2

I have been reading about cache side channel attacks and the "Flush+Reload" method came up a decent amount. Before putting forth my question, this is what I understand about the Flush+reload technique.

I understand that if two users (Alice, Bob) run the same program, the typical OS will create a copy of the page tables so that the program is not loaded twice. These are read-only though so all is "fine". If attacker, Bob, can determine which cache lines of the shared memory are in the L3 cache over a period of time, he can possibly determine what cache lines Alice's process accesses overtime. This can be done with the Flush Reload by clearing out the cache and timing how long it takes to read the cache. Very fast = Alice is accessing this piece of memory. Slow = Alice is not accessing this piece of memory. Bob continues to do this overtime to develop a 'baseline' of sorts. Hopefully the majority of my understanding is correct.

I have read how this can be used for programs that have user input. Bob performs the attack on himself with many inputs and calculates the time based on refreshing the cache. He then performs the attack on Alice and basically compares the results to distinguish inputs (high level but this isn't my question).

The majority of my understanding is from here.

My question is, how is this attack any different from a brute force attack or even a timing attack in the context of user input?

Anders
  • 64,406
  • 24
  • 178
  • 215
pm1391
  • 1,427
  • 2
  • 7
  • 19
  • Can you explain what you mean by a brute force attack or a “timing attack in the context of user input”? – Steve Feb 20 '18 at 19:42
  • Sure, so given a user name and password, a timing attack could be used to determine how long the program takes to generate a reply saying "authenticated" or "nope". Ex: giving the correct username, incorrect password might return quicker than incorrect username and password. Or a similar password might take longer to check – pm1391 Feb 21 '18 at 03:26
  • Generally, the difference is that a brute force attack will only succeed when _every_ bit matches. With side-channel attacks like these, you can check individual parts of the target at a time. It's much easier to break user input if you only have to guess a single character at a time than if you have to guess it all at once. – forest Feb 21 '18 at 07:47

1 Answers1

-2

Side Channel attacks usually do not leave any traces of intrusion. The attacked program will run without detecting any side effects. With brute force attacks the attacked program is invoked by the attacker many number of times. The attacked program can take counter measures as to check for the frequency of requests. e.g. brute force would be to try every possible key for decryption of a cipher text. side channel attack would be to detect/sniff the key by measuring the electric/electromagnetic/cache access characteristics. For RSA encryption if square and multiply method is used it is possible to find out the key by checking the current usage of the device as each step in square and multiply require different power.

hiRu
  • 1