International Association
for Cryptologic Research

The scale and frequency of password database compromises has led to widespread and persistent credential stuffing attacks, in which attackers attempt to use credentials leaked from one service to compromise accounts with other services. In response, browser vendors have integrated password leakage detection tools, which automatically check the user’s credentials against a list of compromised accounts upon each login, warning the user to change their password if a match is found. In particular, Google Chrome uses a centralized leakage detection service designed by Thomas et al. (USENIX Security ’19) that aims to both preserve the user’s privacy and hide the server’s list of compromised credentials. In this paper, we show that Chrome’s implementation of this protocol is vulnerable to several microarchitectural side- channel attacks that violate its security properties. Specifically, we demonstrate attacks against Chrome’s use of the memory-hard hash function scrypt, its hash-to-elliptic curve function, and its modular inversion algorithm. While prior work discussed the theoretical possibility of side-channel attacks on scrypt, we develop new techniques that enable this attack in practice, allowing an attacker to recover the user’s password with a single guess when using a dictionary attack. For modular inversion, we present a novel cryptanalysis of the Binary Extended Euclidian Algorithm (BEEA) that extracts its inputs given a single, noisy trace, thereby allowing a malicious server to learn information about a client’s password. This paper was presented at USENIX Security 2023, and the full version can be found at https://www.usenix.org/system/files/usenixsecurity23-kwong.pdf

In this work, we recover the private key material of the FrodoKEM key exchange mechanism as submitted to the NIST PQC standardization process. The new mechanism that allows for this is a Rowhammer-assisted poisoning of the FrodoKEM KeyGen process. That is, we induce the FrodoKEM software to output a higher-error PK, (A,B=AS+E), where the error E is modified by Rowhammer. Then, we perform a decryption failure attack, using a variety of publicly-accessible supercomputing resources running on the order of only 200,000 core-hours. We delicately attenuate the decryption failure rate to ensure that the adversary's attack succeeds practically, but so honest users cannot easily detect the manipulation. Achieving this public key "poisoning" requires an extreme engineering effort, as FrodoKEM's KeyGen runs on the order of 8 milliseconds. (Prior Rowhammer-assisted attacks against cryptography require as long as 8 hours of persistent access.) In order to handle this real-world timing condition, we require a wide variety of prior and brand new, low-level engineering techniques, including e.g. memory massaging algorithms -- i.e. "Feng Shui" -- and a precisely-targeted performance degradation attack on SHAKE.

Intel’s Software Guard Extensions (SGX) promises an isolated execution environment, protected from all software running on the machine. However, a significant limitation of SGX is its lack of protection against side-channel attacks. In particular, Intel states that side channel attacks our outside of SGX’s threat model, stating that “it is the developer's responsibility to address side-channel attack concerns”. In this talk we will discuss CacheOut, a new transient execution attack that is capable of extracting data across virtually all hardware-backed security domains. Unlike previous Microarchitectural Data Sampling Attacks (MDS), which were limited to leaking structured data form internal CPU buffers, CacheOut is able to leak data from the CPU’s L1-D cache, while giving the attacker control of what address to leak from the victim’s address space. After presenting CacheOut’s ability to leak random-looking data such as encryption keys from OpenSSL across process and virtual machine boundaries, we will discuss CacheOut’s applicability to breach SGX’s confidentiality by leaking arbitrary data from SGX enclaves. Besides being able to extract arbitrary enclaved data from fully-patched machines, we will show that CacheOut can be leveraged to compromise the EPID attestation keys of machines properly configured to pass Intel’s remote attestation protocol. With production attestation keys at hand, we are able to pass fake enclaves as genuine, issue fake attestation quotes, or even allow AMD machines to pass as genuine Intel hardware. Next, we analyze the impact of SGX breaches on several emerging SGX applications such as Signal’s communication app and Town Crier, an SGX-based blockchain application. We will show how SGX-based systems often fail in the presence of side channels, despite explicit attempts by developers to provide resilience in case of SGX breaches. Finally, we will discuss disclosure timelines, showing how SGX’s microcode-based patching model prohibits rapid patching, forcing developers to trust machines using compromised microcode. The talk will be given by Daniel Genkin and Stephan van Schaik, be amid at a cryptographic audience and include demonstrations. https://cacheoutattack.com/.