formally proved security of assembly code against power
play

Formally Proved Security of Assembly Code Against Power Analysis: A - PowerPoint PPT Presentation

Feb 26, 2023 •183 likes •718 views

Formally Proved Security of Assembly Code Against Power Analysis: A Case Study on Balanced Logic Pablo Rauzy Sylvain Guilley Zakaria Najm rauzy@enst.fr guilley@enst.fr znajm@enst.fr pablo.rauzy.name perso.enst.fr/ guilley Telecom

  1. Formally Proved Security of Assembly Code Against Power Analysis: A Case Study on Balanced Logic Pablo Rauzy Sylvain Guilley Zakaria Najm rauzy@enst.fr guilley@enst.fr znajm@enst.fr pablo.rauzy.name perso.enst.fr/ ∼ guilley Telecom ParisTech CNRS LTCI / COMELEC / SEN PROOFS 2014 Third Workshop on Security Proofs for Embedded Systems September 27, 2014 @ Busan, Korea IACR ePrint 2013/554 Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 1 / 37

  2. WDDL : SecLib : a False OR4 a False C ∨ y False ∨ b False y False ∨ b False a True ∨ C y True ∧ b True a True OR4 C ∨ y True ∨ MDPL : b True ∨ C MAJ 0 ∧ a False BCDL : y False ∧ ∨ b False a False ∧ ∨ m False b False y False ∧ a True MAJ ∧ ∧ a True b True y True ∧ y True ∧ ∨ b True UNI ∨ ∧ m True ∧ ∨ Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 2 / 37

  3. WDDL : SecLib : a False OR4 a False C ∨ y False ∨ b False y False ∨ b False a True ∨ Software? C y True ∧ b True a True OR4 C ∨ y True ∨ MDPL : b True ∨ C MAJ 0 ∧ a False BCDL : y False ∧ ∨ b False a False ∧ ∨ m False b False y False ∧ a True MAJ ∧ ∧ a True b True y True ∧ y True ∧ ∨ b True UNI ∨ ∧ m True ∧ ∨ Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 2 / 37

  4. WDDL : SecLib : a False OR4 a False C ∨ y False ∨ b False Automation? y False ∨ b False a True ∨ Software? C y True ∧ b True a True OR4 C ∨ y True ∨ MDPL : b True ∨ C MAJ 0 ∧ a False BCDL : y False ∧ ∨ b False a False ∧ ∨ m False b False y False ∧ a True MAJ ∧ ∧ a True b True y True ∧ y True ∧ ∨ b True UNI ∨ ∧ m True ∧ ∨ Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 2 / 37

  5. WDDL : SecLib : a False OR4 a False C ∨ y False ∨ b False Automation? y False ∨ b False a True ∨ Software? C y True ∧ b True a True OR4 C ∨ y True ∨ MDPL : b True ∨ C MAJ 0 ∧ a False Verification? BCDL : y False ∧ ∨ b False a False ∧ ∨ m False b False y False ∧ a True MAJ ∧ ∧ a True b True y True ∧ y True ∧ ∨ b True UNI ∨ ∧ m True ∧ ∨ Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 2 / 37

  6. WDDL : SecLib : a False OR4 a False C ∨ y False ∨ b False Automation? y False ∨ b False a True ∨ Software? C y True ∧ b True a True OR4 C ∨ y True ∨ MDPL : b True ∨ C MAJ 0 ∧ a False Verification? BCDL : y False ∧ ∨ Formally? b False a False ∧ ∨ m False b False y False ∧ a True MAJ ∧ ∧ a True b True y True ∧ y True ∧ ∨ b True UNI ∨ ∧ m True ∧ ∨ Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 2 / 37

  7. Motivation ◮ Our goal is to be able to formally assess the security of a cryptosystem against power analysis attacks . ◮ But, formal methods work with models, not implementations . ◮ Yet, side-channel attacks are an implementation-level threat . → We want to apply formal methods on the implementation. Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 3 / 37

  8. Motivation Power Analysis ◮ Power analysis is a form of side-channel attack in which the attacker measures the power consumption of a cryptographic device. ◮ Power consumption is modeled by the Hamming weight of values and the Hamming distance of updates. ◮ Unprotected implementation leaks at every step. ◮ Thwarting side-channel analysis is a complicated task. Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 4 / 37

