Cross-VM cache attacks on Camellia

Flush+Reload is a powerful cache-based side-channel attack in which the attacker takes advantage of a security weakness in the X86 processor architecture to ascertain whether specific cache lines are accessed by the victim or not. The Flush+Reload attack can be performed in a cross-core setting under the assumption that the last level cache is shared between the cores. In this paper, we demonstrate that Camellia implementations of OpenSSL 1.1.0 running inside the victim VM are vulnerable to the Flush+Reload attacks. Camellia is an ISO/IEC standard and CRYPTREC-portfolio cipher which was jointly designed by NTT and Mitsubishi. Our experimental results demonstrate that the attacker is able to recover the secret keys of Camellia in less than 1 minute in the native setup by utilizing the Flush+Reload technique. Our work demonstrates that common implementations of this standard cipher are vulnerable against Flush+Reload attack in both native and cross-VM setups. To the best of our knowledge, the proposed attacks are the first attack on Camellia that can be applied in the cross-VM setting.