a hacker s guide to reducing side channel atuack surgaces
play

A Hackers guide to reducing side-channel atuack surgaces using - PowerPoint PPT Presentation

Apr 15, 2023 •253 likes •935 views

A Hackers guide to reducing side-channel atuack surgaces using deep-learning Google, @jmichel_p Google, @elie with the help of many Googlers and external collaborators Security and Privacy Group Talk is based on some of the results of a

  1. A Hacker’s guide to reducing side-channel atuack surgaces using deep-learning Google, @jmichel_p Google, @elie with the help of many Googlers and external collaborators Security and Privacy Group

  2. Talk is based on some of the results of a joint research project with many collaborators on hardening hardware cryptography Security and Privacy Group

  3. Work in progress Experimental results and code ahead Security and Privacy Group

  4. Side channel atuacks are one of the most effjcient ways to atuack secure hardware Security and Privacy Group

  5. A side-channel atuack was used to recover the Trezor bitcoin wallet private key htups://jochen-hoenicke.de/crypto/trezor-power-analysis/ Security and Privacy Group

  6. Side-channels atuacks are notoriously hard to debug and fjx Security and Privacy Group

  7. Can we create a debugger ? that accurately pinpoints the code vulnerable to side-channel atuacks? Security and Privacy Group

  8. Combine deep-learning and dynamic analysis to pinpoint origin of leakage Security and Privacy Group

  9. AI? Really? Security and Privacy Group

  10. Side Channel Atuacks Leak Detector Security and Privacy Group

  11. Today’s goal : use SCALD to debug tinyAES running on STM32F4 Security and Privacy Group

  12. Agenda What are side channels? AI based side-channel atuacks AI explainability Finding implementation leakage origin with SCALD Security and Privacy Group

  13. Code and slides htups://elie.net/scald Security and Privacy Group

  14. Disclaimer This talk purposely focuses on showcasing a high level overview of how to debug a cryptographic implementation end-to-end using SCALD. For technical details, see the paper Security and Privacy Group

  15. Paru 1 What are side-channel atuacks? Security and Privacy Group

  16. A side-channel atuack is an indirect measurement of a computation result via an auxiliary mechanism Security and Privacy Group

  17. Real-world side-channel applications Extract crypto Recover Pergorm blind Steal passwords wallets encryption keys SQL injections and pins Security and Privacy Group

  18. Plaintext Timing Current Heat Secret Key Electromagnetic emission Security and Privacy Group

  19. 1 2 3 4 5 6 7 8 9 10 AES round are visible in lightly protected AES implementation power traces Security and Privacy Group

  20. SCA in a nutshell Encryption Signal acquisition Template atuack AES key! Security and Privacy Group

  21. NewAE Chipwhisperer Pro + Picoscope 6000 for fast sampling rate is what we use for our research This is not an ad :) it is a recommendation based on what we use Security and Privacy Group

  22. Section 2 AI based side-channel atuacks Security and Privacy Group

  23. Side Channel Atuacks Automated with Machine Learning Security and Privacy Group

  24. How do SCAAML atuacks work in practice? Security and Privacy Group

  25. Check out last year talk for in-depth explanation htups://elie.net/scaaml Security and Privacy Group

  26. Threat model whitebox atuack Contrary to our previous work that focused on black box atuacks, the traces used in this talk are truncated and collected synchronously to improve debugging quality. This is consistent with the white-box atuack model used during chip development. Additionally, the model architecture is also optimized for debugging, not pure pergormance. Security and Privacy Group

  27. SCAAML process overview Encryption Signal acquisition Predictions Combine DNN AES key! (ChipWhisperer) using DNN predictions Security and Privacy Group

  28. key key PT TinyAES has multiples atuack points that can be sub_bytes_in targeted by SCAAML. Today we focus on SBOX sub_bytes_in sub_bytes_out Security and Privacy Group

  29. Probabilistic atuack: ... ... Security and Privacy Group

  30. Probabilistic atuack: Val 0: 0.10 Val 0: 0.08 Val 0: 4.4 Val 1: 0.02 Val 1: 0.04 Val 1: 5.3 Val 2: 0.01 Val 2: 0.05 Val 2: 3.2 + … + ... ... ... Val 42: 0.3 Val 42: 0.12 Val 42: 21.4 ... ... ... Val 254: 0.02 Val 254: 0.03 Val 254: 2.9 Val 255: 0.05 Val 255: 0.10 Val 255: 4.2 *sum uses log10 + ε Security and Privacy Group

  31. Model architecture Hyperuuned residual separated 1D convolution network Custom residual block used Security and Privacy Group

