guillaume vinet 19th may 2019
play

Guillaume VINET 19th May 2019 1 stress WBC-based solutions, - PowerPoint PPT Presentation

Nov 20, 2023 •208 likes •920 views

Guillaume VINET 19th May 2019 1 stress WBC-based solutions, challenging practical realisation, to exploitable faulty computations, include: and able to affect large range of instructions multiple faults Binary analysis: dynamic fault

  1. Guillaume VINET 19th May 2019 1

  2. stress WBC-based solutions, challenging practical realisation, to exploitable faulty computations, include: and able to affect large range of instructions multiple faults • Binary analysis: dynamic fault injection is a powerful way to • Publications in this area remain modest, mostly due to • Registers, memory access can be changed in runtime leading • Nowadays, a state-of-the-art WBC security analysis must • static and dynamic fault injections • an efficient way to induce dynamic faulty computations: being precise • a large range of public fault injection attacks exploiting single or 2

  3. 3

  4. Native binary file (assembly code) NO SOURCE FILES! 4

  5. 5

  6. Native binary file Cryptographic attacks Differential Fault Analysis (DFA) Safe Error … • • • 6

  7. Native binary file Safe Error Differential Fault Analysis (DFA) downgrade Security … … Stuck mask value to transform a 2 nd Defeat algorithm protection. Defeat integrity mechanisms attacks Cryptographic • • • • • order attack to a 1 rst order • 7

  8. Native binary file Cryptographic attacks Security downgrade 8

  9. 9

  10. 10

  11. Assets: Easy to implement Drawbacks: Speed: how to avoid combinatorial complexity with multiple fault injections? Accuracy: valuable to modify table value, but not disturbing operation execution Anti-Fault countermeasures: fault easily detected • • • • 11

  12. https:/ /github.com/SideChannelMarvels Python framework Tree strategy to inject the faults included in • • 12

  13. 13

  14. Assets: Accuracy: Alter registers, memory or instructions Multiple fault injection to defeat security countermeasures Drawbacks: Fault Model: which fault effects must be implemented Speed: how to avoid combinatorial complexity with multiple fault injections? • • • • • 14

  15. Assets: Open source Use the powerful Unicorn Engine… • • 15

  16. Source https:/ /www.riscure.com/uploads/2017/09/eu-15-sanfelix-mune-dehaas-unboxing-the-white-box-wp_v1.1.pdf Know where to recover the ciphertext once the fault was injected Call to external libraries must be implemented/patched 16

  17. Assets: Open source Use the powerful Unicorn Engine… Drawbacks: … that needs reverse engineering Executable/Library must be instrumented by a script The Unicorn emulation is slow • • • • • 17

  18. 18

  19. Relevant Fault Models Speed Where? When? Configuration Dynamic fault injection 19

  20. Faults models: Register modification • 20

  21. Faults models: Register modification Data Flow Modification • • 21

  22. Faults models: Register modification Data Flow Modification Control Flow Modification with Program Counter Register • • • 22

  23. Where to fault: Filtering based on: Program Counter Kind of instruction: mov, add … • • • 23

  24. When to fault: pattern detector • • 24

  25. When to fault: pattern detector • 25

  26. Data flow disturbance Multi-fault injection ARM support Filtering and trig&act capabilities Takes advantage of Qemu speed included in Dynamic register modification X86, x86_64, Control flow disturbance Fault&trace capabilities • • • • • • • • 26

  27. 27

  28. Attack an AES White-Box implementation Configuration: CPU i7-7560U, 2.4GHz dual core 16 GB of RAM (we not need so much) SSD NVMe Double fault injection Key recovery from the faulty outputs with a DFA of Piret (with 4 modified bytes in a specific way) • • • • • • • 28

  29. Attack an AES White-Box implementation Double fault injection Key recovery from the faulty outputs with a DFA of Piret (with 4 modified bytes in a specific way) nb_ins x nb_fault_model x nb_target x nb_input x nb_area • • • 29

