Breaking Deployed Crypto The Side Channel Analyst s Way Daniel - - PowerPoint PPT Presentation

Breaking Deployed Crypto

The Side Channel Analyst’s Way

Daniel Moghimi (@danielmgmi)

04/30/2020 Hardwear.io

About Me

• Daniel Moghimi

@danielmgmi

• Security Researcher
• PhD Student @ WPI
• Microarchitectural Security
• Side Channels
• Breaking Crypto Implementations
• Trusted Execution Environment (Intel SGX)

2

Cryptanalysis

3 Encrypt Decrypt Sign m k

• Cryptosystem with an input m, output c, and secret k
• Attacker tries to learn k by looking at (m, c)

c

Cryptanalysis

4 Encrypt Decrypt Sign m k

• Cryptosystem with an input m, output c, and secret k
• Attacker tries to learn k by looking at (m, c)

c 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

𝑡1 = 𝑙1

−1 𝑨 + 𝑠 1𝑒 𝑛𝑝𝑒 𝑜

𝑡2 = 𝑙2

−1 𝑨 + 𝑠2𝑒 𝑛𝑝𝑒 𝑜

Cryptanalysis

5 Encrypt Decrypt Sign m k

• Cryptosystem with an input m, output c, and secret k
• Attacker tries to learn k by looking at (m, c)

c 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

𝑙1= 𝑙2= 𝑙𝑜 𝑡1 = 𝑙−1 𝑨 + 𝑠

1𝑒 𝑛𝑝𝑒 𝑜

𝑡2 = 𝑙−1 𝑨 + 𝑠2𝑒 𝑛𝑝𝑒 𝑜

Cryptanalysis

6 Encrypt Decrypt Sign m k

• Cryptosystem with an input m, output c, and secret k
• Attacker tries to learn k by looking at (m, c)

c 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

𝑙1= 𝑙2= 𝑙𝑜 𝑡1 = 𝑙−1 𝑨 + 𝑠

1𝑒 𝑛𝑝𝑒 𝑜

𝑡2 = 𝑙−1 𝑨 + 𝑠2𝑒 𝑛𝑝𝑒 𝑜 𝑡2 − 𝑡1 = 𝑠2 − 𝑠

1 𝑒 𝑛𝑝𝑒 𝑜

Side-Channel Cryptanalysis

7 Encrypt Decrypt Sign m k

• Cryptosystem with an input m, output c, and secret k
• Attacker tries to learn k by looking at (m, c) and signal s

c s

Side-Channel Attacks

8

• Channels
• Power Analysis
• EM Analysis
• …
• Timing Analysis
• CPU Side Channels
• Threat Models:
• Physical Access
• Local Access (Co-location)
• Remote

Secure Elements

Software is insecure. Heartbleed? Computers are just Evil?! Rootkits? Ransomware? Untrusted /Bad Org.?

Secure Elements

Software is insecure. Heartbleed? Computers are just Evil?! Hardware-based Root of Trust?!

10

Rootkits? Ransomware? Untrusted /Bad Org.?

Trusted Platform Module (TPM)

• Security Chip for Computers?
• Tamper Resistant
• Side-Channel Resistant
• Crypto Co-processor

11

Trusted Platform Module (TPM)

• Security Chip for Computers?
• Tamper Resistant
• Side-Channel Resistant
• Crypto Co-processor

Trusted Computing Base

12

Trusted Platform Module (TPM)

• Cryptographic Co-processor, specified by Trusted Computing Group
• Secure Storage
• Integrity Measurement
• TRNG
• Hash Functions
• Encryption
• Digital Signatures

13

TPM – Digital Signatures

• Applications
• Trusted Execution of Signing Operations
• Remote Attestation
• TPM 2.0 supports Elliptic-Curve Digital Signature
• ECDSA
• ECSchnorr
• ECDAA (Anonymous Remote Attestation)

14

Trusted Computing Group

• https://trustedcomputinggroup

.org/membership/certification/

• https://trustedcomputinggroup

.org/membership/certification/ tpm-certified-products/

15

Are TPMs really side-channel resistant?

