### Seeds of SEED: **R-SAW**: New Side Channels Exploiting Read Asymmetry in MLC Phase Change Memories

Md Hafizul Islam Chowdhuryy<sup>1</sup>, Ricard Ewetz<sup>1</sup>, Amro Awad<sup>2</sup>, and Fan Yao<sup>1</sup>

<sup>1</sup>Department of ECE University of Central Florida Florida <sup>2</sup>Department of ECE North Carolina State University North Carolina

International Symposium on Secure and Private Execution Environment Design (SEED) September 20 - 21, 2021

- Information security in hardware is a major concern.
  - Many microarchitectural components can be sources of leakage

- Information security in hardware is a major concern.
  - Many microarchitectural components can be sources of leakage

### Emerging technologies in memory subsystems (Non-volatile memory).

- PCM is the major contender for future main memory
- Prior works focus on data integrity and remanence issues
- No prior studies of μarch timing channels in PCM







- Information security in hardware is a major concern.
  - Many microarchitectural components can be sources of leakage

### Emerging technologies in memory subsystems (Non-volatile memory).

- PCM is the major contender for future main memory
- Prior works focus on data integrity and remanence issues
- No prior studies of μarch timing channels in PCM



**Lessons from past:** Security needs to be understood by design, instead of an afterthought.

Information security in hardware is a major concern.

Many microarchitectural components can be sources of leakage

Emerging technologies in mentic work vstems (Non-volatile memory).

First investigation of information leakage vulnerabilities in Multi-level Cell PCM

**Lessons from past:** Security needs to be understood by design, instead of an afterthought.

PCM cells have wide range of resistance.



- PCM cells have wide range of resistance.
- **Single-level cell mode (SLC):** Each cell stores one bit.



- PCM cells have wide range of resistance.
- **Single-level cell mode (SLC):** Each cell stores one bit.
- Multi-level cell mode (MLC): Each cell stores two (or more) bits.











4



Decouple MSB bit reads from LSB bit reads.



- Decouple MSB bit reads from LSB bit reads.
- ✤ Inter-line striping: Stripe alternating lines in different speed grades.



- Decouple MSB bit reads from LSB bit reads.
- ✤ Inter-line striping: Stripe alternating lines in different speed grades.
  - MSB Lines: Memory lines containing *all* MSB bits (faster)



- Decouple MSB bit reads from LSB bit reads.
- Inter-line striping: Stripe alternating lines in different speed grades.
  - MSB Lines: Memory lines containing *all* MSB bits (faster)
  - LSB Lines: Memory lines containing *all* LSB bits (slower)

### ✤ <u>Microbenchmark:</u>

- Issues fixed number of memory accesses
- Varies MSB and LSB lines accesses

### ✤ Microbenchmark:

- Issues fixed number of memory accesses
- Varies MSB and LSB lines accesses

Increasing LSB ratio -> Deterministic linear increase in execution time



### ✤ Microbenchmark:

- Issues fixed number of memory accesses
- Varies MSB and LSB lines accesses

Increasing LSB ratio -> Deterministic linear increase in execution time



#### Microbenchmark:

Differentiation in PCM access patterns can induce externally observable slow and fast executions.

Increasing LSB ratio -> Deterministic linear increase in execution time











- ✤ AES encryption uses pre-computed values from memory (t-tables).
- PCM access patterns to these t-tables are secret key dependent.



# Attacking AES with R-SAW: Offline Profiling

- Collects LSB/MSB access ratios (P) of encryption for random plaintext (PT) and key.
- Organizes the *P* based on last round key byte and ciphertext (CT) byte value pair.
- For each key byte value, MPV stores the P corresponding to each CT byte value.

