Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …

Know Thy Neighbor: Crypto Library Detection in Cloud

Gorka Irazoqui / Mehmet Sinan IncI / Thomas Eisenbarth / Berk Sunar
Published Online: 2015-04-18 | DOI: https://doi.org/10.1515/popets-2015-0003


Software updates and security patches have become a standard method to fix known and recently discovered security vulnerabilities in deployed software. In server applications, outdated cryptographic libraries allow adversaries to exploit weaknesses and launch attacks with significant security results. The proposed technique exploits leakages at the hardware level to first, determine if a specific cryptographic library is running inside (or not) a co-located virtual machine (VM) and second to discover the IP of the co-located target. To this end, we use a Flush+Reload cache side-channel technique to measure the time it takes to call (load) a cryptographic library function. Shorter loading times are indicative of the library already residing in memory and shared by the VM manager through deduplication. We demonstrate the viability of the proposed technique by detecting and distinguishing various cryptographic libraries, including MatrixSSL, PolarSSL, GnuTLS, OpenSSL and CyaSSL along with the IP of the VM running these libraries. In addition, we show how to differentiate between various versions of libraries to better select an attack target as well as the applicable exploit. Our experiments show a complete attack setup scenario with single-trial success rates of up to 90% under light load and up to 50% under heavy load for libraries running in KVM.

Keywords : Cryptographic Libraries; Cross-VM attacks; Virtualization; Deduplication


  • [1] Amazon AWS: 3.8 billion revenue in 2013. https:// readwrite.com/2013/01/14/amazon-web-services-can-itwin- the-enterprise.Google Scholar

  • [2] Analyzing shared memory opportunities in different workloads. http://os.itec.kit.edu/downloads/sa_2011_ groeninger-thorsten_shared-memory-opportunities.pdf.Google Scholar

  • [3] The dropbox blog. https://blog.dropbox.com/2013/07/ dbx/.Google Scholar

  • [4] Heartbleed bug. http://heartbleed.com/.Google Scholar

  • [5] Kernel samepage merging. http:// kernelnewbies.org/Linux_2_6_32#headd3f32e41df508090810388a57efce73f52660ccb/.Google Scholar

  • [6] OpenSSL vulnerabilities. https://www.openssl.org/news/ vulnerabilities.html.Google Scholar

  • [7] CyaSSL: Embedded SSL library wolfSSL. http://www. wolfssl.com/yaSSL/Home.html, May 2014.Google Scholar

  • [8] GnuTLS client examples. http://www.gnutls.org/manual/ html_node/Client-examples.html, April 2014.Google Scholar

  • [9] GnuTLS server examples. http://www.gnutls.org/manual/ html_node/Server-examples.html, April 2014.Google Scholar

  • [10] Kernel based virtual machine. http://www.linux-kvm.org/ page/Main_Page, April 2014.Google Scholar

  • [11] MatrixSSL: Open source embedded SSL. http://www. matrixssl.org/, May 2014.Google Scholar

  • [12] AcıIçmez, O. Yet another microarchitectural attack:: Exploiting i-cache. In Proceedings of the 2007 ACM Workshop on Computer Security Architecture (New York, NY, USA, 2007), CSAW ’07, ACM, pp. 11-18.Google Scholar

  • [13] AcıIçmez, O., Gueron, S., and Seifert, J.-P. New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. Cryptology ePrint Archive, Report 2007/039, 2007. http://eprint.iacr.org/2006/351.pdf.Google Scholar

  • [14] AcıIçmez, O., Koç, C. K., and Seifert, J.-P. On the power of simple branch prediction analysis. IACR Cryptology ePrint Archive 2006 (2006), 351.Google Scholar

  • [15] AcıIçmez, O., Koç, C. K., and Seifert, J.-P. Predicting secret keys via branch prediction. In CT-RSA (2007), M. Abe, Ed., vol. 4377 of Lecture Notes in Computer Science, Springer, pp. 225-242.Google Scholar

  • [16] Arcangeli, A., Eidus, I., and Wright, C. Increasing memory density by using KSM. In Proceedings of the linux symposium (2009), pp. 19-28.Google Scholar