  32. Tensorboards - 1 model per byte Security and Privacy Group

  33. Our side-channel optimized model architecture yield 16 high accuracy model in 5 epoch as expect on this easy use-case Security and Privacy Group

  34. How to fjnd where ? TinyAES is leaking using our model? Security and Privacy Group

  35. Section 3 Deep-learning explainability Security and Privacy Group

  36. A classic vision model prediction Boxer ... Tiger cat Security and Privacy Group

  37. Why did the model ? predict a tiger cat and a boxer? Security and Privacy Group

  38. Explainability to the rescue: Why did the model ? Boxer predict a tiger cat and dog? Explainer Security and Privacy Group

  39. Explainability to the rescue: Why did the model ? Tiger cat predict a tiger cat and dog? Security and Privacy Group

  40. Identifying errors and biases Unmasking Clever Hans Predictors and Assessing What Machines Really Learn Security and Privacy Group

  41. How do I use explainability and ? combine it with dynamic analysis to debug leakages? Security and Privacy Group

  42. Section 4 Finding leakage origin with SCALD Security and Privacy Group

  43. Annotated code SCALD: Game plan SCALD: Game plan Target emulator Model (cpu + fjrmware) Annotated code Explainer Target emulator Traces + predictions Leakage map Security and Privacy Group

  44. Many explainability techniques exists Sanity Checks for Saliency Maps - Adebayo et al. Security and Privacy Group

  45. Which explainability ? techniques work best? Security and Privacy Group

  46. Leak maps Aggregate, fjlter, and normalize Reduce to key spikes Security and Privacy Group

  47. Byte 0 leak map SNR visualization for various techniques Grad Cam++ Activations maps Security and Privacy Group

  48. Benchmarking key explainability techniques mask top n points Accuracy decrease Test traces model Leak map Security and Privacy Group

  49. Benchmark results: lower is betuer 100% 95% 95% 57% 58% 58% 44% Byte 0 Byte 7 Byte 7 Byte 7 Byte 0 Byte 0 Baseline SNR Activation Grad Cam++ maps Security and Privacy Group Preliminary results - 4 points masked

  50. Explainability techniques don’t work betuer than SNR and have very noisy leak maps Security and Privacy Group

  51. Develop a technique tailored to leakage explanation Security and Privacy Group

  52. Custom code? Really? Security and Privacy Group

  53. SCALD leakage map SCALD explainer combines paruitioned Byte 0 and convolutive occlusion for speed and precise leakage Byte 7 pinpointing Security and Privacy Group

  54. Benchmark results: lower is betuer 100% 95% 95% 57% 58% 58% 44% 42% 17% Byte 0 Byte 7 Byte 7 Byte 7 Byte 0 Byte 0 Baseline SNR Activation Grad Cam++ SCALD maps Security and Privacy Group Preliminary results - 4 points masked

  55. SNR byte 0 leak maps comparaison: the Gradcam SCALD map is visibly cleaner SCALD Security and Privacy Group

  56. SCALD custom explainability technique decreases accuracy the most and generate low noise leak map Security and Privacy Group

  57. How do you go from the ? leakage map to code? Security and Privacy Group

  58. From traces to CPU instructions state automaton FW CPU Leakage map Mapped ASM Security and Privacy Group

  59. From CPU instructions to code Firmware Debug symbol Mapped ASM Code mapper Code leakage mapping Security and Privacy Group

  60. Theory looks great but ? how hard is it in practice? Security and Privacy Group

  61. Requirements An explanation technique that have single point precision We need to isolate the exact few points of the traces that cause most of the leakage as some instruction only take one cycle or two (4 or 8 traces points) An emulator that have single cycle precision We need to map each instruction to its exact cycle to be able to map them to the trace. A single error and the entire analysis is wrong as all instruction will be shifued. A bit of computation You need a 1M data point dataset, 16 models, 16 explanations, 1 full target execution and 1 mapping. With all our optimization this is requires a few days of computation that are parallelizable. Security and Privacy Group

  62. This level of explainability and emulation precision seems out-of reach Security and Privacy Group

  63. Model targeting sub_bytes_in are expected to mostly exploit leakage in the AddRoundKey() function STM32F4 - TinyAES Security and Privacy Group

  64. TinyAES aes.c line 213 is exactly the sub_byte_in operation! SCALD perfectly identify the main source of leakage. Scald analysis result output Security and Privacy Group

  65. SCALD is able to automatically isolate the exact code vulnerable to a given SCAAML side-channel atuack Security and Privacy Group

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam

Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam

Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam Bhasin 1 , Dirmanto Jap 1 , Anupam Chattopadhyay 1 , Stjepan Picek 2 , Annelie Heuser 3 , and Ritu Ranjan Shrivastwa 4 1 NTU, Singapore 2 TU Delft,