16

High-resolution Timing Test

• TPM frequency ~= 32-120 MHz
• CPU Frequency is more than 2 GHz

17

High-resolution Timing Test – Intel PTT (fTPM)

• Intel Platform Trust Technology (PTT)
• Integrated firmware-TPM inside the CPU package
• Runs on top of Converged Security and

Management Engine (CSME)

• Standalone low power processor
• Has been around since Haswell

18 CPU PCH CSME fTPM

High-resolution Timing Test – Intel PTT (fTPM)

• Intel Platform Trust Technology (PTT)
• Integrated firmware-TPM inside the CPU package
• Runs on top of Converged Security and

Management Engine (CSME)

19

Histogram

CPU PCH CSME fTPM

High-resolution Timing Test – Intel PTT (fTPM)

20

• Linux TPM Command Response Buffer (CRB) driver
• Kernel Driver to increase the Resolution

CPU PCH CSME fTPM

High-resolution Timing Test - Analysis

• RSA and ECDSA timing test on 3 dedicated TPM and Intel fTPM
• Various non-constant behaviour for both RSA and ECDSA

21

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce

Length Leakage

• ECDSA
• ECSChnorr
• BN-256 (ECDAA)

22 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce

Length Leakage

• ECDSA
• ECSChnorr
• BN-256 (ECDAA)

23 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce

Length Leakage

• ECDSA
• ECSChnorr
• BN-256 (ECDAA)

24 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce

Length Leakage

• ECDSA
• ECSChnorr
• BN-256 (ECDAA)

25 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce

Length Leakage

• ECDSA
• ECSChnorr
• BN-256 (ECDAA)

26 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce

Length Leakage

• ECDSA
• ECSChnorr
• BN-256 (ECDAA)

27 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce

Length Leakage

• ECDSA
• ECSChnorr
• BN-256 (ECDAA)

28 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

29

High-resolution Timing Test – ECDSA Nonce

• Intel fTPM: 4-bit Window Nonce Length Leakage
• STMicro TPM: Bit-by-Bit Nonce Length Leakage

30

TPM-Fail – Recovering Private ECDSA Key

• TPM is programmed with an unknown key
• We already have a template for 𝑢𝑗.
• 1. Collect list of signatures (𝑠

𝑗, 𝑡𝑗) and timing samples 𝑢𝑗.

• 2. Filter signatures based on 𝑢𝑗 and keeps (𝑠

𝑗, 𝑡𝑗) with a known bias.

• 3. Lattice-based attack to recover private key 𝑒, from signatures

with biased nonce 𝑙𝑗.

31

Lattice and Hidden Number Problem

• 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜

32

Lattice and Hidden Number Problem

• 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙𝑗

−1 − 𝑡𝑗 −1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

33

Lattice and Hidden Number Problem

• 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙𝑗

−1 − 𝑡𝑗 −1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

• 𝐵𝑗 = −𝑡𝑗

−1𝑠 𝑗, 𝐶𝑗 = −𝑡𝑗 −1𝑨 → 𝑙𝑗 + 𝐵𝑗𝑒 + 𝐶𝑗 = 0

34

Lattice and Hidden Number Problem

• 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙𝑗

−1 − 𝑡𝑗 −1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

• 𝐵𝑗 = −𝑡𝑗

−1𝑠 𝑗, 𝐶𝑗 = −𝑡𝑗 −1𝑨 → 𝑙𝑗 + 𝐵𝑗𝑒 + 𝐶𝑗 = 0

• Let 𝑌 be the upper bound on ki and (𝑒, 𝑙0, 𝑙1 … , 𝑙𝑜) is unknown

35

[1] Dan Boneh and Ramarathnam Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