  • [17] Bernstein, D. J. Cache-timing attacks on AES, 2004. URL: http://cr.yp.to/papers.html#cachetiming.Google Scholar

  • [18] Bleichenbacher, D. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS1. Springer-Verlag, pp. 1-12.Google Scholar

  • [19] Bonneau, J. Robust final-round cache-trace attacks against AES.Google Scholar

  • [20] Bonneau, J., and Mironov, I. Cache-collision timing attacks against AES. In Cryptographic Hardware and Embedded Systems-CHES 2006 (2006), vol. 4249 of Springer LNCS, Springer, pp. 201-215.Google Scholar

  • [21] Brumley, B. B., and Tuveri, N. Remote timing attacks are still practical. In Computer Security-ESORICS 2011. Springer, 2011, pp. 355-371.Google Scholar

  • [22] Brumley, D., and Boneh, D. Remote timing attacks are practical. Computer Networks 48, 5 (2005), 701-716.Google Scholar

  • [23] CBC news. Heartbleed bug: 900 SINs stolen from Revenue Canada. http://www.cbc.ca/news/business/heartbleed-bugrcmp- asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192l, April 2014.Google Scholar

  • [24] Crane, S., Homescu, A., Brunthaler, S., Larsen, P., and Franz, M. Thwarting cache side-channel attacks through dynamic software diversity.Google Scholar

  • [25] Dan Goodin. Hackers break SSL encryption used by millions of sites. http://www.theregister.co.uk/2011/09/19/ beast_exploits_paypal_ssl/, 2011.Google Scholar

  • [26] Duong, T., and Rizzo, J. Here come the XOR ninjas.Google Scholar

  • [27] Fardan, N. J. A., and Paterson, K. G. Lucky Thirteen: Breaking the TLS and DTLS record protocols. In Security and Privacy (SP), 2013 IEEE Symposium on (May 2013), pp. 526-540.Google Scholar

  • [28] Gullasch, D., Bangerter, E., and Krenn, S. Cache games - bringing access-based cache attacks on AES to practice. IEEE Symposium on Security and Privacy 0 (2011), 490-505.Google Scholar

  • [29] Hu, W.-M. Lattice scheduling and covert channels. In Proceedings of the 1992 IEEE Symposium on Security and Privacy (Washington, DC, USA, 1992), SP ’92, IEEE Computer Society, pp. 52-.Google Scholar

  • [30] Irazoqui, G., Eisenbarth, T., and Sunar, B. Jackpot stealing information from large caches via huge pages. Cryptology ePrint Archive, Report 2014/970, 2014. http: //eprint.iacr.org/.Google Scholar

  • [31] Irazoqui, G., IncI, M. S., Eisenbarth, T., and Sunar, B. Wait a Minute! A fast, Cross-VM Attack on AES. In Research in Attacks, Intrusions and Defenses, A. Stavrou, H. Bos, and G. Portokalidis, Eds., vol. 8688 of Lecture Notes in Computer Science. Springer International Publishing, 2014, pp. 299-319.Google Scholar

  • [32] Jones, M. T. Anatomy of Linux kernel shared memory. http://www.ibm.com/developerworks/linux/library/l-kernelshared- memory/l-kernel-shared-memory-pdf.pdf/, April 2010.Google Scholar

  • [33] Kelsey, J., Schneier, B., Wagner, D., and Hall, C. Side Channel Cryptanalysis of Product Ciphers. J. Comput. Secur. 8, 2,3 (Aug. 2000), 141-158.Google Scholar

  • [34] Klíma, V., Pokorny, O., and Rosa, T. Attacking RSAbased sessions in SSL/TLS. In in Proc. of Cryptographic Hardware and Embedded Systems (CHES), 2003 (2003), Springer, pp. 426-440.Google Scholar

  • [35] Nikos Mavrogiannopoulos and Simon Josefsson. GnuTLS: The GnuTLS transport layer security library. May 2014.Google Scholar

