1 Cyberspace Research Institute, Shahid Beheshti University, Iran

2 Iran-Tehran



In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used in the crypto libraries like OpenSSL.
Several Flush+Reload attacks on T-table implementation of AES have been proposed in the literature which requires a notable number of encryptions. In this paper, we present a technique to enhance the Flush+Reload attack on AES in the ciphertext-only scenario by significantly reducing the number of needed encryptions in both native and cross-VM setups. In this paper, we focus on finding the wrong key candidates and keep the right key by considering only the cache miss event. Our attack is faster than previous Flush+Reload attacks. In particular, our method can speed-up the Flush+Reload attack in cross-VM environment significantly. To verify the theoretical model, we implemented the proposed attack.


[1] Daniel J Bernstein. "cache-timing attacks on aes". Citeseer, 2005.

[2] Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. "a survey of microarchitectural timing attacks and countermeasures on contemporary hardware". Journal of Cryptographic Engineering, 8(1):1–27, 2018.

[3] Colin Percival. "cache missing for fun and profit". BSDCan, 2005.

[4] Yuval Yarom and Katrina Falkner. "FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack". In Kevin Fu and Jaeyeon Jung, editors, 23rd USENIX Security Symposium, pages 719–732. USENIX Association, 2014.

[5] Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and Yuval Yarom. "the 9 lives of bleichenbacher’s cat: New cache attacks on tls implementations". In 2019 IEEE Symposium on Security and Privacy (SP), pages 435–452. IEEE, 2019.

[6] Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar. "wait a minute! a fast, cross-vm attack on aes". In International Workshop on Recent Advances in Intrusion Detection, pages 299–319. Springer, 2014.

[7] Berk Gülmezoğlu, Mehmet Sinan Inci, Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. "a faster and more realistic flush+ reload attack on aes". In International Workshop on Constructive Side-Channel Analysis and Secure Design, pages 111–126. Springer, 2015.

[8] Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. "flush+ flush: a fast and stealthy cache attack". In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 279– 299. Springer, 2016.

[9] Paul C Kocher. "timing attacks on implementations of diffie-hellman, rsa, dss, and other systems". In Annual International Cryptology Conference, pages 104–113. Springer, 1996.

[10] Dag Arne Osvik, Adi Shamir, and Eran Tromer. "cache attacks and countermeasures: the case of aes". pages 1–20, 2006.

[11] Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. "hey, you, get off of my cloud: exploring information leakage in thirdparty compute clouds". In Proceedings of the 16th ACM conference on Computer and communications security, pages 199–212. ACM, 2009.

[12] David Gullasch, Endre Bangerter, and Stephan Krenn. "cache games–bringing access-based cache attacks on aes to practice". In 2011 IEEE Symposium on Security and Privacy, pages 490– 505. IEEE, 2011.

[13] Gorka Irazoqui Apecechea, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar. "fine grain cross-vm attacks on xen and vmware are possible!". volume 2014, page 248. Citeseer, 2014.

[14] Yuval Yarom and Naomi Benger. "recovering openssl ecdsa nonces using the flush+ reload cache side-channel attack". volume 2014, page 140, 2014.

[15] Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B Lee. "last-level cache sidechannel attacks are practical". In 2015 IEEE Symposium on Security and Privacy, pages 605– 622. IEEE, 2015.

[16] Leon Groot Bruinderink, Andreas Hülsing, Tanja Lange, and Yuval Yarom. "flush, gauss, and reload–a cache attack on the bliss lattice-based signature scheme". In International Conference on Cryptographic Hardware and Embedded Systems, pages 323–345. Springer, 2016.

[17] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. "meltdown". arXiv preprint arXiv:1801.01207, 2018.

[18] Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, and Daniel Gruss. "zombieload: Cross-privilegeboundary data sampling". In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 753–768, 2019.

[19] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, et al. "spectre attacks: Exploiting speculative execution". In 2019 IEEE Symposium on Security and Privacy (SP), pages 1–19. IEEE, 2019.

[20] Michael Schwarz, Robert Schilling, Florian Kargl, Moritz Lipp, Claudio Canella, and Daniel Gruss. "context: Leakage-free transient execution". arXiv preprint arXiv:1905.09100, 2019.

[21] Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Frank Piessens, Berk Sunar, and Yuval Yarom. "fallout: Reading kernel writes from user space". arXiv preprint arXiv:1905.12701, 2019.

[22] Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. "ridl: Rogue in-flight data load". S&P (May 2019), 2019.

[23] Michael Schwarz, Martin Schwarzl, Moritz Lipp, Jon Masters, and Daniel Gruss. "netspectre: Read arbitrary memory over network". In European Symposium on Research in Computer Security, pages 279–299. Springer, 2019.

[24] Mathy Vanhoef and Eyal Ronen. "dragonblood: Analyzing the dragonfly handshake of wpa3 and eap-pwd". In Proceedings of the 2020 IEEE Symposium on Security and Privacy-S&P 2020). IEEE, 2020.

[25] Samira Briongos, Pedro Malagón, Juan-Mariano de Goyeneche, and Jose M Moya. "cache misses and the recovery of the full aes 256 key". Applied Sciences, 9(5):944, 2019.