Lattice and Hidden Number Problem

• 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙𝑗

−1 − 𝑡𝑗 −1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

• 𝐵𝑗 = −𝑡𝑗

−1𝑠 𝑗, 𝐶𝑗 = −𝑡𝑗 −1𝑨 → 𝑙𝑗 + 𝐵𝑗𝑒 + 𝐶𝑗 = 0

• Let 𝑌 be the upper bound on ki and (𝑒, 𝑙0, 𝑙1 … , 𝑙𝑜) is unknown
• Lattice Construction:

𝑜 𝑜 ⋱ 𝑜 𝐵1 𝐵2 … 𝐵𝑢

𝑌 𝑜

𝐶1 𝐶2 … 𝐶𝑢 𝑌

LLL/BKZ 36

TPM-Fail – Key Recovery Results

• Intel fTPM
• ECDSA, ECSchnorr and BN-256 (ECDAA)
• Three different threat model System, User, Network
• STMicroelectronics TPM
• CC EAL4+ Certified
• Give you the key in 80 minutes

37

38

TPM-Fail Case Study: StrongSwan VPN

VPN Client VPN Server TPM Device

39

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

40

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 41

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 42

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑇𝑗𝑕𝑜𝑡𝑙𝑆, (𝑜𝑆, … ) ] 43

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 44

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑇𝑗𝑕𝑜𝑡𝑙𝑆, (𝑜𝑆, … ) ] 45

TPM-Fail Case Study: StrongSwan VPN Key Recovery

• Remote Key Recovery after about 44,000 handshake ~= 5 hours

46

47

System Adversary User Adversary Remote Sample UDP App Remote StrongSwan VPN

CacheQuote [2]

48

[2] F Dall, G De Micheli, T Eisenbarth, D Genkin, N Heninger, A Moghimi, Y Yarom. CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks

Cryptographic Implementation is Hard - ECDSA

49 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

Cryptographic Implementation is Hard - ECDSA

50 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

Cryptographic Implementation is Hard - ECDSA

51 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

𝑙𝑗 = 3 → 3 × 𝐻 = 2𝐻 + 𝐻

Cryptographic Implementation is Hard - ECDSA

52 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

𝑙𝑗 = 3 → 3 × 𝐻 = 2𝐻 + 𝐻 𝑙𝑗 = 7 → 7 × 𝐻 = 2 2𝐻 + 2𝐻 + 𝐻

Cryptographic Implementation is Hard - ECDSA

53 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

𝑙𝑗 = 3 → 3 × 𝐻 = 2𝐻 + 𝐻 𝑙𝑗 = 7 → 7 × 𝐻 = 2 2𝐻 + 2𝐻 + 𝐻 𝑙𝑗 = 7 → 23 × 𝐻 = 2 2(2(2𝐻) + 𝐻) + 𝐻 + 𝐻

Cryptographic Implementation is Hard - ECDSA

54 𝐹𝐷𝐸𝑇𝐵 𝑇𝑗𝑕𝑜: 𝑦1, 𝑧1 = 𝑙𝑗 × 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 𝑜 𝑡𝑗 = 𝑙𝑗

−1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 𝑜

𝑙𝑗 = 3 → 3 × 𝐻 = 2𝐻 + 𝐻 𝑙𝑗 = 7 → 7 × 𝐻 = 2 2𝐻 + 2𝐻 + 𝐻 𝑙𝑗 = 7 → 23 × 𝐻 = 2 2(2(2𝐻) + 𝐻) + 𝐻 + 𝐻 //Scalar Mul: Add & Double Q = 0 R = G for k_b in k: if k_b == 1: Q = add(Q, R) R = double(R) return Q

Cryptographic Implementation is Hard

• Many Algorithms to do the same thing
• Scalar Multiplication
• Double-Add Algorithm
• Montgomery Double-Add
• Sliding Window
• Fixed Window
• Unclear Threat Model
• What is a side channel?
• Power Analysis, Timing, Cache?