Memory-pattern vector (MPV): 
$$\mathcal{M}(u) = \{\overline{P}^0_{(u)}, \overline{P}^1_{(u)}, ..., \overline{P}^{255}_{(u)}\}$$

# Attacking AES with R-SAW: Offline Profiling

- Collects LSB/MSB access ratios (P) of encryption for random plaintext (PT) and key.
- Organizes the *P* based on last round key byte and ciphertext (CT) byte value pair.
- For each key byte value, MPV stores the P corresponding to each CT byte value.

Memory-pattern vector (MPV): 
$$\mathcal{M}(u) = \{\overline{P}_{(u)}^{0}, \overline{P}_{(u)}^{1}, ..., \overline{P}_{(u)}^{255}\}$$
  
Last round key byte value, U  
Last round key byte value, U  
LSB Access ratio when  = 

# Attacking AES with R-SAW: Offline Profiling

- Collects LSB/MSB access ratios (P) of encryption for random plaintext (PT) and key.
- Organizes the *P* based on last round key byte and ciphertext (CT) byte value pair.
- For each key byte value, MPV stores the P corresponding to each CT byte value.

Memory-pattern vector (MPV): 
$$\mathcal{M}(u) = \{\overline{P}_{(u)}^{0}, \overline{P}_{(u)}^{1}, ..., P_{(u)}^{255}\}$$
  
Last round key byte value, U  
LSB Access ratio when  $\langle key, ciphertext \rangle = \langle u, 255 \rangle$ 

**Profile dataset:** For each key byte, 256 MPVs corresponding to each value of **U** 

# Attacking AES with R-SAW: Runtime Monitoring

- Attacker monitors encryption times (*L*) for AES encryptions (unknown key).
- Organizes the *L* based ciphertext byte value.
- Attacker creates **ETV** by collecting **L** for each ciphertext byte value.

Encryption-timing vector (ETV): 
$$\mathcal{T}(\mathbf{x}) = \{\overline{L}_{(\mathbf{x})}^0, \overline{L}_{(\mathbf{x})}^1, ..., \overline{L}_{(\mathbf{x})}^{255}\}$$

# Attacking AES with R-SAW: Runtime Monitoring

- Attacker monitors encryption times (*L*) for AES encryptions (unknown key).
- Organizes the *L* based ciphertext byte value.
- Attacker creates **ETV** by collecting *L* for each ciphertext byte value.

Encryption-timing vector (ETV): 
$$\mathcal{T}(\mathbf{x}) = \{\overline{L}_{(\mathbf{x})}^{0}, \overline{L}_{(\mathbf{x})}^{1}, ..., \overline{L}_{(\mathbf{x})}^{255}\}$$
  
Key byte value, unknown  
Key byte value, unknown  
 $(\mathbf{Encryption time when} < key, ciphertext > = < unknown, 255 > )$ 

# Attacking AES with R-SAW: Runtime Monitoring

- Attacker monitors encryption times (*L*) for AES encryptions (unknown key).
- Organizes the *L* based ciphertext byte value.
- Attacker creates **ETV** by collecting **L** for each ciphertext byte value.

Encryption-timing vector (ETV): 
$$\mathcal{T}(\mathbf{x}) = \{\overline{L}_{(\mathbf{x})}^{0}, \overline{L}_{(\mathbf{x})}^{1}, ..., \overline{L}_{(\mathbf{x})}^{255}\}$$
  
Key byte value, unknown  
Key byte value, unknown  
Key, ciphertext> = 

#### <u>Attack data:</u> One ETV for the key byte value, **Unknown**

# Attacking AES with R-SAW: Correlation Analysis

- Correlation analysis between <u>attack data</u> and <u>profile dataset</u>.
- Highest and outstanding correlation may indicate the unknown key value.





Two example traces of MPV from local system











### More on paper

Comparison of R-SAW with state-of-the-art cache-based attacks.

- Resiliency of R-SAW against system noise
- Feasibility of R-SAW with small number of attack samples
- Discussions on potential mitigations for R-SAW.



### Thanks! Questions?

Md Hafizul Islam Chowdhuryy Email: <u>reyad@knights.ucf.edu</u>