fully automated differential fault analysis on software
play

Fully Automated Differential Fault Analysis on Software - PowerPoint PPT Presentation

Mar 23, 2023 •249 likes •513 views

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

  1. Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab, Singapore 3 Max Planck Institute, Karlsruhe, Germany CHES’19, 28 Aug 2019

  2. Data Flow Graph of Software Implementation of AES 2

  3. Our Contribution • We developed a method that works on assembly implementations of block ciphers, it identifies spots vulnerable to differential fault analysis (DFA) by bit flips, and verifies whether those spots are exploitable • Our method is sound – if it marks the spot as exploitable, it is provably exploitable – The prototype tool outputs the identified attack • Furthermore, we developed a way to check how many rounds should be protected by a countermeasure to be able to avoid DFA to vulnerable spots 3

  4. Tool for Automated DFA on Assembly 4

  5. Tool for Automated DFA on Assembly – TADA • The main idea – feed the assembly code to the tool and get the vulnerabilities, together with a way how to exploit them • Static analysis module analyzes the propagation of the fault and determines what information can be extracted from known data • SMT solver module solves the DFA equations, verifying whether an attack exists Analyze Generate Construct Find the assembly custom DFA key file DFG attack 5

  6. TADA – Detailed Process Flow 6

  7. Sample Cipher and DFG Construction # Instruction 0 LD r0 X+ 1 LD r1 X+ 2 LD r2 key1+ 3 LD r3 key1+ 4 AND r0 r1 5 EOR r0 r2 6 EOR r1 r3 7 ST x+ r0 8 ST x+ r1 7

  8. Properties of the DFG – Explained Linear edge Non-linear edge 1 Node r3 (3) affects node r1 (6) 0 0 Distance between r0 (0) and r0 (4) is 1 Distance between r0 (0) and x+ (7) is also 1 8

  9. TADA – Detailed Process Flow 9

  10. Vulnerable Instructions • For a vulnerable instruction, each of its input nodes that is not known can be a target node or/and a vulnerable node • A fault will be injected into the vulnerable node so that it might reveal information about the target node • TADA creates a subgraph for each pair of target and vulnerable node 10

  11. Find Vulnerable Instruction # Instruction 0 LD r0 X+ 1 LD r1 X+ 2 LD r2 key1+ 3 LD r3 key1+ 4 AND r0 r1 5 EOR r0 r2 6 EOR r1 r3 7 ST x+ r0 Recall that r2 (2) and r3 (3) are the key nodes 8 ST x+ r1 11

  12. TADA – Detailed Process Flow 12

  13. TADA – Detailed Process Flow 13

  14. Update Known Nodes 14

  15. TADA – Detailed Process Flow Not yet! 15

  16. One More Iteration 16

  17. TADA – Detailed Process Flow 17

  18. Evaluation Results [TBM14] H. Tupsamudre, S. Bisht, and D. Mukhopadhyay. Differential fault analysis on the families of Simon and Speck ciphers. FDTC 2014. [Gir05] Christophe Giraud. DFA on AES. Conference on AES 2005. 18

  19. Countermeasures How many rounds to protect?

  20. Standard Duplication/Triplication Countermeasure Plaintext • Popular in industrial applications • Either area or time redundancy • Expensive overheads Encrypt Encrypt • Resources can be saved in case it is not necessary to protect the entire Ciphertext Ciphertext cipher Compare 20

  21. Countermeasure implementation based on TADA • After the previous analysis, the target and the vulnerable nodes change to target and exploitable nodes – the latter one was proven to be exploitable by TADA • We are now trying to find the earliest node possible to affect the target node, such that there are no collisions • This information will tell us what is the earliest round where the fault can be injected 21

  22. Results – AES SR SB MC SB SR MC R8 R8 R8 R9 R9 R9 MC SB SR D. Saha, D. Mukhopadhyay, and D. RoyChowdhury. A Diagonal Fault Attack on the R10 R10 R10 Advanced Encryption Standard, Cryptology ePrint Archive: Report 2009/581. 22

  23. How Many Rounds to Protect? Resources for countermeasures can be saved as follows: – SIMON – over 90% (3 out of 32 rounds) – SPECK – over 81% (4 out of 22 rounds) – AES – over 60% (4 out of 10 rounds) – PRIDE – over 80% (4 out of 20 rounds) 23

  24. Conclusion 24

  25. Conclusion • We showed a way to automate differential fault analysis on block cipher implementations • Analysis works on a modified data flow graph, vulnerabilities are checked with SMT solver for exploitability • Countermeasure implementations can be done more efficiently with the support of automated evaluation – number of rounds can be reduced • For future, it would be good to extend the method to other fault models and other fault analysis techniques 25