  30. $./cipheraes 06 1F C9 F5 88 B2 F9 D2 00 19 86 82 2C 12 11 79 message: 061fc9f588b2f9d2001986822c121179 cipher: 14ed01ea7ce2a551c9791ae85c7cecf4 AES-128 X86-64 architecture Differential Fault Analysis with a double fault injection attack: • Data flow disturbance • Control flow disturbance 30

  31. 31

  32. 32

  33. 33

  34. 34

  35. 35

  36. 36

  37. 37

  38. 38

  39. 39

  40. No effect for the other registers (rbx, r8, r9, r10, r11, r12, r13, r14, r15) rax 10000 15000 20000 25000 30000 35000 40000 rcx 0 rdx rsp rbp rsi rdi Faulty Output Correct Ouput Parse Error 5000 78 1557 35745 0 755 35613 34422 7 565 34943 36500 887 264 2078 36493 35935 644 310 225 0 0 40

  41. 14 campaigns faulting one register (rsp/rbp not included) ~76 min (multi-thread not used) ~112 injected faults by second 511,000 injected faults 41

  42. 42

  43. 43

  44. Correct/ Faulty output analysis Execute algorithm: To recover the key Or to detect in which round the fault was injected A lot of public algorithm available, but if they fail it gives no information • • • 44

  45. Correct/ Faulty output but it requires reverse engineering skills Give a way to understand very accurately the fault execution Understand the effect of the fault on the program engineering Reverse gives no information A lot of public algorithm available, but if they fail it Or to detect in which round the fault was injected To recover the key Execute algorithm: analysis • • • • • 45

  46. Correct/ engineering Give a visual way to understand accurately the fault Fault & Trace but it requires reverse engineering skills Give a way to understand very accurately the fault effect without reverse engineering skills execution Understand the effect of the fault on the program Faulty output Reverse Program Counter registers …) gives no information A lot of public algorithm available, but if they fail it Or to detect in which round the fault was injected To recover the key Execute algorithm: analysis Fault and trace at the same time (memory access, • • • • • • • 46

  47. 47

  48. 48

  49. Fault and trace the PC register to see the executed instructions Traces are identical Traces are different 49

  50. Fault and trace the PC register to see the executed instructions Traces are identical Traces are different 50

  51. 51

  52. 52

  53. 53

  54. 54

  55. 55

  56. 56

  57. loc_4033CE: jz short loc_4033C4 retn leave nop loc_4033D4 bytes. checked by block of four twice. Its consistency is The output was computed cmp edx, eax cmp [rbp+var_1], 3 mov eax, [rbp+rax*4+var_30] cdqe movzx eax, [rbp+var_1] mov edx, [rbp+rax*4+var_20] cdqe movzx eax, [rbp+var_1] loc_403393: jbe short loc_403393 57

  58. loc_4033CE: add rax, rdx retn leave nop loc_4033D4 zero. four-byte block is set to In case of a failure, the bytes. checked by block of our twice. Its consistency is The output was computed mov dword ptr [rax], 0 mov rax, [rbp+var_38] cmp [rbp+var_1], 3 lea rdx, ds:0[rax*4] movzx eax, [rbp+var_1] jz short loc_4033C4 cmp edx, eax mov eax, [rbp+rax*4+var_30] cdqe movzx eax, [rbp+var_1] mov edx, [rbp+rax*4+var_20] cdqe movzx eax, [rbp+var_1] loc_403393: jbe short loc_403393 58

  59. loc_4033CE: four-byte block is set to We start the output analysis The output was computed twice. Its consistency is checked. In case of a failure, the zero. add eax, 1 loc_4033D4 nop leave retn These operation are done 4 times to analyze all the output. mov [rbp+var_1], al movzx eax, [rbp+var_1] cmp [rbp+var_1], 3 cdqe jbe short loc_403393 loc_403393: movzx eax, [rbp+var_1] cdqe mov edx, [rbp+rax*4+var_20] movzx eax, [rbp+var_1] mov eax, [rbp+rax*4+var_30] loc_4033C4: cmp edx, eax jz short loc_4033C4 movzx eax, [rbp+var_1] lea rdx, ds:0[rax*4] mov rax, [rbp+var_38] add rax, rdx mov dword ptr [rax], 0 59

