- Library Home /
- Search Collections /
- Open Collections /
- Browse Collections /
- UBC Theses and Dissertations /
- Cache side-channel attacks on language runtimes
Open Collections
UBC Theses and Dissertations
UBC Theses and Dissertations
Cache side-channel attacks on language runtimes Wang, Yayu
Abstract
Cache side-channel attacks are a class of attacks where an attacker co-located with a victim application on a server infers the victim’s secrets from observations of the victim’s usage of shared caches. Conventionally, cache side-channel attacks have been used to leak sensitive information from applications written in statically typed languages (e.g., C) and compiled into binary. However, cache side-channel vulnerabilities in applications using language runtimes have received less attention. Language runtimes introduce several barriers to performing cache side-channel attacks. First, with language runtimes, the application code is converted into a bytecode sequence, which is then interpreted as a sequence of machine instructions during execution. The attacker therefore needs to identify the cache lines that uniquely map to the sequence of machine instructions corresponding to specific bytecode operations in the victim’s logic. Second, the control flow in runtime interpretation logic might influence the state of the cache, which is shared between the attacker, the victim application, and the runtime. Consequently, the runtime induces noise in the cache measurements that prevents the attacker from accurately inferring the victim’s execution logic. We address the above challenges and demonstrate that cache side-channel attacks can be exploited on applications executed with language runtimes. We present two well-known types of cache side-channel attacks, namely Prime+Scope and Flush+Reload, on a JavaScript implementation of RSA that is run on QuickJS. We show that even if the RSA source code is hardened to have secret-independent execution time, an attacker can derive the secret key via cache side-channel observations on RSA’s bytecode interpretation with 99% accuracy after only 32 runs of the RSA.
Item Metadata
| Title |
Cache side-channel attacks on language runtimes
|
| Creator | |
| Supervisor | |
| Publisher |
University of British Columbia
|
| Date Issued |
2025
|
| Description |
Cache side-channel attacks are a class of attacks where an attacker co-located with a victim application on a server infers the victim’s secrets from observations of the victim’s usage of shared caches. Conventionally, cache side-channel attacks have been used to leak sensitive information from applications written in statically typed languages (e.g., C) and compiled into binary. However, cache side-channel vulnerabilities in applications using language runtimes have received less attention.
Language runtimes introduce several barriers to performing cache side-channel attacks. First, with language runtimes, the application code is converted into a bytecode sequence, which is then interpreted as a sequence of machine instructions during execution. The attacker therefore needs to identify the cache lines that uniquely map to the sequence of machine instructions corresponding to specific bytecode operations in the victim’s logic. Second, the control flow in runtime interpretation logic might influence the state of the cache, which is shared between the attacker, the victim application, and the runtime. Consequently, the runtime induces noise in the cache measurements that prevents the attacker from accurately inferring the victim’s execution logic.
We address the above challenges and demonstrate that cache side-channel attacks can be exploited on applications executed with language runtimes. We present two well-known types of cache side-channel attacks, namely Prime+Scope and Flush+Reload, on a JavaScript implementation of RSA that is run on QuickJS. We show that even if the RSA source code is hardened to have secret-independent execution time, an attacker can derive the secret key via cache side-channel observations on RSA’s bytecode interpretation with 99% accuracy after only 32 runs of the RSA.
|
| Genre | |
| Type | |
| Language |
eng
|
| Date Available |
2025-04-25
|
| Provider |
Vancouver : University of British Columbia Library
|
| Rights |
Attribution-NonCommercial-NoDerivatives 4.0 International
|
| DOI |
10.14288/1.0448547
|
| URI | |
| Degree | |
| Program | |
| Affiliation | |
| Degree Grantor |
University of British Columbia
|
| Graduation Date |
2025-05
|
| Campus | |
| Scholarly Level |
Graduate
|
| Rights URI | |
| Aggregated Source Repository |
DSpace
|
Item Media
Item Citations and Data
Rights
Attribution-NonCommercial-NoDerivatives 4.0 International