a new categorization system for side channel attacks on
play

A new categorization system for side-channel attacks on mobile - PowerPoint PPT Presentation

Nov 25, 2022 •189 likes •759 views

A new categorization system for side-channel attacks on mobile devices & more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia Radboud University, Nijmegen, NL 2 Digital Security

  1. A new categorization system for side-channel attacks on mobile devices & more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia

  2. Radboud University, Nijmegen, NL 2

  3. Digital Security (DiS) Group 3

  4. DiS research topics ◮ (Applied) Crypto ◮ Symmetric key crypto ◮ Identity-based applications ◮ Smart cards and RFID security ◮ Hardware security ◮ Side-channel analysis and countermeasures ◮ Fault attacks ◮ Efficient implementations of crypto: hardware and software ◮ Post-quantum crypto ◮ Lightweight crypto: protocols and implementations 4

  5. PhD research overview 5

  6. PhD research overview ◮ Postdoc research interests: hardware- and software-based side channel on mobile devices 5

  7. Outline of my talk ◮ Part I : Establishing a covert channel via USB charging cable on mobile devices 6

  8. Outline of my talk ◮ Part I : Establishing a covert channel via USB charging cable on mobile devices ◮ Part II : New categorization system for side-channel attacks on smartphones 6

  9. Part I No Free Charge Theorem: A Covert Channel via USB Charging Cable on Mobile Devices

  10. Acknowledgment ◮ Joint collaboration: ◮ Paper available at: https://arxiv.org/abs/1609.02750 8

  11. Motivation ◮ Increasing use of smartphones 9

  12. Motivation ◮ Increasing use of smartphones ◮ Battery-draining apps (e.g. Pokémon Go) 9

  13. Motivation ◮ Current situation: Airports, airplanes, shopping malls, gyms, museums, etc.. 10

  14. Motivation ◮ Emerging business model 11

  15. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? 12

  16. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! 12

  17. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! ◮ Contributions: ◮ Demonstrated the practicality of using only the power feature of USB charging cable as a covert channel to exfiltrate data from a device while it is connected to a public charging station. 12

  18. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! ◮ Contributions: ◮ Demonstrated the practicality of using only the power feature of USB charging cable as a covert channel to exfiltrate data from a device while it is connected to a public charging station. ◮ Built a proof-of-concept app, PowerSnitch to communicate bits of information in the form of power bursts back to the adversary 12

  19. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! ◮ Contributions: ◮ Demonstrated the practicality of using only the power feature of USB charging cable as a covert channel to exfiltrate data from a device while it is connected to a public charging station. ◮ Built a proof-of-concept app, PowerSnitch to communicate bits of information in the form of power bursts back to the adversary ◮ Implemented a decoder, which resides on the adversary’s side, i.e., public charging station, to retrieve the binary information embedded in the power bursts. 12

  20. Assumptions ◮ Energy supplier’s side (adversary) ◮ Has physical access to the power meter ◮ Able to monitor and store energy traces through the power meter 13

  21. Assumptions ◮ Energy supplier’s side (adversary) ◮ Has physical access to the power meter ◮ Able to monitor and store energy traces through the power meter ◮ Victim’s side ◮ Has installed the PowerSnitch app ◮ Features of PowerSnitch app : requires access to private data (e.g. contacts), does not rely on traditional permission to transmit data (e.g. WiFi, Bluetooth) 13

  22. Overview of the attack 14

  23. PowerSnitch app ◮ Used to establish a covert channel ◮ Covert channel can be considered as a secret channel used to exfiltrate information from a secured environment in an undetected manner ◮ Can be deployed as a standalone app or as a library in a repackaged app ◮ Runs as a background service ◮ Uses WAKE_LOCK permission to wake up the CPU while phone is in deep sleep mode in order to start transmitting the payload ◮ Works even when user authentication mechanisms (i.e PIN) are in place ◮ Does not use any conventional communication technology (e.g., Wi-Fi, Bluetooth, NFC); can exfiltrate information even if the phone is in airplane mode ◮ Defeats existing USB charging protection dongles, since app only requires the USB power pins to exfiltrate data. 15

  24. Components of the app 16

  25. How does it work? (victim’s side) 17

  26. Overview of the attack - Decoder 18

  27. How does it work? (adversary’s side) 19

  28. Decoder design ◮ Components of the decoder 20

  29. Components of the decoder ◮ 1. Data filtering: ◮ Received signal is passed through a low-pass filter to get rid of high-frequency noises ◮ Helps to smooth the signal and make threshold-based detection of peaks easier 21

  30. Components of the decoder ◮ Data filtering - an example: 22

  31. Components of the decoder ◮ 2. Threshold estimation & 3. Peak detection: ◮ Presence or absence of a peak at a certain time and for a specific period is translated to a corresponding bit 23

  32. Components of the decoder ◮ 2. Threshold estimation & 3. Peak detection: ◮ Presence or absence of a peak at a certain time and for a specific period is translated to a corresponding bit ◮ Peak detection is done by setting an appropriate threshold; anything above the threshold is a peak, else it is just noise 23

  33. Components of the decoder ◮ 2. Threshold estimation & 3. Peak detection: ◮ Presence or absence of a peak at a certain time and for a specific period is translated to a corresponding bit ◮ Peak detection is done by setting an appropriate threshold; anything above the threshold is a peak, else it is just noise ◮ We make use of a ‘start’ and ‘end’ of transmission preamble to set the threshold 23

