(ISSTAC) Side Channel Analysis Corina Pasareanu (CMU&NASA - - PowerPoint PPT Presentation

Integrated Symbolic Execution for Space-Time Analysis of Code (ISSTAC) Side Channel Analysis

• Corina Pasareanu (CMU&NASA Ames)

Project team members

• ❑

Corina Pasareanu

❑

Teme Kahsai

❑

Kasper Luckow

❑

Quoc-Sang Phan

❑

Rody Kersten

❑

Federico Ponte

• ❑

Tevfik Bultan

❑

Lucas Bang

❑

Abdulbaki Aydin

❑

Miroslav Gavrilov

• ❑

Gabor Karsai

❑

Zhenkai Zhang

❑

Dmitriy Kostyuchenko

❑

Sandor Nyako

The Problem

❑

Inherent space-time complexity of algorithms used for building software systems offer new attack surfaces for cyber exploits

• ❑

Side-channel attacks — recover secret inputs to programs from non-functional characteristics of computations, such as time consumed, number of memory accesses or size of

• utput files

❑

Worst case-complexity — denial-of-service attacks, the adversary's goal is to deny service to the system's users, or to disable the system by choosing a worst-case input

The Project

Compute from the bytecode its worst-case time-space bounds, produce example inputs that trigger them, estimate information leakage through observables related to time/memory via symbolic execution of the code performed on a cloud-based computing platform using a model-counting constraint-solver.

Java Bytecode Symbolic Execution Hadoop Distributed File System (HDFS) Hive Data Warehouse Symbolic Execution Engines Worst-case Analysis (bounds) Side-channel Analysis Model-counting Constraint Solver

• Quantified Information

Leakage and Confidence guide

• Worst-case Bounds

Worst-case Input Worst-case Constraints

• Analysis

Report input generates Apache Spark

Background: Symbolic Execution

King [Comm. ACM 1976], Clarke [IEEE TSE 1976]

• ❑

analysis of programs with symbolic inputs

❑

symbolic states represent sets of concrete states

❑

for each path, build path condition — encodes condition on inputs for the execution to follow that path

❑

check path condition satisfiability – explore only feasible paths

• ❑

received renewed interest in recent years … due to

❑

algorithmic advances

❑

computational power and decision procedures

❑

applications: test-case generation, error detection, …

❑

many tools: SAGE, DART, KLEE, Pex, BitBlaze …

Concrete Execution

6

Symbolic Execution

7

JPF and SPF

Java PathFinder

• Extensible tool for Java

bytecode verification

• Uses specialized JVM
• Developed at NASA Ames

since 1999

• Open-sourced
• Symbolic PathFinder (SPF)
• Symbolic execution tool for

Java bytecode; open-sourced

• Uses lazy initializations to

handle complex data structures and arrays as inputs

• Handles multi-threading
• Provides support for symbolic

string operations

• Supports quantitative

reasoning

Side-Channel Analysis

Java Bytecode Symbolic Execution Hadoop Distributed File System (HDFS) Hive Data Warehouse Symbolic Execution Engines Worst-case Analysis (bounds) Side-channel Analysis Model-counting Constraint Solver

• Worst-case Bounds

Worst-case Input Worst-case Constraints

• Analysis

Report informs generates Apache Spark input Preprocessing &Visualization

• Quantified Information

Leakage and Confidence

Side-Channel Attacks

Figure taken from: “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis"

program

low high “main” channel (unintended) side channel

Side-Channel Attacks

• boolean verifyPassword(byte [] input, byte [] password) {

for ( int i = 0; i < SIZE; i++) { if (password[ i ] != input[ i ]) return false ; Thread.sleep(25L); } return true; }

• Suppose the password is a 4-digit PIN. A brute-force attack:

❑

• n the main channel: 10000 tries in the worst case.