  9. Motivation Countermeasures ◮ In practice, there are two ways to protect cryptosystems. ◮ Palliative countermeasures attempt to make the attack more difficult, however without a theoretical foundation: ◮ variable clock, ◮ operation shuffling, ◮ dummy encryptions, etc. ◮ Curative countermeasures aim at providing a leak-free implementation based on a security rationale: ◮ decorrelate the leakage from the manipulated data, or ◮ make the leakage constant, irrespective of the manipulated data. Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 5 / 37

  10. Motivation / Countermeasures Masking Masking Definition Mix the computation with random numbers to make the leakage (at least in average) independent of the sensitive data. ◮ Pros: ◮ independence with respect to the leakage behavior of the hardware, ◮ existence of provably secure masking schemes. ◮ Cons: ◮ greedy requirement for randomness, ◮ randomness is hard to formalize, ◮ hardware glitches are likely to depend on more than one sensitive data, hence being high-order. ◮ possibility of high-order attacks. Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 6 / 37

  11. Motivation / Countermeasures Balancing Balancing Definition Follow a dual-rail protocol to make the leakage constant , irrespective of the manipulated data. DPL ( Dual-rail with Precharge Logic ) Definition Compute on redundant representation on two indistinguishable resources, so that the attacker cannot know which one has been set (which depends on the bit value). ◮ Pros: ◮ no randomness necessary, ◮ simple protocol easily captured formally. ◮ Cons: ◮ strongly depends on assumption on the hardware leakage. Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 7 / 37

  12. Motivation Power Analysis Countermeasures Dual-rail with Precharge Logic DPL in Software DPL Macro Generation of DPL Protected Assembly Code Generic Assembly Language Code Transformation Correctness Proof of the Transformation Formally Proving the Absence of Leakage Computed Proof of Constant Activity Hardware Characterization Case Study: present on an AVR Micro-Controller Profiling the AVR Micro-Controller Generating Balanced AVR Assembly Cost of the Countermeasure Attacks Conclusions Perspectives Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 8 / 37

  13. Dual-rail with Precharge Logic ◮ The DPL countermeasure consists in computing on a redundant representation: each bit y is implemented as a pair ( y False , y True ) . ◮ The bit pair is then used in a protocol made up of two phases: 1. a precharge phase, during which all the bit pairs are zeroized ( y False , y True ) = (0 , 0) , such that the computation starts from a known reference state; 2. an evaluation phase, during which the ( y False , y True ) pair is equal to (1 , 0) if it carries the logical value 0 , or (0 , 1) if it carries the logical value 1 . Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 9 / 37

  14. Dual-rail with Precharge Logic DPL in Software ◮ Historically, DPL has been designed for implementation at hardware level. ◮ But we want to run DPL on an off-the-shelf processor. ◮ Therefore, we must: ◮ identify two similar resources that can hold true and false values in an indiscernible way for a side-channel attacker; ◮ play the DPL protocol by ourselves, in software. ◮ Then, to reproduce the DPL protocol in software we have to: ◮ work at the bit level, and ◮ duplicate (in positive and negative logic) the bit values. Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 10 / 37

  15. Dual-rail with Precharge Logic DPL Macro ◮ Each sensitive instruction should replaced by a DPL macro . ◮ The DPL macro assumes that the system is in a valid DPL state. ◮ And leaves it in a valid DPL state to make the macros chainable. ◮ The basic idea is to concatenate two DPL encoded values. ◮ Then use the result as an index in a look-up table. Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 11 / 37

  16. Dual-rail with Precharge Logic / DPL Macro Example Using the Two Least Significant Bit r 1 r 0 ← r 1 a ← r 1 ∧ 3 r 1 ◮ In this example we use the two LSB. ← r 1 r 1 ≪ 1 ← ◮ Logical value 1 is 1 ( 01 ). r 1 ≪ 1 r 1 ← ◮ Logical value 0 is 2 ( 10 ). r 2 r 0 ← r 2 b ← ◮ Precharge phases (activity: 1 if sensitive) r 2 ∧ 3 r 2 ← ◮ Evaluation phases (activity: 1) r 1 r 1 ∨ r 2 ← ◮ Masks (activity: normally 0) r 3 r 0 ← ◮ Shifts (activity: 2) r 3 op [ r 1 ] ← ◮ Concatenation (activity: 1) d r 0 ← d r 3 ← ◮ Look-up (activity: 1 + 2) DPL macro for d = a op b Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 12 / 37

