Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses

Julien Maillard; Julien Maillard; Thomas Hiscock; Maxime Lecomte; Christophe Clavier

doi:10.5220/0012813200003767

Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses

Julien Maillard, Julien Maillard, Thomas Hiscock, Maxime Lecomte, Christophe Clavier

2024

Abstract

Remote side-channel attacks on processors exploit hardware and micro-architectural effects observable from software measurements. So far, the analysis of micro-architectural leakages over physical side-channels (power consumption, electromagnetic field) received little treatment. In this paper, we argue that those attacks are a serious threat, especially against systems such as smartphones and Internet-of-Things (IoT) devices which are physically exposed to the end-user. Namely, we show that the observation of Dynamic Random Access Memory (DRAM) accesses with an electromagnetic (EM) probe constitutes a reliable alternative to time measurements in cache side-channel attacks. We describe the EVICT+EM attack, that allows recovering a full AES key on a T-Tables implementation with similar number of encryptions than state-of-the-art EVICT+RELOAD attacks on the studied ARM platforms. This new attack paradigm removes the need for shared memory and exploits EM radiations instead of high precision timers. Then, we introduce PRIME+EM, which goal is to reverse-engineer cache usage patterns of applications. This attack allows to recover the layout of lookup tables within the cache. Finally, we present COLLISION+EM, a collision-based attack on a Systemon-chip (SoC) that does not require malicious code execution, and show its practical efficiency in recovering key material on an ARM TrustZone application. Those results show that physical observation of the microarchitecture can lead to improved attacks.

Download

Paper Citation

in Harvard Style

Maillard J., Hiscock T., Lecomte M. and Clavier C. (2024). Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 262-273. DOI: 10.5220/0012813200003767

in Bibtex Style

@conference{secrypt24,
author={Julien Maillard and Thomas Hiscock and Maxime Lecomte and Christophe Clavier},
title={Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={262-273},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012813200003767},
isbn={978-989-758-709-2},
}

in EndNote Style

TY - CONF

JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses
SN - 978-989-758-709-2
AU - Maillard J.
AU - Hiscock T.
AU - Lecomte M.
AU - Clavier C.
PY - 2024
SP - 262
EP - 273
DO - 10.5220/0012813200003767
PB - SciTePress