❑

• n the timing channel: 40 tries in the worst case.

low high

Side-channel Analysis

• ❑

Quantitative Information-Flow Analysis (QIF) to determine side-channel capacity — maximum possible leakage

❑

Side-channel costs form the “observables”

• Maximum Leakage

deterministic programs

Side-channel Analysis using Symbolic Execution

• ❑

Perform symbolic execution

❑

Collect all symbolic paths

❑

Compute “cost” of each path

• Cost model:

❑

execution time

❑

number of packets sent/received over a network

❑

number of bytes written to a file

• Maximum Leakage

Computing Shannon Entropy

• ❑

Probabilistic symbolic execution [ICSE’13,PLDI’14]

❑

PCs are path conditions computed with symbolic execution

❑

#(PC) — number of solutions computed with model counting (Latte)

❑

#D size of domain

• ❑

Model counting: – Latte[Köppe, 2006] -- integer linear constraints, finite domain – Polynomial in both number of variables and number of constraints; – Omega Lib used for algebraic simplifications; optimizations (independence, caching) …

Simple Example

//high range: 1..10 if(high>7) ... cost=1; else ... cost=2;

• Channel capacity:

log2(2)=1 bit

• Shannon Entropy:
• 0.3 log2(0.3) -0.7 log2(0.7)=

0.3 * 1.736966 + 0.7 * 0.514573= 0.8812909 bits

• high>7
• 1=cost 1
• p(o1)=0.3
• high<8
• 2=cost 2
• p(o2)=0.7

Password Example

boolean verifyPassword(byte [] input, byte [] password) { for ( int i = 0; i < SIZE; i++) { if (password[ i ] != input[ i ]) return false ; Thread.sleep(25L); } return true; } p(o0)=#PC0/#D=90000000/100000000=0.9 p(o1)=#PC1/#D=9000000/100000000=0.09 p(o2)=#PC2/#D=900000/100000000=0.009 …

n=4, range:0..9, #D=108

Maximizing Channel Capacity

Symbolic public inputs over-approximate the leakage

• Example 1:

❑

5 possible observables, l<0: 3 observables, l>=0: 2 observables Example 2:

❑

3 observables, l=0: 2 observables

• Goal

❑

find the low input that leads to maximum number of observables

Maximizing Channel Capacity: MaxSMT

❑

Assemble PCs that lead to same observable into “clauses” of weight “1”

❑

MaxSMT solution gives maximal assignment corresponding to largest

number of observables reached by a public input

❑

Any other assignments leads to less observables

❑

MaxSMT solution:

❑

l=0: satisfies first 2 clauses

❑

leakage log2(2)=1 bit

Multi-run analysis

❑

Generalization over multiple-run side-channel analysis

• ❑

The attacker gradually learns the secret by observing multiple program runs

❑

An “observable” is a sequence of costs

❑

MaxSMT used to synthesize a sequence of public inputs

❑

Non-adaptive attacks, greedy approach

❑

Multi-threading/garbage collection

• ❑

Analysis of password examples and cryptographic functions

❑

Shown experimentally to perform better than CBMC+self composition or brute-force enumeration

• see [CSF’16] Multi-run side-channel analysis using Symbolic

Execution and Max-SMT, by C. Pasareanu, S. Phan, P. Malacaria

Multi-threading

T1 :: example1( l; h); T2 :: l = -l;

• l=-1

gives 3 observables for T1;T2 gives 2 observables for T2;T1

• compute leakage for each schedule; enumerate all

schedules; report max leakage

• multi-threading introduces noise that makes leakage smaller;

tree-like schedulers, probabilistic schedulers … future work garbage collection

Side-channel analysis

Next steps …

• ❑

Multi-run analysis for adaptive attacks: attacker chooses next input based on previous outputs observed

• ❑

Leakage computation in the presence of noisy observations

• ❑

Model counting for string constraints (ABC) and non-linear constraints (#SAT, qCoral)

Attack Trees

• l1
• 1
• At each step:

❑

the attacker uses MaxSMT to compute the next low value that maximizes leakage

❑

under “assumptions” encoding that h is consistent with previous observations

Min-Max Game: at each step

❑

attacker minimizes entropy (uses MaxSMT to compute next low that maximizes no. of observations)

❑

system maximizes entropy (uses model counting to compute largest partition)

❑

game ends when MaxSMT returns 1 clause (no further refinement on the secret possible)

❑

gives “perfect” attacker for segment

• racle
• 2
• l2
• l3