  60. loc_4033CE: four-byte block is set to We start the output analysis The output was computed twice. Its consistency is checked. In case of a failure, the zero. add eax, 1 loc_4033D4 nop leave retn These operation are done 4 times to analyze all the output. mov [rbp+var_1], al movzx eax, [rbp+var_1] cmp [rbp+var_1], 3 cdqe jbe short loc_403393 loc_403393: movzx eax, [rbp+var_1] cdqe mov edx, [rbp+rax*4+var_20] movzx eax, [rbp+var_1] mov eax, [rbp+rax*4+var_30] loc_4033C4: cmp edx, eax jz short loc_4033C4 movzx eax, [rbp+var_1] lea rdx, ds:0[rax*4] mov rax, [rbp+var_38] add rax, rdx mov dword ptr [rax], 0 60

  61. loc_4033CE: mov rax, [rbp+var_38] retn leave nop loc_4033D4 mov [rbp+var_1], al add eax, 1 movzx eax, [rbp+var_1] loc_4033C4: mov dword ptr [rax], 0 add rax, rdx lea rdx, ds:0[rax*4] cmp [rbp+var_1], 3 movzx eax, [rbp+var_1] jz short loc_4033C4 cmp edx, eax mov eax, [rbp+rax*4+var_30] cdqe movzx eax, [rbp+var_1] mov edx, [rbp+rax*4+var_20] cdqe movzx eax, [rbp+var_1] loc_403393: 61

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Guillaume VINET 19th May 2019 1 becoming more mature the art adequatly protected. and heavy

Guillaume VINET 19th May 2019 1 becoming more mature the art adequatly protected. and heavy

Guillaume VINET 19th May 2019 1 becoming more mature the art adequatly protected. and heavy processing issues White-Box Cryptography (WBC) security analyses are Tracing the binary execution is now part of the state of Tracing can

1.14k views • 91 slides
unusual LISA Jean-Yves Vinet A.R.T.E.M.I.S. Observatoire de la Cte dAzur NICE (France)

unusual LISA Jean-Yves Vinet A.R.T.E.M.I.S. Observatoire de la Cte dAzur NICE (France)

unusual LISA Jean-Yves Vinet A.R.T.E.M.I.S. Observatoire de la Cte dAzur NICE (France) Contents 1) Gravitational coronography 2) Signals from asteroids GGI/FLORENCE 28-30 J-Y. Vinet 2 Sept 2006 Gravitational coronography Tinto

369 views • 36 slides
Certification and IoT Guillaume Boufgard ( guillaume.boufgard@ssi.gouv.fr ) Agence nationale de la

Certification and IoT Guillaume Boufgard ( guillaume.boufgard@ssi.gouv.fr ) Agence nationale de la

Certification and IoT Guillaume Boufgard ( guillaume.boufgard@ssi.gouv.fr ) Agence nationale de la scurit des systmes dinformation 23 Mai 2019 Until now Security features are made on specific devices Payment Identity Travel

560 views • 26 slides
Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security Labs National Cybersecurity Agency of France (ANSSI) DIENS, ENS, CNRS, PSL University Workshop SILM 21 November 2019 Who am I? Me Expert in

1.18k views • 80 slides
Model for DNA-less cell fate. Guillaume Garnier Team GO ParisSaclay 2019 Universit

Model for DNA-less cell fate. Guillaume Garnier Team GO ParisSaclay 2019 Universit

Introduction The mathematical Model The e ff ect of nucleases The phage infection References Model for DNA-less cell fate. Guillaume Garnier Team GO ParisSaclay 2019 Universit ParisSaclay 17 Septembre 2020 Guillaume Garnier Model

698 views • 35 slides
Annual General Meeting 2019 10 April 2019 Tom Enders | Chief Executive Officer Guillaume

Annual General Meeting 2019 10 April 2019 Tom Enders | Chief Executive Officer Guillaume

