Know Thy Neighbor: Crypto Library Detection in Cloud

Open access


Software updates and security patches have become a standard method to fix known and recently discovered security vulnerabilities in deployed software. In server applications, outdated cryptographic libraries allow adversaries to exploit weaknesses and launch attacks with significant security results. The proposed technique exploits leakages at the hardware level to first, determine if a specific cryptographic library is running inside (or not) a co-located virtual machine (VM) and second to discover the IP of the co-located target. To this end, we use a Flush+Reload cache side-channel technique to measure the time it takes to call (load) a cryptographic library function. Shorter loading times are indicative of the library already residing in memory and shared by the VM manager through deduplication. We demonstrate the viability of the proposed technique by detecting and distinguishing various cryptographic libraries, including MatrixSSL, PolarSSL, GnuTLS, OpenSSL and CyaSSL along with the IP of the VM running these libraries. In addition, we show how to differentiate between various versions of libraries to better select an attack target as well as the applicable exploit. Our experiments show a complete attack setup scenario with single-trial success rates of up to 90% under light load and up to 50% under heavy load for libraries running in KVM.

[1] Amazon AWS: 3.8 billion revenue in 2013. https:// the-enterprise.

[2] Analyzing shared memory opportunities in different workloads. groeninger-thorsten_shared-memory-opportunities.pdf.

[3] The dropbox blog. dbx/.

[4] Heartbleed bug.

[5] Kernel samepage merging. http://

[6] OpenSSL vulnerabilities. vulnerabilities.html.

[7] CyaSSL: Embedded SSL library wolfSSL. http://www., May 2014.

[8] GnuTLS client examples. html_node/Client-examples.html, April 2014.

[9] GnuTLS server examples. html_node/Server-examples.html, April 2014.

[10] Kernel based virtual machine. page/Main_Page, April 2014.

[11] MatrixSSL: Open source embedded SSL. http://www., May 2014.

[12] AcıIçmez, O. Yet another microarchitectural attack:: Exploiting i-cache. In Proceedings of the 2007 ACM Workshop on Computer Security Architecture (New York, NY, USA, 2007), CSAW ’07, ACM, pp. 11-18.

[13] AcıIçmez, O., Gueron, S., and Seifert, J.-P. New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. Cryptology ePrint Archive, Report 2007/039, 2007.

[14] AcıIçmez, O., Koç, C. K., and Seifert, J.-P. On the power of simple branch prediction analysis. IACR Cryptology ePrint Archive 2006 (2006), 351.

[15] AcıIçmez, O., Koç, C. K., and Seifert, J.-P. Predicting secret keys via branch prediction. In CT-RSA (2007), M. Abe, Ed., vol. 4377 of Lecture Notes in Computer Science, Springer, pp. 225-242.

[16] Arcangeli, A., Eidus, I., and Wright, C. Increasing memory density by using KSM. In Proceedings of the linux symposium (2009), pp. 19-28.

[17] Bernstein, D. J. Cache-timing attacks on AES, 2004. URL:

[18] Bleichenbacher, D. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS1. Springer-Verlag, pp. 1-12.

[19] Bonneau, J. Robust final-round cache-trace attacks against AES.

[20] Bonneau, J., and Mironov, I. Cache-collision timing attacks against AES. In Cryptographic Hardware and Embedded Systems-CHES 2006 (2006), vol. 4249 of Springer LNCS, Springer, pp. 201-215.

[21] Brumley, B. B., and Tuveri, N. Remote timing attacks are still practical. In Computer Security-ESORICS 2011. Springer, 2011, pp. 355-371.

[22] Brumley, D., and Boneh, D. Remote timing attacks are practical. Computer Networks 48, 5 (2005), 701-716.

[23] CBC news. Heartbleed bug: 900 SINs stolen from Revenue Canada. asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192l, April 2014.

[24] Crane, S., Homescu, A., Brunthaler, S., Larsen, P., and Franz, M. Thwarting cache side-channel attacks through dynamic software diversity.

[25] Dan Goodin. Hackers break SSL encryption used by millions of sites. beast_exploits_paypal_ssl/, 2011.

[26] Duong, T., and Rizzo, J. Here come the XOR ninjas.

[27] Fardan, N. J. A., and Paterson, K. G. Lucky Thirteen: Breaking the TLS and DTLS record protocols. In Security and Privacy (SP), 2013 IEEE Symposium on (May 2013), pp. 526-540.

[28] Gullasch, D., Bangerter, E., and Krenn, S. Cache games - bringing access-based cache attacks on AES to practice. IEEE Symposium on Security and Privacy 0 (2011), 490-505.

[29] Hu, W.-M. Lattice scheduling and covert channels. In Proceedings of the 1992 IEEE Symposium on Security and Privacy (Washington, DC, USA, 1992), SP ’92, IEEE Computer Society, pp. 52-.

