ABSynthe: Automatic Blackbox Side-channel Synthesis

Ben Gras (VU Amsterdam Systems Security Research Group)

04 June 2019 | 16:00 - 18:00
HS i7, Inffeldgasse 25D

Abstract

We present ABSynthe, a system that takes victim software and instruction sequences on any given microarchitecture as input and automatically synthesizes new side channels. At its core, ABSynthe relies on genetic algorithms to find the best instructions that cause information to leak and then on a recurrent neural network to craft practical side-channel attacks. Unlike prior attacks, ABSynthe follows a blackbox approach based on contention-based side-channel analysis. The key insight is that by limiting ourselves to (typically on-core) contention-based side channels, as opposed to stateful resources like caches, TLBs, and BTBs, which are complex to reverse engineer, we can treat the target CPU microarchitecture, its components, and their interactions with software as black boxes. This allows us to automatically detect arbitrary side channels on contended shared resources with no microarchitectural knowledge or reverse engineering.

Our results show ABSynthe can automatically synthesize attacks for many previously unexplored CPU components, without even pinpointing the specific component or its behavior. In fact, somewhat counter-intuitively, we find ABSynthe can synthesize better attacks by exploiting contention on multiple components at the same time. Concretely, we show ABSynthe can synthesize cross-thread attacks in different settings and for a variety of microarchitectures from Intel, AMD, and ARM, in both native and virtualized environments. We show high-reliability key recovery attacks on cryptographic software: from just a single trace capture, ABSynthe performs full 256-bit EdDSA key recovery in 97% of our test cases with minor brute force effort and uses no knowledge of the cryptographic algorithm.

Short Bio

Ben has been working on a PhD in the VU Amsterdam systems security research group since 2015. He has worked on software reliability, defensive research projects, and offensive research projects, especially microarchitectural side-channel attacks. Most recently, his side-channel projects have included AnC and TLBleed.