  • Benjamin Weggenmann
  • Moritz August
  • Georg Sigl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9473)


Virtualization has become one of the most important security enhancing techniques for embedded systems during the last years, both for mobile devices and cyber-physical system (CPS). One of the major security threats in this context is posed by side channel attacks. In this work, Bernstein’s time-driven cache-based attack against AES is revisited in a virtualization scenario based on an actual CPS using the PikeOS microkernel virtualization framework. The attack is conducted in the context of the implemented virtualization scenario using different scheduler configurations. We provide experimental results which show that using dedicated cores for crypto routines will have a high impact on the vulnerability of such systems. We also compare the results to previous work in that field and our visualization directly shows the differences between cache architectures of the ARM Cortex-A8 and Cortex-A9. Further, a non-invasive countermeasure against timing attacks based on the scheduler of PikeOS is devised, which in fact increases the system’s security against cache timing attacks.


Cyber-physical system (CPS) Virtualization Trusted execution environment Microkernel AES Cache timing Embedded systems 


  1. 1.
    Acıiçmez, O., Koç, Ç.K.: Trace-driven cache attacks on AES (short paper). In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 112–121. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  2. 2.
    Acıiçmez, O., Schindler, W., Koç, Ç.K.: Cache based remote timing attack on the AES. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 271–286. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  3. 3.
    Aeronautical Radio, Inc.: Avionics application software standard interface, ARNIC Specification p. 653 (1997)Google Scholar
  4. 4.
    Aly, H., ElGayyar, M.: Attacking AES using bernstein’s attack on modern processors. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 127–139. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J.: Cache-timing attacks on AES. Technical report (2005)Google Scholar
  6. 6.
    Bonneau, J., Mironov, I.: Cache-collision timing attacks against AES. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 201–215. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  7. 7.
    Gallais, J.-F., Kizhvatov, I., Tunstall, M.: Improved trace-driven cache-collision attacks against embedded AES implementations. In: Chung, Y., Yung, M. (eds.) WISA 2010. LNCS, vol. 6513, pp. 243–257. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  8. 8.
    Gueron, S.: Intel\({\textregistered }\) advanced encryption standard (aes) instructions set. Technical report (2008)Google Scholar
  9. 9.
    Gullasch, D., Bangerter, E., Krenn, S.: Cache games - bringing access-based cache attacks on AES to practice. In: IEEE Symposium on Security and Privacy - S&P 2011. IEEE Computer Society (2011)Google Scholar
  10. 10.
    Kaiser, R., Wagner, S.: Evolution of the pikeos microkernel. In: First International Workshop on Microkernels for Embedded Systems, p. 50 (2007)Google Scholar
  11. 11.
    Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 1–17. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  12. 12.
    Kim, T., Peinado, M., Mainar-Ruiz, G.: Stealthmem: system-level protection against cache-based side channel attacks in the cloud. In: Presented as Part of the 21st USENIX Security Symposium (USENIX Security 2012), pp. 189–204, Bellevue, WA, USENIX (2012)Google Scholar
  13. 13.
    Könighofer, R.: A fast and cache-timing resistant implementation of the AES. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 187–202. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  14. 14.
    Matsui, M., Nakajima, J.: On the power of bitslice implementation on intel core2 processor. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 121–134. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  15. 15.
    Neve, M., Seifert, J.-P., Wang, Z.: A refined look at bernstein’s aes side-channel analysis. In: ASIACCS, p. 369 (2006)Google Scholar
  16. 16.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  17. 17.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, New York, NY, USA, pp. 199–212. ACM (2009)Google Scholar
  18. 18.
    Spreitzer, R., Gérard, B.: Towards more practical time-driven cache attacks. In: Naccache, D., Sauveron, D. (eds.) WISTP 2014. LNCS, vol. 8501, pp. 24–39. Springer, Heidelberg (2014) Google Scholar
  19. 19.
    Spreitzer, R., Plos, T.: On the applicability of time-driven cache attacks on mobile devices. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 656–662. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  20. 20.
    Stefan, D., Buiras, P., Yang, E.Z., Levy, A., Terei, D., Russo, A., Mazières, D.: Eliminating cache-based timing attacks with instruction-based scheduling. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 718–735. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  21. 21.
    Varadarajan, V., Ristenpart, T., Swift, M.: Scheduler-based defenses against cross-vm side-channels. In: 23rd USENIX Security Symposium (USENIX Security 2014), San Diego, CA, pp. 687–702. USENIX Association, August 2014Google Scholar
  22. 22.
    Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  23. 23.
    Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  24. 24.
    Weiß, M., Heinz, B., Stumpf, F.: A cache timing attack on AES in virtualization environments. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 314–328. Springer, Heidelberg (2012) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Michael Weiß
    • 1
    Email author
  • Benjamin Weggenmann
    • 1
  • Moritz August
    • 2
  • Georg Sigl
    • 2
  1. 1.Fraunhofer Institut AISECGarchingGermany
  2. 2.Technische Universität MünchenMunichGermany

Personalised recommendations