  17. Dual-rail with Precharge Logic / DPL Macro Example Using the Two Least Significant Bit r 1 r 0 ← r 1 a ← r 1 ∧ 3 r 1 ◮ In this example we use the two LSB. ← r 1 r 1 ≪ 1 ← ◮ Logical value 1 is 1 ( 01 ). r 1 ≪ 1 r 1 ← ◮ Logical value 0 is 2 ( 10 ). r 2 r 0 ← r 2 b ← ◮ Precharge phases (activity: 1 if sensitive) r 2 ∧ 3 r 2 ← ◮ Evaluation phases (activity: 1) r 1 r 1 ∨ r 2 ← ◮ Masks (activity: normally 0) r 3 r 0 ← ◮ Shifts (activity: 2) r 3 op [ r 1 ] ← ◮ Concatenation (activity: 1) d r 0 ← d r 3 ← ◮ Look-up (activity: 1 + 2) DPL macro for d = a op b Pablo Rauzy (Telecom ParisTech) Formal Security Against Power Analysis PROOFS 2014 12 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Thailand: Never Formally Colonized Thailand was never formally colonized by a Western

Thailand: Never Formally Colonized Thailand was never formally colonized by a Western

Neo-Colonialism in The King and I : An Analysis of Hegemony through Aural and Visual Representation By Natalie Tantisirirat Thailand: Never Formally Colonized Thailand was never formally colonized by a Western power strong pride

337 views • 21 slides
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code for applications and malware is not

1.1k views • 58 slides
Binarylevel program analysis: Assembly basics Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Assembly basics Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Assembly basics Gang Tan CSE 597 Spring 2019 Penn State University 1 Source code, Assembly code, Object code, and Executable Code Source Object Assembly Compiler Assembler code code code Then a

500 views • 12 slides
Debugging Beware of bugs in the above code; I have only proved it correct, not tried it.

Debugging Beware of bugs in the above code; I have only proved it correct, not tried it.

Debugging Beware of bugs in the above code; I have only proved it correct, not tried it. -David Knuth assert Assertions: Use What happens if you run def fact(x): half_fact(5) ? assert isinstance(x, int) assert x >= 0 Infinite

756 views • 26 slides
RESource: A Framework for Online Matching of Assembly with Open Source Code Ashkan Rahimian*,

RESource: A Framework for Online Matching of Assembly with Open Source Code Ashkan Rahimian*,

RESource: A Framework for Online Matching of Assembly with Open Source Code Ashkan Rahimian*, Philippe Charland**, Stere Preda*, and Mourad Debbabi* *Computer Security Laboratory, CIISE Concordia University, Montreal, Quebec, Canada **Mission

649 views • 25 slides
Assembly Language CS2253 Owen Kaser, UNBSJ Assembly Language Some insane machine-code

Assembly Language CS2253 Owen Kaser, UNBSJ Assembly Language Some insane machine-code

Assembly Language CS2253 Owen Kaser, UNBSJ Assembly Language Some insane machine-code programming Assembly language as an alternative Assembler directives Mnemonics for instructions Machine-Code Programming (or, Why Assemblers

783 views • 52 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Formally verifying exceptions in low-level code with Separation Logic Marco Paviotti and Jesper

Formally verifying exceptions in low-level code with Separation Logic Marco Paviotti and Jesper

Formally verifying exceptions in low-level code with Separation Logic Marco Paviotti and Jesper Bengtson IT University of Copenhagen 22nd October Nordic Workshop on Programming Theory (NWPT) Reykjavik, Iceland 1 Verification of low-level

416 views • 15 slides
High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language Why Learn New Language availability special features porting maintenance more tools required for job cost Why Design a

1.36k views • 54 slides
Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR

Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR

Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR Generation Low-level IR code Optimizations Optimized Low-level IR code Assembly code Assembly code generation cmp $0,%rcx cmovz %rax,%rdx 1 Low IR

777 views • 42 slides
New Struc w Structure ture for A for Adde dder with r with r Im Improve proved Spe d

New Struc w Structure ture for A for Adde dder with r with r Im Improve proved Spe d

New Struc w Structure ture for A for Adde dder with r with r Im Improve proved Spe d Speed, A d, Are rea a and Powe nd Power Fatemeh Karami H. 1 , Ali K. Horestani 2 1 Department of Electrical and Computer Engineering Isfahan