  34. Evaluation ◮ Android phones: Nexus 4 with Android 5.1.1 (API 22), Nexus 5 with Android 6.0 (API 23), Nexus 6 with Android 6.0 (API 23) and Samsung S5 with Android 5.1.1 (API 22) ◮ Transmitted a payload (from the device) comprising of letters and numbers of ASCII code for a total of 512 bits ◮ Results in terms of Bit Error Ratio (BER) in the transmission of the payload; the lower the BER, the better the quality of the transmission 24

  35. Making PowerSnitch more incognito... ◮ Keep a duty cycle (i.e. the time of power burst in a period) under 50% ◮ Temperature of the device could increase significantly ◮ If attack takes place during battery charge phase, battery will take more time to recharge due to high amount of energy consumed by the CPU 25

  36. Making PowerSnitch more incognito... ◮ Keep a duty cycle (i.e. the time of power burst in a period) under 50% ◮ Temperature of the device could increase significantly ◮ If attack takes place during battery charge phase, battery will take more time to recharge due to high amount of energy consumed by the CPU ◮ Android Debug Bridge (ADB) ◮ It is possible to monitor the CPU power consumption via the ADB ◮ PowerSnitch could easily detect whether ADB setting is active through Settings.Global.ADB_ENABLED , once again provided by an Android API 25

  37. Part II New categorization system for side-channel attacks on smartphones

  38. Side Channel Analysis (SCA) ◮ Previous work: ◮ Smudge attacks on smartphone touch screens (WOOT 2010) ◮ Inferring Keystrokes on Touch Screen from Smartphone Motion (HotSec 2011) ◮ Practicality of accelerometer side channels on smartphones (ACSAC 2012) ◮ ACCessory: Password Inference using Accelerometers on Smartphones (HotMobile 2012) 27

  39. Side Channel Analysis (SCA) ◮ Previous work: ◮ Smudge attacks on smartphone touch screens (WOOT 2010) ◮ Inferring Keystrokes on Touch Screen from Smartphone Motion (HotSec 2011) ◮ Practicality of accelerometer side channels on smartphones (ACSAC 2012) ◮ ACCessory: Password Inference using Accelerometers on Smartphones (HotMobile 2012) ◮ (Smart)watch your taps: side-channel keystroke inference attacks using smartwatches (ISWC 2015) ◮ An empirical study of cryptographic misuse in android applications (CCS 2013) 27

  40. Acknowledgment ◮ Paper available at: https://arxiv.org/pdf/1611.03748v1.pdf 28

  41. Traditional SCA categorization ◮ Active vs. Passive ◮ Invasive vs. semi-invasive vs. non-invasive 29

  42. Traditional SCA categorization ◮ Active vs. Passive ◮ Depending on whether the attacker actively influences the behavior of the device or only passively observes leaking information ◮ Invasive vs. semi-invasive vs. non-invasive 29

  43. Traditional SCA categorization ◮ Active vs. Passive ◮ Depending on whether the attacker actively influences the behavior of the device or only passively observes leaking information ◮ Invasive vs. semi-invasive vs. non-invasive ◮ Depending on whether or not the attacker removes the passivation layer of the chip, depackages the chip, or does not manipulate the packaging at all 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke

SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke

SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke De Mulder 2 Dan Page 1 Mike Tunstall 2 1 University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. UK. 2 Rambus

630 views • 51 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks Pieter Robyns Motivation and introduction Motivation Information about performing EM side-channel attacks using SDR is quite scarce A few

758 views • 42 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique Devriese, Frank Piessens (K.U.Leuven) Secure Multi-Execution May 14, 2010 1 / 24 Secure Multi-Execution Outline Secure Multi-Execution

622 views • 29 slides
CCC Leadership in Embedded Security Workshop 2017 Tomas Vagoun Cybersecurity R&D

CCC Leadership in Embedded Security Workshop 2017 Tomas Vagoun Cybersecurity R&D

CCC Leadership in Embedded Security Workshop 2017 Tomas Vagoun Cybersecurity R&D Coordinator Na4onal Coordina4on Office for NITRD Strategic Plan for Federal Cybersecurity R&D Federal Cybersecurity R&D Goals S&T for effec5ve

530 views • 5 slides
Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown:

Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown:

Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown: read, write Employee Brown Read Employee Black Brown: read write Black, Brown: read, write REJECTED! Blacks Employee Black is not allowed

565 views • 38 slides
liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi ciently Fangfan Li , Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Cho ff nes, Phillipa Gill, Alan Mislove 1 Traffic management 2

1.54k views • 115 slides
New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng Zhang, Aslan Askarov) Timing channels e adversary can learn (a lot) from timing measurements. Known to exist Hard to detect Hard to prevent

639 views • 40 slides
ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY

ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY

On the Cost-Effectiveness of TrustZone Defense on ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY Contents Abstract and Introduction Related Work Cache-Based Security Threats and Attack

618 views • 25 slides
COMPGA11: Research in Information Security Steven Murdoch University College London based

COMPGA11: Research in Information Security Steven Murdoch University College London based

COMPGA11: Research in Information Security Steven Murdoch University College London based on a course by Tony Morton Term 2 2014/15 Course summary To develop an understanding of what research in information security is about,

460 views • 24 slides
on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim

on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim

Forensics in the SoNIC Project on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim Weatherspoon Cornell University International Workshop on Trustworthiness, Accountability, and Forensics in the Cloud

693 views • 31 slides

More recommend