RASSLE: Return Address Stack based Side-channel LEakage
dc.contributor.author
Chakraborty, Anirban
dc.contributor.author
Bhattacharya, Sarani
dc.contributor.author
Alam, Manaar
dc.contributor.author
Patranabis, Sikhar
dc.contributor.author
Mukhopadhyay, Debdeep
dc.date.accessioned
2021-02-11T10:16:55Z
dc.date.available
2021-01-07T06:43:10Z
dc.date.available
2021-01-07T08:28:05Z
dc.date.available
2021-01-07T08:36:52Z
dc.date.available
2021-02-11T10:16:55Z
dc.date.issued
2021
dc.identifier.uri
http://hdl.handle.net/20.500.11850/460069
dc.identifier.doi
10.3929/ethz-b-000460069
dc.description.abstract
Micro-architectural attacks on computing systems often arise from simple artefacts in the underlying architecture. In this paper, we focus on the Return Address Stack (RAS), a seemingly tiny hardware stack present in modern processors to reduce the branch miss penalty by storing the return addresses of each function call. The RAS specifically handles branch prediction for RET instructions, which are not accurately predicted by the typical branch prediction units. In particular, we envisage a spy process that crafts an overflow condition in the RAS by filling it with arbitrary return addresses and wrestles with a concurrent process to establish a timing side-channel between them. We call this attack principle RASSLE (Return Address Stack based Side-channel Leakage), which an adversary can launch on modern processors by first reverse engineering the RAS using a generic methodology exploiting the established timing channel. Subsequently, we show three concrete attack scenarios: i) how a spy can establish a covert channel with another co-residing process; ii) how RASSLE can be utilized to determine the secret key of the P-384 curves in OpenSSL (v1.1.1 library); iii) how an ECDSA secret key on the P-256 curve of OpenSSL can be revealed using a Lattice Attack on partially leaked nonces with the aid of RASSLE. In this attack, we show that the OpenSSL implementation of scalar multiplication on this curve has a varying number of add-and-sub function calls, which depends on the secret scalar bits. We demonstrate through several experiments that the number of add-and-sub function calls can be used to template the secret bit, which can be picked up by the spy using the principles of RASSLE. Finally, we demonstrate a full end-to-end attack on OpenSSL’s Elliptic Curve Digital Signature Algorithm (ECDSA) using curve parameters of curve P-256.
In this part of our experiments with RASSLE, we abuse the deadline scheduler policy to attain perfect synchronization between the spy and victim, without any aid of induced synchronization from the victim code. This synchronization and timing leakage through RASSLE is sufficient to retrieve the most significant bits of the ephemeral nonces used during signature generation, from which we subsequently retrieve the secret signing key of the sender by applying the Hidden Number Problem.
en_US
dc.format
application/pdf
en_US
dc.language.iso
en
en_US
dc.publisher
ETH Zurich, Institute of Information Security
en_US
dc.rights.uri
http://rightsstatements.org/page/InC-NC/1.0/
dc.subject
Return Address Stack
en_US
dc.subject
Microarchitectural Attack
en_US
dc.subject
Template Matching
en_US
dc.subject
OpenSSL ECC scalar multiplication
en_US
dc.subject
ECDSA P-256
en_US
dc.subject
Lattice Reduction
en_US
dc.title
RASSLE: Return Address Stack based Side-channel LEakage
en_US
dc.type
Working Paper
dc.rights.license
In Copyright - Non-Commercial Use Permitted
ethz.size
29 p.
en_US
ethz.code.ddc
DDC - DDC::0 - Computer science, information & general works::004 - Data processing, computer science
en_US
ethz.publication.place
Zurich
en_US
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::09653 - Paterson, Kenneth / Paterson, Kenneth
en_US
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::09653 - Paterson, Kenneth / Paterson, Kenneth
en_US
ethz.relation.isPreviousVersionOf
10.3929/ethz-b-000522749
ethz.date.deposited
2021-01-07T06:43:17Z
ethz.source
FORM
ethz.eth
yes
en_US
ethz.availability
Open access
en_US
ethz.rosetta.installDate
2021-02-11T10:17:11Z
ethz.rosetta.lastUpdated
2022-03-29T05:11:00Z
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=RASSLE:%20Return%20Address%20Stack%20based%20Side-channel%20LEakage&rft.date=2021&rft.au=Chakraborty,%20Anirban&Bhattacharya,%20Sarani&Alam,%20Manaar&Patranabis,%20Sikhar&Mukhopadhyay,%20Debdeep&rft.genre=preprint&rft.btitle=RASSLE:%20Return%20Address%20Stack%20based%20Side-channel%20LEakage