Annual General Meeting 2019 10 April 2019 Tom Enders | Chief Executive Officer Guillaume Faury | President Airbus Commercial Aircraft SAFE HARBOUR STATEMENT DISCLAIMER This presentation includes forward-looking statements. Words such as

267 views • 11 slides
Universal Dependencies for Mby Guaran Guillaume Thomas August 30, 2019 Department of

Universal Dependencies for Mby Guaran Guillaume Thomas August 30, 2019 Department of

Universal Dependencies for Mby Guaran Guillaume Thomas August 30, 2019 Department of Linguistics University of Toronto Mby Guaran Tupi-Guaran language About 30,000 speakers: Argentina, Brazil, Paraguay (Dietrich 2010) 1

475 views • 31 slides
Computations in homotopy type theory Guillaume Brunerie MLoC 2019, University of Stockholm

Computations in homotopy type theory Guillaume Brunerie MLoC 2019, University of Stockholm

Computations in homotopy type theory Guillaume Brunerie MLoC 2019, University of Stockholm August 23, 2019 Constructivity of MartinLf type theory Theorem Take u a closed term of type N in MLTT, and successively apply reduction rules to u .

247 views • 20 slides
What Is Race & Why Does It Matter? Compassion in Action Webinar Series November 19th, 2019

What Is Race & Why Does It Matter? Compassion in Action Webinar Series November 19th, 2019

What Is Race & Why Does It Matter? Compassion in Action Webinar Series November 19th, 2019 Moderator Stephanie Adler Yuan Director, Education & Training The Schwartz Center for Compassionate Healthcare 2 Audience Reminders You may

543 views • 36 slides
Announcement: Presentation of MBA Research Project (BA 399) Monday, August 19th, 2019 at 11:45

Announcement: Presentation of MBA Research Project (BA 399) Monday, August 19th, 2019 at 11:45

Lincoln University 401 15th Street, Oakland, CA 94612 Announcement: Presentation of MBA Research Project (BA 399) Monday, August 19th, 2019 at 11:45 am, University Boardroom (Room 206 on the Second Floor) Topic: Business Plan on Import-

335 views • 31 slides
Algorithmic Challenges in Radiation Therapy Guillaume Blin January, 2019 Complexity, Algorithms,

Algorithmic Challenges in Radiation Therapy Guillaume Blin January, 2019 Complexity, Algorithms,

Algorithmic Challenges in Radiation Therapy Guillaume Blin January, 2019 Complexity, Algorithms, Automata and Logic Meet 2019 Guillaume Blin Algorithmic Challenges in Radiation Therapy January, 2019 1 / 28 Radiation Therapy Radiation

992 views • 66 slides
CoqInE S eminaire Dedukti/CPR Guillaume Burel Friday April 1st, 2011 Guillaume Burel: S

CoqInE S eminaire Dedukti/CPR Guillaume Burel Friday April 1st, 2011 Guillaume Burel: S

ENSIIE C edric CoqInE S eminaire Dedukti/CPR Guillaume Burel Friday April 1st, 2011 Guillaume Burel: S eminaire Dedukti/CPR, 2011-04-01 CoqInE 1/28 Introduction Universal proof checker Guillaume Burel: S eminaire

668 views • 33 slides
Guillaume Cyr Paul Glover Guillaume Cyr, Paul Glover Universit Laval, Qubec, Canada Victor

Guillaume Cyr Paul Glover Guillaume Cyr, Paul Glover Universit Laval, Qubec, Canada Victor

Guillaume Cyr Paul Glover Guillaume Cyr, Paul Glover Universit Laval, Qubec, Canada Victor Novikov Victor Novikov Joint Institute for High Temperatures of Russian Academy of Sciences, Russia 1 Deep within the mountainous regions of

461 views • 16 slides
Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume Bouffard Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19

779 views • 40 slides
Ana6: an IPv6 ad hoc addressing architecture Guillaume Chelius <guillaume.chelius@

Ana6: an IPv6 ad hoc addressing architecture Guillaume Chelius <guillaume.chelius@