  26. J. Breier, X. Hou, S. Bhasin (eds.): Automated Methods in Cryptographic Fault Analysis, Springer, 2019. Thank you for your interest! Questions? 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Using Likely Invariants For Automated Software Fault Localization Swarup Sahoo, John Criswell,

Using Likely Invariants For Automated Software Fault Localization Swarup Sahoo, John Criswell,

Using Likely Invariants For Automated Software Fault Localization Swarup Sahoo, John Criswell, Chase Geigle, Vikram Adve Presented By: Matthew Perez and Thomas Rupp Motivation Detecting software bugs is time consuming and difficult Lots

150 views • 13 slides
Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've

Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've

Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've achieved in a year? TSEM talk @ Institute of Cybernetics, Tallinn, Estonia Juhan Ernits, March 9, 2010 Overview of todays talk Overview of today s

490 views • 26 slides
my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA COLLECTION AND ANALYTICS There is a high demand for reliable Traffic Data but Static data single-purpose data Invasive costly deployment &

404 views • 18 slides
EASY-TO-USE, READY-TO-PRODUCE by ALL-IN-ONE HARDWARE + SOFTWARE SOLUTION 3U

EASY-TO-USE, READY-TO-PRODUCE by ALL-IN-ONE HARDWARE + SOFTWARE SOLUTION 3U

Jan. 2017 CONF FULLY AUTOMATED CONFERENCE CAPTURE EASY-TO-USE, READY-TO-PRODUCE by ALL-IN-ONE HARDWARE + SOFTWARE SOLUTION 3U rackable Video Server PTZ touret cameras VIDEO FILMING FULLY AUTOMATED The system is connected

432 views • 16 slides
Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull & Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull & Innovatron Patents Fault I njection Equipment: CLI O

423 views • 39 slides
Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Outline Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM Information Security Group Universit e Catholique de Louvain, Belgium August 21, 2010 Chong Hee KIM, Universit e Catholique de Louvain

797 views • 76 slides
Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols

Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols

Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols IACR Real World Crypto Nadim Kobeissi Symposium 2019 Karthikeyan Bhargavan San Jose, California Noise Protocol Framework: What is it? A

586 views • 23 slides
Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

390 views • 19 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai system is a fully automated loan management system. This solution extends the productivity of Your loan business to the maximum. Easily integrates

541 views • 27 slides
Approaching Automation Necessary for introducing a task Prioritize automation steps based

Approaching Automation Necessary for introducing a task Prioritize automation steps based

Learning objectives Understand the main purposes of automating software analysis and testing Identify activities that can be fully or partially Automating Analysis and Test automated Understand cost and benefit trade-offs in

799 views • 12 slides
Automated Transplantation and Differential Testing for Clones Tianyi Zhang, Miryung Kim

Automated Transplantation and Differential Testing for Clones Tianyi Zhang, Miryung Kim

Automated Transplantation and Differential Testing for Clones Tianyi Zhang, Miryung Kim University of California, Los Angeles 1 Problem Statement Code clones are common in modern software systems. Developers often find it difficult to

715 views • 29 slides
Towards an Automated Fault Localizer while Designing Meta-models Adel Ferdjoukh and Jean-Marie

Towards an Automated Fault Localizer while Designing Meta-models Adel Ferdjoukh and Jean-Marie

Towards an Automated Fault Localizer while Designing Meta-models Adel Ferdjoukh and Jean-Marie Mottu MDEbug@MODELS 2018, Copenhagen (Kbenhavn) null Motivation Automated fault localization Tooling Ideas for improving Conclusion Synopsis 1

586 views • 25 slides
Cryptography and Cryptography and Network Security Network Security Chapter Chapter 3 3

Cryptography and Cryptography and Network Security Network Security Chapter Chapter 3 3

Cryptography and Cryptography and Network Security Network Security Chapter Chapter 3 3 Fourth Edition Fourth Edition by William Stallings by William Stallings Lecture slides by Lecture slides by Lawrie Lawrie Brown Brown Modern Block

1.07k views • 43 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Information Security 1 Basic Ciphers Shift Cipher Brute&force attack can easily break Substitution Cipher Frequency

571 views • 35 slides
Cryptography and Network Encryption Standard Security All the afternoon Mungo had been working on

Cryptography and Network Encryption Standard Security All the afternoon Mungo had been working on

Chapter 3 Block Ciphers and the Data Cryptography and Network Encryption Standard Security All the afternoon Mungo had been working on Stern's Chapter 3 code, principally with the aid of the latest messages which he had copied down at the Nevin

289 views • 7 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer

Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Dr. Loai Tawalbeh Fall 2005

339 views • 23 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a permutation if there is an inverse function f 1 : { 0 , 1 } { 0 , 1 } satisfying x { 0 , 1 } : f 1 ( f ( x )) = x

1.05k views • 62 slides

More recommend