335 views • 22 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel

The Curse of Class Imbalance and Conflicting Metrics with Machine Learning for Side-channel Evaluations Stjepan Picek, Annelie Heuser, Alan Jovic, Shivam Bhasin, and Francesco Regazzoni Big Picture side-channel measurements device classifier

822 views • 33 slides
Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit e catholique

355 views • 24 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
The Need for Speed: Applications of HPC in Side Channel

The Need for Speed: Applications of HPC in Side Channel

The Need for Speed: Applications of HPC in Side Channel Research Dr. M. Elisabeth Oswald Reader, EPSRC Leadership Fellow University of Bristol Roadmap

280 views • 25 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
Reducing Social Isolation and Loneliness by enabling and empowering people with dementia ntia

Reducing Social Isolation and Loneliness by enabling and empowering people with dementia ntia

Exploring opportunities Building communities Changing lives Side by Side Reducing Social Isolation and Loneliness by enabling and empowering people with dementia ntia Side by Side 2 Reducing Social Isolation and Loneliness by enabling and

494 views • 10 slides
Learning Software Engineering - Online 29 th Pacific NW Software Quality Conference Oct 10-12 2011

Learning Software Engineering - Online 29 th Pacific NW Software Quality Conference Oct 10-12 2011

10/13/2011 Learning Software Engineering - Online 29 th Pacific NW Software Quality Conference Oct 10-12 2011 Kal Toth, kalmanctoth@gmail.com 10/13/2011 PNSQC 2011: Leanring Software Engineering - Online, Kal Toth 1 Unstated Goal Learning

386 views • 13 slides
Ontstolling in de dagelijkse praktijk casustiek Alles wat u wilt weten over ontstolling en

Ontstolling in de dagelijkse praktijk casustiek Alles wat u wilt weten over ontstolling en

Ontstolling in de dagelijkse praktijk casustiek Alles wat u wilt weten over ontstolling en plaatjesremming bij CAD, hartfalen, AF en stents (VKA, NOAC, aspirine, clopidogrel, prasugrel en ticagrelor) Jur ten Berg, cardioloog 1 2016

539 views • 33 slides
Ultra-high dimensional statistics and statistical learning on some applications Dominique Picard

Ultra-high dimensional statistics and statistical learning on some applications Dominique Picard

Examples Linear model Mathematical ingredients LOL algo Ultra-high dimensional statistics and statistical learning on some applications Dominique Picard Universit e Paris-Diderot Laboratoire Probabilit es et Mod` eles Al eatoires

1.19k views • 86 slides
CISC323: Introduction to Software developing software that organizes the effort into a number of

CISC323: Introduction to Software developing software that organizes the effort into a number of

Software Process A software (development) process is a method for CISC323: Introduction to Software developing software

469 views • 13 slides
Spring Scales Theyre only accurate when everything is at rest Turn off all electronic

Spring Scales Theyre only accurate when everything is at rest Turn off all electronic

Spring Scales 1 Spring Scales 2 Observations about Spring Scales They move downward during weighing They take a little time to settle Spring Scales Theyre only accurate when everything is at rest Turn off all electronic devices

330 views • 3 slides
DCS/CSCI 2350: Social & Economic Networks WWW: Information Networks Chapters 13, 14 Mohammad

DCS/CSCI 2350: Social & Economic Networks WWW: Information Networks Chapters 13, 14 Mohammad

5/4/16 DCS/CSCI 2350: Social & Economic Networks WWW: Information Networks Chapters 13, 14 Mohammad T . Irfan Announcements u My office hours u Today 12pm, Tuesday 46pm u Cory's office hours u Wednesday 79pm u

415 views • 17 slides
The Tor software ecosystem Roger Dingledine Jacob Appelbaum The Tor Project

The Tor software ecosystem Roger Dingledine Jacob Appelbaum The Tor Project

The Tor software ecosystem Roger Dingledine Jacob Appelbaum The Tor Project https://torproject.org/ 1 Tor: client, relay/bridge, dir (heavy) 2 Tor: hidden services (moderate) 3 All of these projects are listed at

701 views • 59 slides
Sam Asci Council staff Scallop AP/Committee September 13 th & 14 th , 2018 Recap of input to

Sam Asci Council staff Scallop AP/Committee September 13 th & 14 th , 2018 Recap of input to

Doc.6a Sam Asci Council staff Scallop AP/Committee September 13 th & 14 th , 2018 Recap of input to date Committee (March-18) Ranked priority, and recommended continuing work PDT Tasking Motion Advisory Panel (March-18)

422 views • 31 slides

More recommend