Mitigation for Frequency Throttling Side-Channel Attack
More information about the attack can be found in Intel Software Security Guidance and in the published paper: Chen Liu, Abhishek Chakraborty, Nikhil Chawla, Neer Roggel. 2022. Frequency Throttling Side-Channel Attack. https://arxiv.org/pdf/2206.07012.pdf
The mitigation implemented in IPP Crypto covers AES encryption and decryption in ECB (ippsAESDecryptECB, ippsAESEncryptECB) and GCM (ippsAES_GCMDecrypt, ippsAES_GCMEncrypt) modes, and AES CMAC (ippsAES_CMACUpdate).
The mitigation is based on random noise injections for every fixed amount of processed data. There are 3 new APIs that should be used to enable the mitigation for AES.
The main difference between these APIs is that they work with different types of AES context: IppsAESSpec, IppsAES_GCMState, IppsAES_CMACState.
The general usage flow is GetSize -> Init -> SetupNoise -> Processing. For example:
AES ECB mode:
ippsAESGetSize()
ippsAESInit()
ippsAESSetupNoise()
ippsAESEncryptECB() / ippsAESDecryptECB()
AES GCM mode:
ippsAES_GCMGetSize()
ippsAES_GCMInit()
ippsAES_GCMSetupNoise()
AES CMAC mode:
ippsAES_CMACGetSize()
ippsAES_CMACInit()
ippsAES_CMACSetupNoise()
The mitigation is enabled only explicitly, by calling the corresponding SetupNoise function with a non-zero noiseLevel parameter (the amount of noise injected).
Accordingly, to disable the mitigation in the flow, call the SetupNoise function with noiseLevel equal to 0.
Calling the ippsAESInit, ippsAES_GCMInit or ippsAES_CMACInit functions also resets the mitigation parameters stored in the context, so these calls can also be used to disable the mitigation if it was enabled earlier.
The mitigation is available when AES-NI or VAES instructions are present on the current CPU.
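The context lifecycle described above has one practical consequence: re-initializing a context silently turns the mitigation off until SetupNoise is called again. The following toy model is an added example, not IPP Crypto code; every name in it, the 256-byte chunk size and the busy-loop form of the noise are assumptions made for illustration.

```c
/* Toy model of the noise-mitigation lifecycle; NOT IPP Crypto code.
 * All names, CHUNK_BYTES and the busy-loop "noise" are assumptions. */
#include <stddef.h>
#include <stdlib.h>

#define CHUNK_BYTES 256u   /* assumed "fixed amount of processing data" */

typedef struct {
    unsigned noise_level;  /* 0 = mitigation disabled */
    size_t   since_noise;  /* bytes processed since the last injection */
} model_ctx;

/* Models Init: (re)keying also resets the mitigation parameters. */
void model_init(model_ctx *c) { c->noise_level = 0; c->since_noise = 0; }

/* Models SetupNoise: a non-zero level enables, zero disables. */
void model_setup_noise(model_ctx *c, unsigned level) {
    c->noise_level = level;
    c->since_noise = 0;
}

/* Stand-in for the injected noise: a random amount of dummy work. */
static void inject_noise(unsigned level) {
    volatile unsigned sink = 0;
    unsigned spins = (unsigned)rand() % (level * 64u) + 1u;
    while (spins--) sink += spins;
}

/* Models processing len bytes; returns how many injections occurred. */
size_t model_process(model_ctx *c, size_t len) {
    size_t injections = 0;
    if (c->noise_level == 0) return 0;
    c->since_noise += len;
    while (c->since_noise >= CHUNK_BYTES) {
        inject_noise(c->noise_level);
        c->since_noise -= CHUNK_BYTES;
        injections++;
    }
    return injections;
}

/* Re-key without silently losing the mitigation: restore the level. */
void model_rekey_keep_noise(model_ctx *c) {
    unsigned level = c->noise_level;
    model_init(c);
    model_setup_noise(c, level);
}
```

In real code the same pattern applies: any wrapper that calls an Init function on an existing context should call the matching SetupNoise function again afterwards if the mitigation is meant to stay on.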