Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "IT Underground conference in Rome cancelled at last minute"] [Next entry: "Pete Finnigan at UKOUG 2006"]

Cache missing for fun and profit

I saw a mention of this paper on a list somewhere and made a note to have a look. This is a very interesting idea on how to hack cryptographic keys. The paper is titled "Cache missing for fun and profit" - by Colin Percival

"Abstract. Simultaneous multithreading — put simply, the shar-ing of the execution resources of a superscalar processor betweenmultiple execution threads — has recently become widespread viaits introduction (under the name “Hyper-Threading”) into IntelPentium 4 processors. In this implementation, for reasons of ef-ficiency and economy of processor area, the sharing of processorresources between threads extends beyond the execution units; ofparticular concern is that the threads share access to the memorycaches.We demonstrate that this shared access to memory caches pro-vides not only an easily used high bandwidth covert channel be-tween threads, but also permits a malicious thread (operating, intheory, with limited privileges) to monitor the execution of anotherthread, allowing in many cases for theft of cryptographic keys.Finally, we provide some suggestions to processor designers, op-erating system vendors, and the authors of cryptographic software,of how this attack could be mitigated or eliminated entirely."