55

Software Leakages

• Secret Dependent Control Flow
• Secret Dependent Memory Access Pattern
• Secret Dependent Timing, e.g: ARM Cortext-M3 umull

56 state[i] = state[i] ^ sbox[roundKey[i]] for(int i = 0; i < Bitlength(key); ++i)

MicroWalk Goal

• Automated Analysis
• Dynamic Approach
• Binary-level Analysis:
• Leakages introduced by compilation
• Closed-source libraries
• Locate leakage source at Instruction Level

57

MicroWalk Model

• In practice: Attacker measures
• Execution time for (int i = 0; i < bitlength(key); ++i)
• Memory usage pattern state[i] = state[i] ^ sbox[roundKey[i]]
• In theory: Attacker gets access to execution trace with
• Executed instructions
• Branch targets
• Memory access offsets

58

MicroWalk Approach

• Generate set of random test cases and capture execution traces
• Analysis A: Compute pairwise diffs

59

MicroWalk Approach

• Generate set of random test cases and capture execution traces
• Analysis A: Compute pairwise diffs
• Analysis B: Compute mutual information between execution trace

and input

60

MicroWalk Implementation

• Dynamic binary instrumentation using Intel Pin
• Collect traces while program runs
• Modules:
• Emulate other CPUs or disable certain capabilities (e.g. AES-NI)
• Modify RDRAND output

61

MicroWalk Implementation

• Raw traces only contain absolute addresses of memory accesses

0x1111107A → sbox+0x7A

• Removal of uninteresting trace entries → considerable size

reduction

• Modules:
• Configure memory address leakage granularity 0x156F → 0x1540

62

MicroWalk Implementation

• Load and analyze preprocessed traces
• Optionally pass results to visualization stage
• Modules:
• Compute pairwise trace diffs
• Calculate mutual information for each memory accessing instruction

63

MicroWalk Leakge Model

• Page Table ⇒ leaks 4 KB memory access
• Data Cache ⇒ leaks 64 B data access
• Memory Order Buffer ⇒ leaks 4 B data access
• Cache Banks ⇒ leaks 8 B data access
• Branch Target Buffer ⇒ which branch is executed
• Instruction Cache ⇒ which instructions are executed

64

Coordinated Disclosure - STMicroelectronics

• STMicroelectronics (CVE-2019-16863)
• 05/15/2019: Reported to ST
• 05/17/2019: Acknowledged
• Lots of calls/emails to clarify the disclosure process
• 09/12/2019: Verified new version of STM TPM firmware
• After 11/12/2019:
• HP and Lenovo have issued firmware updates.
• ST released a list of affected devices.

65

05/15/2019: Report TPM Vuln to STM 05/17/2019: STM Acknowledged 09/12/2019: We verified new version

• f STM TPM

Post 11/12/2019: HP and Lenovo issued firmware update

Coordinated Disclosure - Intel

• Intel (CVE-2019-11090)
• 02/01/2019: Reported to IPSIRT
• 02/12/2019: Acknowledged (Outdated Intel IPP Crypto library)
• 11/12/2019: Firmware Update for Intel Management Engine

66 02/01/2019: Reported fTPM Vulns to IPSIRT 02/12/2019: Acknowledged Outdated IPP Library 11/12/2019: (CVE-2019- 11090) Firmware Update for CSME

MicroWalk Analysis Results

• Rigorous Analysis of two Closed-source Libraries
• Intel IPP CVEs
• CVE-2018-12155
• CVE-2018-12156

67

06/22/2018: Report IPP Vulns to IPSIRT 06/25/2018: Acknowledged the Receipt 12/05/2018: CVE-2018-12155 02/01/2019: Report fTPM Vulns to IPSIRT 02/12/2019: Acknowledged Outdated IPP Library 11/12/2019: (CVE-2019- 11090) Firmware Update for CSME

Thanks!

• Berk Sunar @ WPI
• Nadia Heninger @ UCSD
• Thomas Eisenbarth @ UzL
• Jan Wichelmann @ UzL

68

Questions?!

https://tpm.fail/ https://www.usenix.org/conference/us enixsecurity20/presentation/moghimi

TPM-FAIL

69 https://github.com/ VernamLab/TPM-Fail https://github.com /UzL-ITS/Microwalk