[30] Irazoqui, G., Eisenbarth, T., and Sunar, B. Jackpot stealing information from large caches via huge pages. Cryptology ePrint Archive, Report 2014/970, 2014. http: //

[31] Irazoqui, G., IncI, M. S., Eisenbarth, T., and Sunar, B. Wait a Minute! A fast, Cross-VM Attack on AES. In Research in Attacks, Intrusions and Defenses, A. Stavrou, H. Bos, and G. Portokalidis, Eds., vol. 8688 of Lecture Notes in Computer Science. Springer International Publishing, 2014, pp. 299-319.

[32] Jones, M. T. Anatomy of Linux kernel shared memory. memory/l-kernel-shared-memory-pdf.pdf/, April 2010.

[33] Kelsey, J., Schneier, B., Wagner, D., and Hall, C. Side Channel Cryptanalysis of Product Ciphers. J. Comput. Secur. 8, 2,3 (Aug. 2000), 141-158.

[34] Klíma, V., Pokorny, O., and Rosa, T. Attacking RSAbased sessions in SSL/TLS. In in Proc. of Cryptographic Hardware and Embedded Systems (CHES), 2003 (2003), Springer, pp. 426-440.

[35] Nikos Mavrogiannopoulos and Simon Josefsson. GnuTLS: The GnuTLS transport layer security library. May 2014.

[36] Osvik, D. A., Shamir, A., and Tromer, E. Cache attacks and countermeasures: The case of AES. In Proceedings of the 2006 The Cryptographers’ Track at the RSA Conference on Topics in Cryptology (Berlin, Heidelberg, 2006), CT-RSA’06, Springer-Verlag, pp. 1-20.

[37] Page, D. Theoretical use of cache memory as a cryptanalytic side-channel, 2002.

[38] PolarSSL. PolarSSL: Straightforward,secure communication.

[39] Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (New York, NY, USA, 2009), CCS ’09, ACM, pp. 199-212.

[40] Suzaki, K., Iijima, K., Yagi, T., and Artho, C. Memory deduplication as a threat to the guest OS. In Proceedings of the Fourth European Workshop on System Security (2011), ACM, p. 1.

[41] Suzaki, K., Iijima, K., Yagi, T., and Artho, C. Software side channel attack on memory deduplication. SOSP POSTER (2011).

[42] Suzaki, K., Iijima, K., Yagi, T., and Artho, C. Effects of memory randomization, sanitization and page cache on memory deduplication.

[43] The Guardian. More than 300k systems ’still vulnerable’ to Heartbleed attacks. technology/2014/jun/23/heartbleed-attacks-vulnerableopenssl, July 2014.

[44] The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS., April 2003.

[45] Tsunoo, Y., Saito, T., Suzaki, T., and Shigeri, M. Cryptanalysis of DES implemented on computers with cache. In Proc. of CHES 2003, Springer LNCS (2003), Springer-Verlag, pp. 62-76.

[46] Vattikonda, B. C., Das, S., and Shacham, H. Eliminating fine grained timers in xen.

[47] Vaudenay, S. Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. In Proceedings of In Advances in Cryptology - EUROCRYPT’02 (2002), Springer- Verlag, pp. 534-546.

[48] Waldspurger, C. A. Memory resource management in VMware ESX server. ACM SIGOPS Operating Systems Review 36, SI (2002), 181-194.

[49] Wang, Z., and Lee, R. B. New cache designs for thwarting software cache-based side channel attacks. In Proceedings of the 34th Annual International Symposium on Computer Architecture (New York, NY, USA, 2007), ISCA ’07, ACM, pp. 494-505.

[50] Yarom, Y., and Benger, N. Recovering OpenSSL ECDSA nonces using the flush+reload cache side-channel attack. Cryptology ePrint Archive, Report 2014/140, 2014. https: //

[51] Yarom, Y., and Falkner, K. E. Flush+reload: a high resolution, low noise, L3 cache side-channel attack. IACR Cryptology ePrint Archive 2013 (2013), 448.

[52] Zhang, Y., Juels, A., Oprea, A., and Reiter, M. K. Homealone: Co-residency detection in the cloud via sidechannel analysis. In Proceedings of the 2011 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2011), SP ’11, IEEE Computer Society, pp. 313-328.

[53] Zhang, Y., Juels, A., Reiter, M. K., and Ristenpart, T. Cross-VM side channels and their use to extract private keys. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (New York, NY, USA, 2012), CCS ’12, ACM, pp. 305-316.

[54] Zhang, Y., Juels, A., Reiter, M. K., and Ristenpart, T. Cross-tenant side-channel attacks in paas clouds. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (New York, NY, USA, 2014), CCS ’14, ACM, pp. 990-1003.

Journal Information


All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 194 194 32
PDF Downloads 61 61 9