Ana6: an IPv6 ad hoc addressing architecture Guillaume Chelius <guillaume.chelius@ insa-lyon.fr> Eric Fleury <Eric.Fleury@ inria.fr> My ad hoc Holy Grail Wireless link (if. A) Wire link Internet Wireless link (if. B) Access

469 views • 18 slides
Modern tools to debug GStreamer applications Guillaume Desmottes

Modern tools to debug GStreamer applications Guillaume Desmottes

Modern tools to debug GStreamer applications Guillaume Desmottes guillaume.desmottes@collabora.com 3 rd February 2018 Plan T racers Leak tracer GstShark Dealing with logs 2 GstTracer Introduced in 1.8 T racing module

436 views • 16 slides
Streams and File I/O Fundamentals of Computer Science Outline Overview of Streams and File

Streams and File I/O Fundamentals of Computer Science Outline Overview of Streams and File

Streams and File I/O Fundamentals of Computer Science Outline Overview of Streams and File I/O Buffering Text File I/O Binary File I/O Streams Stream : an object that either delivers data to its destination (screen, file,

770 views • 33 slides
+ Projects: Developing an OS Kernel for x86 Introduction + The boot process ! After the power

+ Projects: Developing an OS Kernel for x86 Introduction + The boot process ! After the power

CPSC 410/611: Operating Systems Projects, Introduction + Projects: Developing an OS Kernel for x86 Introduction + The boot process ! After the power button has been pressed ! Power supply certifies that can supply the correct amount of

349 views • 6 slides
Tools for viewing and editing binary data Eric McCreath cat and less The cat command will

Tools for viewing and editing binary data Eric McCreath cat and less The cat command will

Tools for viewing and editing binary data Eric McCreath cat and less The cat command will concatenate a list of files and print the result to standard output. It provides a quick way of viewing the contents of a single ASCII file. In the

112 views • 10 slides
Introduction to Unix http://linux.oreilly.com/ VI, March 2005 Page 1 Unix tutorial Outline

Introduction to Unix http://linux.oreilly.com/ VI, March 2005 Page 1 Unix tutorial Outline

Unix tutorial Introduction to Unix http://linux.oreilly.com/ VI, March 2005 Page 1 Unix tutorial Outline Basic background in Unix structure Directories and files I (listing, navigation, filenames) Directories and files II

359 views • 19 slides
C: File I/ O What we have done so far We have been reading/ writing files using stdin/

C: File I/ O What we have done so far We have been reading/ writing files using stdin/

C: File I/ O What we have done so far We have been reading/ writing files using stdin/ stdout with the redirect operator stdin: Standard input stream stdout: Standard output stream e.g. $ myApplication <

508 views • 8 slides
Assemblers, Linkers, and Loaders Hakim Weatherspoon CS 3410 Computer Science Cornell

Assemblers, Linkers, and Loaders Hakim Weatherspoon CS 3410 Computer Science Cornell

Assemblers, Linkers, and Loaders Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon, Bala, Bracy, and Sirer] Big Picture: Where are we going? int x = 10; C x0 = 0 x = 2 * x + 15; compiler x5 = x0 + 10 addi x5,

778 views • 39 slides
CS 241 Data Organization Uuencoding January 30, 2018 What is uuencode ? uuencode name is

CS 241 Data Organization Uuencoding January 30, 2018 What is uuencode ? uuencode name is

CS 241 Data Organization Uuencoding January 30, 2018 What is uuencode ? uuencode name is derived from Unix-to-Unix encoding Binary to text encoding used to send binary files via email and newsgroups uudecode recreates original

310 views • 5 slides
CS 31: Intro to Systems Binary Representation Martin Gagn Swarthmore College January 19, 2017

CS 31: Intro to Systems Binary Representation Martin Gagn Swarthmore College January 19, 2017

CS 31: Intro to Systems Binary Representation Martin Gagn Swarthmore College January 19, 2017 Today Number systems and conversion Data storage How many unique values can we represent with 9 bits? One bit: two values (0 or 1)

944 views • 51 slides

More recommend