280 views • 17 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
assembly language source assembler code "machine code" 1 These slides may be

assembly language source assembler code "machine code" 1 These slides may be

assembly language source assembler code "machine code" 1 These slides may be freely used, distributed, and incorporated into other works. To execute a program: 1 put the "machine code" into memory 2 jal __start (the OS

798 views • 66 slides
Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

900 views • 79 slides
Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin Grgoire 1 , 2 Gilles Barthe 3 Federico Olmedo 3 1 Microsoft Research - INRIA Joint Centre, France 2 INRIA Sophia Antipolis - Mditerrane, France 3

837 views • 51 slides
Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code assembler de. . object*code on* linker bels* executable *how* Sean Barker 1 Linking Schematic Executable*file Object*file main:*****

390 views • 4 slides
Handling fjrst-order proofs Michael Raskin , raskin@mccme.ru Christoph Welzel Dept. of CS, TU

Handling fjrst-order proofs Michael Raskin , raskin@mccme.ru Christoph Welzel Dept. of CS, TU

. . . . . . . . . . . . . . Handling fjrst-order proofs Michael Raskin , raskin@mccme.ru Christoph Welzel Dept. of CS, TU Munich April 1, 2019 The project has received funding from the European Research Council (ERC) under the

642 views • 33 slides
4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the correctness of grammars, i.e., for proving that grammars generate the languages we want them to. 1 / 21 Definition of Suppose G is a grammar and

324 views • 21 slides
Defining the Ethereum Virtual Machine for Interactive Theorem Provers Yoichi Hirai Ethereum

Defining the Ethereum Virtual Machine for Interactive Theorem Provers Yoichi Hirai Ethereum

Overview Some Technicality Own Evaluation Summary Defining the Ethereum Virtual Machine for Interactive Theorem Provers Yoichi Hirai Ethereum Foundation Workshop on Trusted Smart Contracts Malta, Apr. 7, 2017 1/32 Yoichi Hirai Defining

538 views • 32 slides
CS70: Lecture 2. Outline. Quick Background and Notation. Direct Proof. Theorem: For any a , b , c

CS70: Lecture 2. Outline. Quick Background and Notation. Direct Proof. Theorem: For any a , b , c

CS70: Lecture 2. Outline. Quick Background and Notation. Direct Proof. Theorem: For any a , b , c Z , if a | b and a | c then a | ( b c ) . Integers closed under addition. Proof: Assume a | b and a | c Today: Proofs!!! b = aq and c = aq

162 views • 4 slides
Learn the Financial and Energy Benefits of Becoming a NYSERDA Clean Energy Community EASTERN

Learn the Financial and Energy Benefits of Becoming a NYSERDA Clean Energy Community EASTERN

Learn the Financial and Energy Benefits of Becoming a NYSERDA Clean Energy Community EASTERN NEW YORK TERRITORY September 23, 2016 2 Agenda Introduc)ons Todd Fabozzi, NYSERDA Clean Energy Communi)es Eastern

845 views • 47 slides
Good programs, broken programs? CS 251 Fall 2019 CS 240 Spring 2020 Principles of Programming

Good programs, broken programs? CS 251 Fall 2019 CS 240 Spring 2020 Principles of Programming

Good programs, broken programs? CS 251 Fall 2019 CS 240 Spring 2020 Principles of Programming Languages Foundations of Computer Systems Ben Wood Ben Wood Goal: program works (does not fail) Need: definition of works/correct : a

547 views • 8 slides
Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer

Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer

1 2 Challenges in def bubblesort(x): quantum algorithms for for j in range(len(x)): integer factorization for i in reversed(range(j)): x[i],x[i+1] = ( D. J. Bernstein min(x[i],x[i+1]), University of Illinois at Chicago max(x[i],x[i+1])

1.48k views • 118 slides
Prune the Unnecessary: Sriram Aananthakrishnan * Parallel Pull-Push Louvain Algorithms Fabrizio

Prune the Unnecessary: Sriram Aananthakrishnan * Parallel Pull-Push Louvain Algorithms Fabrizio

Jesmin Jahan Tithi Andrzej Stasiak * Prune the Unnecessary: Sriram Aananthakrishnan * Parallel Pull-Push Louvain Algorithms Fabrizio Petrini with Automatic Edge Pruning Parallel Computing Labs, Intel, * Data Center Group, Intel. What

1.38k views • 87 slides

More recommend