  • [36] Osvik, D. A., Shamir, A., and Tromer, E. Cache attacks and countermeasures: The case of AES. In Proceedings of the 2006 The Cryptographers’ Track at the RSA Conference on Topics in Cryptology (Berlin, Heidelberg, 2006), CT-RSA’06, Springer-Verlag, pp. 1-20.Google Scholar

  • [37] Page, D. Theoretical use of cache memory as a cryptanalytic side-channel, 2002.Google Scholar

  • [38] PolarSSL. PolarSSL: Straightforward,secure communication. www.polarssl.org.Google Scholar

  • [39] Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (New York, NY, USA, 2009), CCS ’09, ACM, pp. 199-212.Google Scholar

  • [40] Suzaki, K., Iijima, K., Yagi, T., and Artho, C. Memory deduplication as a threat to the guest OS. In Proceedings of the Fourth European Workshop on System Security (2011), ACM, p. 1.Google Scholar

  • [41] Suzaki, K., Iijima, K., Yagi, T., and Artho, C. Software side channel attack on memory deduplication. SOSP POSTER (2011).Google Scholar

  • [42] Suzaki, K., Iijima, K., Yagi, T., and Artho, C. Effects of memory randomization, sanitization and page cache on memory deduplication.Google Scholar

  • [43] The Guardian. More than 300k systems ’still vulnerable’ to Heartbleed attacks. http://www.theguardian.com/ technology/2014/jun/23/heartbleed-attacks-vulnerableopenssl, July 2014.Google Scholar

  • [44] The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS. www.openssl.org, April 2003.Google Scholar

  • [45] Tsunoo, Y., Saito, T., Suzaki, T., and Shigeri, M. Cryptanalysis of DES implemented on computers with cache. In Proc. of CHES 2003, Springer LNCS (2003), Springer-Verlag, pp. 62-76.Google Scholar

  • [46] Vattikonda, B. C., Das, S., and Shacham, H. Eliminating fine grained timers in xen.Google Scholar

  • [47] Vaudenay, S. Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. In Proceedings of In Advances in Cryptology - EUROCRYPT’02 (2002), Springer- Verlag, pp. 534-546.Google Scholar

  • [48] Waldspurger, C. A. Memory resource management in VMware ESX server. ACM SIGOPS Operating Systems Review 36, SI (2002), 181-194.Google Scholar

  • [49] Wang, Z., and Lee, R. B. New cache designs for thwarting software cache-based side channel attacks. In Proceedings of the 34th Annual International Symposium on Computer Architecture (New York, NY, USA, 2007), ISCA ’07, ACM, pp. 494-505.Google Scholar

  • [50] Yarom, Y., and Benger, N. Recovering OpenSSL ECDSA nonces using the flush+reload cache side-channel attack. Cryptology ePrint Archive, Report 2014/140, 2014. https: //eprint.iacr.org/2014/140.pdf.Google Scholar

  • [51] Yarom, Y., and Falkner, K. E. Flush+reload: a high resolution, low noise, L3 cache side-channel attack. IACR Cryptology ePrint Archive 2013 (2013), 448.Google Scholar

  • [52] Zhang, Y., Juels, A., Oprea, A., and Reiter, M. K. Homealone: Co-residency detection in the cloud via sidechannel analysis. In Proceedings of the 2011 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2011), SP ’11, IEEE Computer Society, pp. 313-328.Google Scholar

  • [53] Zhang, Y., Juels, A., Reiter, M. K., and Ristenpart, T. Cross-VM side channels and their use to extract private keys. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (New York, NY, USA, 2012), CCS ’12, ACM, pp. 305-316.Google Scholar

  • [54] Zhang, Y., Juels, A., Reiter, M. K., and Ristenpart, T. Cross-tenant side-channel attacks in paas clouds. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (New York, NY, USA, 2014), CCS ’14, ACM, pp. 990-1003. Google Scholar

About the article

Received: 2014-11-22

Revised: 2015-02-06

Accepted: 2015-02-05

Published Online: 2015-04-18

Published in Print: 2015-04-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2015, Issue 1, Pages 25–40, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0003.

Export Citation

© 2015. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Comments (0)

Please log in or register to comment.
Log in