Cache Side-Channel Attack on Mail User Agent

Hodong Kim, Hyundo Yoon, Youngjoo Shin, Junbeom Hur

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    6 Citations (Scopus)

    Abstract

    MUA (Mail User Agent) programs support email encryption functionality for providing confidentiality of the email contents. They encrypt email contents using email encryption standards such as OpenPGP or S/MIME, mostly implemented by GnuPG, or GPG in practice. In order to understand security implication of the structures and analyze any possible vulnerabilities of MUA programs, in this paper, we investigated practical MUAs supporting e-mail encryption. As a result, we found severe vulnerabilities in a list of MUAs that allow cache side-channel attacks in virtualized desktop environments. Our analysis reveals that the root cause originates from the lack of verification and control over third-party cryptographic libraries they adopt. In order to substantiate the importance of the vulnerability we found, we delivered FLUSH+RELOAD attack on those MUA programs and demonstrated that the attack restores 92% of the RSA private keys when recipients read a single encrypted email.

    Original languageEnglish
    Title of host publication34th International Conference on Information Networking, ICOIN 2020
    PublisherIEEE Computer Society
    Pages236-238
    Number of pages3
    ISBN (Electronic)9781728141985
    DOIs
    Publication statusPublished - 2020 Jan
    Event34th International Conference on Information Networking, ICOIN 2020 - Barcelona, Spain
    Duration: 2020 Jan 72020 Jan 10

    Publication series

    NameInternational Conference on Information Networking
    Volume2020-January
    ISSN (Print)1976-7684

    Conference

    Conference34th International Conference on Information Networking, ICOIN 2020
    Country/TerritorySpain
    CityBarcelona
    Period20/1/720/1/10

    Bibliographical note

    Funding Information:
    ACKNOWLEDGMENT This work was supported by Institute of Information communications Technology Planning Evaluation (IITP) grant funded by the Korea government(MSIT) (No.2019-0-00533, Research on CPU vulnerability detection and validation)

    Publisher Copyright:
    © 2020 IEEE.

    Keywords

    • Cache side-channel attack
    • SW vulnerability
    • mail user agent

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Information Systems

    Fingerprint

    Dive into the research topics of 'Cache Side-Channel Attack on Mail User Agent'. Together they form a unique fingerprint.

    Cite this